|SUCCESS| net/octeontx/base: fix out-of-bounds read in DQ range lookup
dpdklab at iol.unh.edu
Wed Apr 8 15:47:40 CEST 2026
Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/162939
_AI Code Review_
=== Patch Review: series.patch (via Claude) ===
Review date: 2026-04-08
Commit: (git sha not available from patch file)
Author: Sergei Iashin <yashin.sergey at gmail.com>
Subject: [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup
This patch fixes an out-of-bounds array access in the
octeontx_pko_dq_range_lookup() function by reordering the loop condition
to check bounds before accessing the array element.
> diff --git a/drivers/net/octeontx/base/octeontx_pkovf.c b/drivers/net/octeontx/base/octeontx_pkovf.c
> index 7aec84a813..5326fe24b9 100644
> --- a/drivers/net/octeontx/base/octeontx_pkovf.c
> +++ b/drivers/net/octeontx/base/octeontx_pkovf.c
> @@ -196,8 +196,8 @@ octeontx_pko_dq_range_lookup(struct octeontx_pko_vf_ctl_s *ctl, uint64_t chanid,
> while (dq < RTE_DIM(ctl->dq_map)) {
> dq_base = dq;
> dq_cnt = 0;
> - while (ctl->dq_map[dq].chanid == ~chanid &&
> - dq < RTE_DIM(ctl->dq_map)) {
> + while (dq < RTE_DIM(ctl->dq_map) &&
> + ctl->dq_map[dq].chanid == ~chanid) {
The fix correctly addresses the out-of-bounds read by ensuring the
bounds check occurs before the array access. This follows C's
short-circuit evaluation semantics.
However, does the existing outer loop prevent dq from being incremented
past the bounds? Looking at the structure, when this inner loop exits
due to the bounds check, control returns to the outer loop which also
checks dq < RTE_DIM(ctl->dq_map). But what increments dq after the inner
loop exits? If dq is not incremented between the inner and outer loop
checks, could this create an infinite loop when the inner loop exits due
to bounds rather than mismatched chanid?
> dq_cnt++;
> if (dq_cnt == dq_num)
> return dq_base;