From b2c2b141d92846222aeb8e8920dd325ed03d24b6 Mon Sep 17 00:00:00 2001
From: Yonglong Liu <liuyonglong@huawei.com>
Date: Sat, 11 Sep 2021 15:35:04 +0800
Subject: [PATCH] net: hns3: fix memory override when bd_num is bigger than the
 ring size

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

----------------------------

The bd_num is from firmware, it may be bigger than the ring
size, and may cause memory override problem.

Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Reviewed-by: Junxin Chen <chenjunxin1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 .../net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c    | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c b/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
index cede7eb5ef33..5404048ad60d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_cae/hns3_cae_port.c
@@ -88,6 +88,12 @@ int hns3_get_port_info(const struct hns3_nic_priv *net_priv,
 	desc_data = (__le32 *)(&desc.data[0]);
 	bd_num = le32_to_cpu(*desc_data);
 
+	if (bd_num > hdev->hw.cmq.csq.desc_num) {
+		dev_err(&hdev->pdev->dev, "get invalid BD num %u(max %u)\n",
+			bd_num, hdev->hw.cmq.csq.desc_num);
+		return -EINVAL;
+	}
+
 	port_desc = kcalloc(bd_num, sizeof(struct hclge_desc), GFP_KERNEL);
 	if (ZERO_OR_NULL_PTR(port_desc))
 		return -ENOMEM;
-- 
GitLab