+ Aleksandr
On Mon, Dec 01, 2025 at 11:40:58AM +0800, Guangshuo Li wrote:
In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq):
...
Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function")
Cc: stable@vger.kernel.org
Suggested-by: Tony Nguyen tony.nguyen@intel.com
Signed-off-by: Guangshuo Li lgs201920130244@gmail.com
changelog:
v2:
- Keep declarations at the beginning of e1000_tbi_should_accept().
- Move the last_byte assignment after the length bounds checks (suggested by Tony Nguyen)
I'm not sure that Tony's suggestions warrant a Suggested-by tag. And perhaps Aleksandr's Reviewed-by tag should have been carried over from v1: IMHO, I don't think the changes between v1 and v2 materially affect the review. But overall this looks good to me.
Reviewed-by: Simon Horman horms@kernel.org
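The bounds check the thread discusses, spelled out in plain C as an added illustration for this page. This is not the e1000 driver's e1000_tbi_should_accept() nor the patch under review; struct rx_frame, read_last_byte_checked() and run_length_cases() are names assumed here, and the 4-byte buffer is a constructed sample. The point it shows is the ordering the v2 changelog describes: validate the descriptor-reported length (reject zero and anything beyond the real RX buffer size) before computing data[length - 1], so neither data[-1] nor a neighbouring slab object is ever read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-in (not the e1000 driver's own types) for one received
 * frame: the RX buffer, its real allocated size, and the length the hardware
 * descriptor reported for the frame. */
struct rx_frame {
    const uint8_t *data;   /* start of the RX buffer */
    size_t buf_size;       /* actual allocated size of the RX buffer */
    size_t length;         /* length as reported by the descriptor (untrusted) */
};

/* Validate the descriptor-reported length before touching data[length - 1].
 * Returns true and stores the last byte only when 1 <= length <= buf_size.
 * A zero length would index data[-1]; a length beyond the buffer would read
 * whatever slab object happens to follow, which is the bug described in the
 * thread. On false the caller should drop the frame rather than evaluate
 * the TBI workaround on a garbage byte. */
bool read_last_byte_checked(const struct rx_frame *f, uint8_t *last_byte)
{
    if (f->length == 0 || f->length > f->buf_size)
        return false;
    *last_byte = f->data[f->length - 1];
    return true;
}

/* Exercises the three cases the check must cover on a constructed 4-byte
 * buffer and returns how many behaved as expected (3 when all pass). */
int run_length_cases(void)
{
    static const uint8_t buf[4] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed sample */
    uint8_t b = 0;
    int ok = 0;
    struct rx_frame f = { buf, sizeof buf, 0 };

    f.length = 4;                       /* in range: accepted, last byte is buf[3] */
    if (read_last_byte_checked(&f, &b) && b == 0x44)
        ok++;

    f.length = 0;                       /* zero: would have read data[-1] */
    if (!read_last_byte_checked(&f, &b))
        ok++;

    f.length = 5;                       /* beyond the buffer: rejected */
    if (!read_last_byte_checked(&f, &b))
        ok++;

    return ok;
}

int main(void)
{
    printf("%d of 3 length cases handled correctly\n", run_length_cases());
    return 0;
}
```

The accessor returns a status rather than a byte so that a rejected frame cannot be confused with a frame whose genuine last byte happens to be zero; the caller decides whether to drop it, mirroring the early return the patch introduces before the last_byte assignment.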