Commit 6ef935e6 authored by Jian Shen, committed by Paolo Abeni

net: hns3: add VLAN id validation before using



Currently, the VLAN id may be used without validation when
receiving a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.

Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.

Fixes: fe4144d4 ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-4-shaojijie@huawei.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parent d180c11a
+3 −0
@@ -10555,6 +10555,9 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
	bool writen_to_tbl = false;
	int ret = 0;

	if (vlan_id >= VLAN_N_VID)
		return -EINVAL;

	/* When device is resetting or reset failed, firmware is unable to
	 * handle mailbox. Just record the vlan id, and remove it after
	 * reset finished.
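Review bot: The new `if (vlan_id >= VLAN_N_VID)` check at the top of hclge_set_vlan_filter() carries no comment saying what it protects, so a later refactor could move or drop it without noticing the dependency. A one-line comment naming vlan_del_fail_bmap and its BITS_TO_LONGS(VLAN_N_VID) size, as the commit message does, would make the invariant explicit. The placement is right: it runs before the reset-path comment below, where the vlan id is recorded for later removal, so an out-of-range id is rejected before it can be recorded. Since the commit message identifies the VF mailbox as the untrusted source, it is also worth confirming that the mailbox handler does not use the VF-supplied id anywhere else before reaching this function; if it does, the same range check belongs at the point where the message is parsed.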