net: hns3: check queue id range before using

[ Upstream commit 63b1279d9905100a14da9e043de7b28e99dba3f8 ]

The input parameters may not be reliable. Before using the
queue id, we should check this parameter. Otherwise, memory
overwriting may occur.

Fixes: d34100184685 ("net: hns3: refactor the mailbox message between PF and VF")
Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index ff9d84a7147f1a956b423baa48967c6b709131ff..5d39967672561dbac88f8728f68d5c0df2a1e87f 100644 (file)
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -581,9 +581,17 @@ static void hclge_get_queue_id_in_pf(struct hclge_vport *vport,
                                     struct hclge_mbx_vf_to_pf_cmd *mbx_req,
                                     struct hclge_respond_to_vf_msg *resp_msg)
 {
+       struct hnae3_handle *handle = &vport->nic;
+       struct hclge_dev *hdev = vport->back;
        u16 queue_id, qid_in_pf;
 
        memcpy(&queue_id, mbx_req->msg.data, sizeof(queue_id));
+       if (queue_id >= handle->kinfo.num_tqps) {
+               dev_err(&hdev->pdev->dev, "Invalid queue id(%u) from VF %u\n",
+                       queue_id, mbx_req->mbx_src_vfid);
+               return;
+       }
+
        qid_in_pf = hclge_covert_handle_qid_global(&vport->nic, queue_id);
        memcpy(resp_msg->data, &qid_in_pf, sizeof(qid_in_pf));
        resp_msg->len = sizeof(qid_in_pf);