net: do not pass flow_id to set_rps_cpu()

Blamed commit made the assumption that the RPS table for each receive
queue would have the same size, and that it would not change.

Compute flow_id in set_rps_cpu(), do not assume we can use the value
computed by get_rps_cpu(). Otherwise we risk out-of-bound access
and/or crashes.

Fixes: 48aa30443e52 ("net: Cache hash and flow_id to avoid recalculation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Krishna Kumar <krikku@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260220222605.3468081-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/dev.c b/net/core/dev.c
index 096b3ff13f6b9bf685cb74d0e762a2b00e97d9de..f3426385f1ba83d98ba237c5f23440b5f119b799 100644 (file)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4992,8 +4992,7 @@ static bool rps_flow_is_active(struct rps_dev_flow *rflow,
 
 static struct rps_dev_flow *
 set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
-           struct rps_dev_flow *rflow, u16 next_cpu, u32 hash,
-           u32 flow_id)
+           struct rps_dev_flow *rflow, u16 next_cpu, u32 hash)
 {
        if (next_cpu < nr_cpu_ids) {
                u32 head;
@@ -5004,6 +5003,7 @@ set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                struct rps_dev_flow *tmp_rflow;
                unsigned int tmp_cpu;
                u16 rxq_index;
+               u32 flow_id;
                int rc;
 
                /* Should we steer this flow to a different hardware queue? */
@@ -5019,6 +5019,7 @@ set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                if (!flow_table)
                        goto out;
 
+               flow_id = rfs_slot(hash, flow_table);
                tmp_rflow = &flow_table->flows[flow_id];
                tmp_cpu = READ_ONCE(tmp_rflow->cpu);
 
@@ -5066,7 +5067,6 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
        struct rps_dev_flow_table *flow_table;
        struct rps_map *map;
        int cpu = -1;
-       u32 flow_id;
        u32 tcpu;
        u32 hash;
 
@@ -5113,8 +5113,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                /* OK, now we know there is a match,
                 * we can look at the local (per receive queue) flow table
                 */
-               flow_id = rfs_slot(hash, flow_table);
-               rflow = &flow_table->flows[flow_id];
+               rflow = &flow_table->flows[rfs_slot(hash, flow_table)];
                tcpu = rflow->cpu;
 
                /*
@@ -5133,8 +5132,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                     ((int)(READ_ONCE(per_cpu(softnet_data, tcpu).input_queue_head) -
                      rflow->last_qtail)) >= 0)) {
                        tcpu = next_cpu;
-                       rflow = set_rps_cpu(dev, skb, rflow, next_cpu, hash,
-                                           flow_id);
+                       rflow = set_rps_cpu(dev, skb, rflow, next_cpu, hash);
                }
 
                if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {