<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<pre class="elementToProof"><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><code>Applied to dpdk-next-net-mrvl/for-main. Thanks</code></div></pre>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Sergei Iashin <yashin.sergey@gmail.com><br>
<b>Sent:</b> Tuesday, April 7, 2026 5:00 PM<br>
<b>To:</b> Harman Kalra <hkalra@marvell.com>; Santosh Shukla <santosh.shukla@caviumnetworks.com>; Jerin Jacob <jerinj@marvell.com><br>
<b>Cc:</b> dev@dpdk.org <dev@dpdk.org>; stable@dpdk.org <stable@dpdk.org>; jerin.jacob@caviumnetworks.com <jerin.jacob@caviumnetworks.com>; Sergei Iashin <yashin.sergey@gmail.com><br>
<b>Subject:</b> [EXTERNAL] [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup</font>
<div> </div>
</div>
<div>
<div style="display:none!important; display:none; visibility:hidden; font-size:1px; color:#ffffff; line-height:1px; max-height:0px; opacity:0; overflow:hidden">
In octeontx_pko_dq_range_lookup(), the inner while loop evaluates the array access ctl->dq_map[dq]. chanid before the bounds check dq < RTE_DIM(ctl->dq_map). When dq is incremented to 256 inside the loop, the next iteration reads one</div>
<div style="display:none!important; display:none; visibility:hidden; font-size:1px; color:#ffffff; line-height:1px; max-height:0px; opacity:0; overflow:hidden">
ZjQcmQRYFpfptBannerStart</div>
<div dir="ltr" lang="en" id="x_pfptBannerwxolh9m" style="display:block!important; text-align:left!important; margin:0 0 10px 0!important; padding:7px 16px 8px 16px!important; border-radius:4px!important; min-width:200px!important; background-color:#d2d0d0!important; background-color:#d2d0d0; border-top:4px solid #8d8c8c!important; border-top:4px solid #8d8c8c">
<div id="x_pfptBannerwxolh9m" style="float:left!important; display:block!important; margin:1px 0 1px 0!important; max-width:600px!important">
<div id="x_pfptBannerwxolh9m" style="display:block!important; visibility:visible!important; background-color:#d2d0d0!important; color:#000000!important; color:#000000; font-family:'Arial',sans-serif!important; font-family:'Arial',sans-serif; font-weight:bold!important; font-weight:bold; font-size:14px!important; line-height:1.29!important; line-height:1.29">
Prioritize security for external emails: </div>
<div id="x_pfptBannerwxolh9m" style="display:block!important; visibility:visible!important; background-color:#d2d0d0!important; color:#000000!important; color:#000000; font-weight:normal; font-family:'Arial',sans-serif!important; font-family:'Arial',sans-serif; font-size:12px!important; line-height:1.5!important; line-height:1.5; margin-top:2px!important">
Confirm sender and content safety before clicking links or opening attachments </div>
</div>
<div id="x_pfptBannerwxolh9m" style="float:right!important; display:block!important; display:block; margin-left:16px!important; margin-top:1px!important; text-align:right!important; width:fit-content!important; font-size:12px!important">
<a id="x_pfptBannerwxolh9m" href="https://us-phishalarm-ewt.proofpoint.com/EWT/v1/CRVmXkqW!tm3Z1f8UYnVa9O-cmb1abtPB-IORJwK3Jr3VXVds937zvL1Te5uABuIyTLhBPe1u0lFyd2PYF2MzgfBRj9IabE7Hc6ItR791qHo$" style="display:inline-block!important; text-decoration:none">
<div class="x_pfptPrimaryButtonwxolh9m" style="display:inline-block!important; display:inline-block; visibility:visible!important; opacity:1!important; color:#000000!important; color:#000000; font-family:'Arial',sans-serif!important; font-family:'Arial',sans-serif; font-size:14px!important; font-weight:normal!important; text-decoration:none!important; border-radius:2px!important; margin-top:3px!important; margin-bottom:3px!important; margin-left:16px!important; padding:7.5px 16px!important; white-space:nowrap!important; width:fit-content!important; border:1px solid #666666">
Report Suspicious </div>
</a></div>
<div style="clear:both!important; display:block!important; visibility:hidden!important; line-height:0!important; font-size:0.01px!important; height:0px">
 </div>
</div>
<div style="display:none!important; display:none; visibility:hidden; font-size:1px; color:#ffffff; line-height:1px; max-height:0px; opacity:0; overflow:hidden">
ZjQcmQRYFpfptBannerEnd</div>
<style>
<!--
#x_pfptBannerwxolh9m
        {display:block!important;
        visibility:visible!important;
        opacity:1!important;
        background-color:#d2d0d0!important;
        max-width:none!important;
        max-height:none!important}
html:root, html:root > div
        {display:block!important;
        visibility:visible!important;
        opacity:1!important}
-->
</style>
<pre style="font-family:sans-serif; font-size:100%; white-space:pre-wrap; word-wrap:break-word">In octeontx_pko_dq_range_lookup(), the inner while loop evaluates the
array access ctl->dq_map[dq].chanid before the bounds check
dq < RTE_DIM(ctl->dq_map). When dq is incremented to 256 inside the
loop, the next iteration reads one element past the end of the
256-element dq_map array before the bounds condition can short-circuit.

Swap the two conjuncts so the bounds check is evaluated first, matching
the pattern already used in the outer loop.

Fixes: cad78ca23818 ("net/octeontx/base: add base PKO operations")
Cc: jerin.jacob@caviumnetworks.com
Cc: stable@dpdk.org

Signed-off-by: Sergei Iashin <yashin.sergey@gmail.com>
---
 drivers/net/octeontx/base/octeontx_pkovf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/octeontx/base/octeontx_pkovf.c b/drivers/net/octeontx/base/octeontx_pkovf.c
index 7aec84a813..5326fe24b9 100644
--- a/drivers/net/octeontx/base/octeontx_pkovf.c
+++ b/drivers/net/octeontx/base/octeontx_pkovf.c
@@ -196,8 +196,8 @@ octeontx_pko_dq_range_lookup(struct octeontx_pko_vf_ctl_s *ctl, uint64_t chanid,
        while (dq < RTE_DIM(ctl->dq_map)) {
                dq_base = dq;
                dq_cnt = 0;
-               while (ctl->dq_map[dq].chanid == ~chanid &&
-                       dq < RTE_DIM(ctl->dq_map)) {
+               while (dq < RTE_DIM(ctl->dq_map) &&
+                       ctl->dq_map[dq].chanid == ~chanid) {
                        dq_cnt++;
                        if (dq_cnt == dq_num)
                                return dq_base;
-- 
2.39.5

</pre>
</div>
</body>
</html>