From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/ethdev Bug 1859] common/cnxk: out of bounds access
Date: Tue, 23 Dec 2025 22:18:44 +0000 [thread overview]
Message-ID: <bug-1859-3@http.bugs.dpdk.org/> (raw)
http://bugs.dpdk.org/show_bug.cgi?id=1859
Bug ID: 1859
Summary: common/cnxk: out of bounds access
Product: DPDK
Version: 25.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: stephen@networkplumber.org
Target Milestone: ---
Gcc 16 detects out of bounds array access:
In function ‘nix_inl_selftest_work_cb’,
inlined from ‘inl_outb_soft_exp_poll’ at
../drivers/common/cnxk/roc_nix_inl_dev.c:1173:4,
inlined from ‘nix_inl_outb_poll_thread’ at
../drivers/common/cnxk/roc_nix_inl_dev.c:1201:6:
../drivers/common/cnxk/roc_nix_inl_dev.c:43:19: warning: array subscript 1 is
outside array bounds of ‘uint64_t[1]’ {aka ‘long unsigned int[1]’}
[-Warray-bounds=]
43 | uintptr_t work = gw[1];
| ^~~~
../drivers/common/cnxk/roc_nix_inl_dev.c: In function
‘nix_inl_outb_poll_thread’:
../drivers/common/cnxk/roc_nix_inl_dev.c:1172:34: note: at offset 8 into object
‘tmp’ of size 8
1172 | uint64_t tmp = ~(uint32_t)0x0;
| ^~~
The code in question is:
static void
inl_outb_soft_exp_poll(struct nix_inl_dev *inl_dev, uint32_t ring_idx)
{
... if (sa != NULL) {
uint64_t tmp = ~(uint32_t)0x0;
inl_dev->work_cb(&tmp, sa, NIX_INL_SOFT_EXPIRY_THRD,
NULL, port_id);
...
static void
nix_inl_selftest_work_cb(uint64_t *gw, void *args, enum nix_inl_event_type
type, void *cq_s,
uint32_t port_id)
{
uintptr_t work = gw[1];
(void)type;
(void)cq_s;
(void)port_id;
*((uintptr_t *)args + (gw[0] & 0x1)) = work;
plt_atomic_thread_fence(__ATOMIC_ACQ_REL);
}
I.e tmp is 64 bits, and work_cb is referencing outside of that.
--
You are receiving this mail because:
You are the assignee for the bug.
reply other threads:[~2025-12-23 22:18 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-1859-3@http.bugs.dpdk.org/ \
--to=bugzilla@dpdk.org \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).