Skip to content

Commit ab1068d

Browse files
angelslKalle Valo
angelsl
authored and
Kalle Valo
committed
iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs
When there are 16 or more logical CPUs, we request for `IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of IRQs, but later on we compare the number of IRQs returned to nr_online_cpus+2 instead of max_irqs, the latter being what we actually asked for. This ends up setting num_rx_queues to 17 which causes lots of out-of-bounds array accesses later on. Compare to max_irqs instead, and also add an assertion in case num_rx_queues > IWM_MAX_RX_HW_QUEUES. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551 Fixes: 2e5d4a8 ("iwlwifi: pcie: Add new configuration to enable MSIX") Signed-off-by: Hao Wei Tee <[email protected]> Tested-by: Sara Sharon <[email protected]> Signed-off-by: Luca Coelho <[email protected]> Signed-off-by: Kalle Valo <[email protected]>
1 parent 52a1923 commit ab1068d

File tree

1 file changed

+5
-5
lines changed
  • drivers/net/wireless/intel/iwlwifi/pcie

1 file changed

+5
-5
lines changed

drivers/net/wireless/intel/iwlwifi/pcie/trans.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1590,14 +1590,13 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev,
15901590
struct iwl_trans *trans)
15911591
{
15921592
struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
1593-
int max_irqs, num_irqs, i, ret, nr_online_cpus;
1593+
int max_irqs, num_irqs, i, ret;
15941594
u16 pci_cmd;
15951595

15961596
if (!trans->cfg->mq_rx_supported)
15971597
goto enable_msi;
15981598

1599-
nr_online_cpus = num_online_cpus();
1600-
max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES);
1599+
max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES);
16011600
for (i = 0; i < max_irqs; i++)
16021601
trans_pcie->msix_entries[i].entry = i;
16031602

@@ -1623,16 +1622,17 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev,
16231622
* Two interrupts less: non rx causes shared with FBQ and RSS.
16241623
* More than two interrupts: we will use fewer RSS queues.
16251624
*/
1626-
if (num_irqs <= nr_online_cpus) {
1625+
if (num_irqs <= max_irqs - 2) {
16271626
trans_pcie->trans->num_rx_queues = num_irqs + 1;
16281627
trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX |
16291628
IWL_SHARED_IRQ_FIRST_RSS;
1630-
} else if (num_irqs == nr_online_cpus + 1) {
1629+
} else if (num_irqs == max_irqs - 1) {
16311630
trans_pcie->trans->num_rx_queues = num_irqs;
16321631
trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX;
16331632
} else {
16341633
trans_pcie->trans->num_rx_queues = num_irqs - 1;
16351634
}
1635+
WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES);
16361636

16371637
trans_pcie->alloc_vecs = num_irqs;
16381638
trans_pcie->msix_enabled = true;

0 commit comments

Comments
 (0)