|SUCCESS| net/octeontx/base: fix out-of-bounds read in DQ range lookup

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Wed Apr 8 13:57:41 CEST 2026

Previous message (by thread): |Smoke |SUCCESS| pw(162942) sid(37852) job(PER_PATCH_BUILD18526-20260408171300) raw/ifpga: replace printf calls with logging
Next message (by thread): |SUCCESS| net/octeontx/base: fix out-of-bounds read in DQ range lookup
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/162939

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-04-08

This patch from Sergei Iashin addresses an out-of-bounds array access in the
octeontx PKO driver.

Git commit: patchwork submission (no SHA yet)
Author: Sergei Iashin <yashin.sergey at gmail.com>
Subject: [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup

The patch fixes a bounds checking issue in octeontx_pko_dq_range_lookup()
by reordering a while loop condition to check array bounds before accessing
array elements.

> diff --git a/drivers/net/octeontx/base/octeontx_pkovf.c b/drivers/net/octeontx/base/octeontx_pkovf.c
> index 7aec84a813..5326fe24b9 100644
> --- a/drivers/net/octeontx/base/octeontx_pkovf.c
> +++ b/drivers/net/octeontx/base/octeontx_pkovf.c
> @@ -196,8 +196,8 @@ octeontx_pko_dq_range_lookup(struct octeontx_pko_vf_ctl_s *ctl, uint64_t chanid,
>  	while (dq < RTE_DIM(ctl->dq_map)) {
>  		dq_base = dq;
>  		dq_cnt = 0;
> -		while (ctl->dq_map[dq].chanid == ~chanid &&
> -			dq < RTE_DIM(ctl->dq_map)) {
> +		while (dq < RTE_DIM(ctl->dq_map) &&
> +			ctl->dq_map[dq].chanid == ~chanid) {

The fix looks correct. The reordering ensures that dq is bounds-checked
before ctl->dq_map[dq] is accessed, which prevents reading past the end of
the 256-element array when dq reaches 256.

The change follows the same pattern as the outer loop and is consistent
with proper short-circuit evaluation practices in C.

However, there is a potential infinite loop condition. In
octeontx_pko_dq_range_lookup(), if the inner while loop exits without
finding dq_num contiguous matching entries, what prevents the outer loop
from revisiting the same dq value? Does the code always increment dq
somewhere after the inner loop completes?

Looking at the logic flow: the outer loop starts with some dq value, the
inner loop may increment dq_cnt without incrementing dq, and if dq_cnt
never reaches dq_num, does the outer loop increment dq before the next
iteration?

The patch correctly fixes the bounds checking issue, but can you verify
that the outer loop properly advances dq to prevent infinite loops?

Previous message (by thread): |Smoke |SUCCESS| pw(162942) sid(37852) job(PER_PATCH_BUILD18526-20260408171300) raw/ifpga: replace printf calls with logging
Next message (by thread): |SUCCESS| net/octeontx/base: fix out-of-bounds read in DQ range lookup
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the test-report mailing list