{"id":2228969,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2228969/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260427151827.43342-1-mschmidt@redhat.com/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/1.1/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260427151827.43342-1-mschmidt@redhat.com>","date":"2026-04-27T15:18:26","name":"[net] ice: fix stats array overflow when VF requests more queues","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4dcf8acca94cedce525979c3ef22fb5aabcd52a9","submitter":{"id":1162,"url":"http://patchwork.ozlabs.org/api/1.1/people/1162/?format=json","name":"Michal Schmidt","email":"mschmidt@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260427151827.43342-1-mschmidt@redhat.com/mbox/","series":[{"id":501673,"url":"http://patchwork.ozlabs.org/api/1.1/series/501673/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=501673","date":"2026-04-27T15:18:26","name":"[net] ice: fix stats array overflow when VF requests more queues","version":1,"mbox":"http://patchwork.ozlabs.org/series/501673/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2228969/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2228969/checks/","tags":{},"headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default 
header.b=QyU7dWre;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g46fP74Cyz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 01:18:53 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id ACF4B4048D;\n\tMon, 27 Apr 2026 15:18:51 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id VQdtRLNqBmHl; Mon, 27 Apr 2026 15:18:50 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id D417A404A8;\n\tMon, 27 Apr 2026 15:18:50 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 121C91B8\n for <intel-wired-lan@lists.osuosl.org>; Mon, 27 Apr 2026 15:18:50 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id EAC934048D\n for <intel-wired-lan@lists.osuosl.org>; Mon, 27 Apr 2026 15:18:48 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id MiDLZ4t-gDSk for <intel-wired-lan@lists.osuosl.org>;\n Mon, 27 Apr 2026 15:18:48 +0000 (UTC)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by smtp4.osuosl.org (Postfix) with ESMTPS id C97BD404A8\n for <intel-wired-lan@lists.osuosl.org>; Mon, 27 Apr 2026 15:18:46 +0000 (UTC)","from 
mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-551-fctzMtMrNLG8LE1L4Putxw-1; Mon,\n 27 Apr 2026 11:18:41 -0400","from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id E4DA01956059; Mon, 27 Apr 2026 15:18:39 +0000 (UTC)","from mschmidt-thinkpadp1gen4i.tpbc.com (unknown [10.44.34.211])\n by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id A9401195608E; Mon, 27 Apr 2026 15:18:35 +0000 (UTC)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org D417A404A8","OpenDKIM Filter v2.11.0 smtp4.osuosl.org C97BD404A8"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1777303130;\n\tbh=eP255AJKi20CdWJSLl90PUo6dc/xnZcS6fxVydD/CJk=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=QyU7dWrerNtyWBVrtdb3Cy0dF/YsjgxMvfyuclmLUPgY751QQjKcbVE/Bq2ndVpJ2\n\t 2GniPYTXooPlJIJHsLnptZur+LOuW+hpubvWAZ3U79W0mVT+iZC3JUsro3Zt0TY6ka\n\t Gnhnt0Bgm+0iXLaWwoX9imWxWnL3GZwEsCWeAo3LIYHH094pAZeUql5h8udODW/DiJ\n\t 4+ApvGLpZmgNbmcoug9aKsLvwbEwz7Bm+wlWVCJ3aDpaM7J/ojM44jLOJRW9EaOqBr\n\t ThQGUpXmIY2cGj8+XPefjeVFU0xVK+Tis1pza4+b14c22VZ+MajpbEjJIQOoIjRxXl\n\t qsOTVcehHVGWQ==","Received-SPF":"Pass (mailfrom) 
identity=mailfrom; client-ip=170.10.129.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=mschmidt@redhat.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org C97BD404A8","X-MC-Unique":"fctzMtMrNLG8LE1L4Putxw-1","X-Mimecast-MFC-AGG-ID":"fctzMtMrNLG8LE1L4Putxw_1777303120","From":"Michal Schmidt <mschmidt@redhat.com>","To":"Tony Nguyen <anthony.l.nguyen@intel.com>,\n Przemek Kitszel <przemyslaw.kitszel@intel.com>,\n Andrew Lunn <andrew+netdev@lunn.ch>,\n \"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>, Jacob Keller <jacob.e.keller@intel.com>,\n Petr Oros <poros@redhat.com>","Cc":"intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,\n linux-kernel@vger.kernel.org","Date":"Mon, 27 Apr 2026 17:18:26 +0200","Message-ID":"<20260427151827.43342-1-mschmidt@redhat.com>","MIME-Version":"1.0","X-Scanned-By":"MIMEDefang 3.0 on 10.30.177.17","X-Mimecast-MFC-PROC-ID":"5Jb_C9dJ06po5IaViaouu6YJC-WahVlO8A2pKvu1Rg4_1777303120","X-Mimecast-Originator":"redhat.com","Content-Transfer-Encoding":"8bit","content-type":"text/plain; charset=\"US-ASCII\"; x-default=true","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=redhat.com;\n s=mimecast20190719; t=1777303125;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=eP255AJKi20CdWJSLl90PUo6dc/xnZcS6fxVydD/CJk=;\n b=V4leo3pOwRt/3inuiLW+Hs/w8BCf9JVV62Z5TcltCLU9bwOVsLvGQ9SpC8lSQwGLO/Ij16\n tdHEI1WuQ3vcDg7DdayQNxUQCF/lQGNpxg1zgpPH2HrTao1d9WmA1TiyDB+ybR5lJ49qgj\n hl+xBMEn+PBKVTSeQcu5zAFV3e1OLdA=","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com","smtp4.osuosl.org;\n dkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com 
header.a=rsa-sha256\n header.s=mimecast20190719 header.b=V4leo3pO"],"Subject":"[Intel-wired-lan] [PATCH net] ice: fix stats array overflow when VF\n requests more queues","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"},"content":"When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,\nice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.\nThe reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()\nfollowed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring\nstats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates\nalloc_txq/alloc_rxq to the new larger value, but\nice_vsi_alloc_stat_arrays() returns early because the stats already\nexist. 
ice_vsi_alloc_ring_stats() then iterates using the new larger\nalloc_txq and writes beyond the bounds of the old, smaller\ntx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB\nmetadata.\n\nKASAN detects the bug:\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x385/0x4a0 [ice]\n Read of size 8 at addr ffff88810affea60 by task kworker/u131:7/221\n\n CPU: 24 UID: 0 PID: 221 Comm: kworker/u131:7 Not tainted 7.1.0-rc1+ #1 PREEMPT(lazy)\n ...\n Workqueue: ice ice_service_task [ice]\n Call Trace:\n  <TASK>\n  ...\n  kasan_report+0xd7/0x120\n  ice_vsi_alloc_ring_stats+0x385/0x4a0 [ice]\n  ice_vsi_cfg_def+0x12e2/0x2060 [ice]\n  ice_vsi_cfg+0xb5/0x3c0 [ice]\n  ice_reset_vf+0x858/0xf80 [ice]\n  ice_vc_request_qs_msg+0x1da/0x290 [ice]\n  ice_vc_process_vf_msg+0xb15/0x1430 [ice]\n  __ice_clean_ctrlq+0x70d/0x9d0 [ice]\n  ice_service_task+0x840/0xf20 [ice]\n  process_one_work+0x690/0xff0\n  worker_thread+0x4d9/0xd20\n  kthread+0x322/0x410\n  ret_from_fork+0x332/0x660\n  ret_from_fork_asm+0x1a/0x30\n  </TASK>\n\n Allocated by task 2439:\n  kasan_save_stack+0x1c/0x40\n  kasan_save_track+0x10/0x30\n  __kasan_kmalloc+0x96/0xb0\n  __kmalloc_noprof+0x1d8/0x580\n  ice_vsi_cfg_def+0x115c/0x2060 [ice]\n  ice_vsi_cfg+0xb5/0x3c0 [ice]\n  ice_vsi_setup+0x180/0x320 [ice]\n  ice_start_vfs+0x1f3/0x590 [ice]\n  ice_ena_vfs+0x66d/0x798 [ice]\n  ice_sriov_configure.cold+0xe4/0x121 [ice]\n  sriov_numvfs_store+0x279/0x480\n  kernfs_fop_write_iter+0x331/0x4f0\n  vfs_write+0x4c4/0xe40\n  ksys_write+0x10c/0x240\n  do_syscall_64+0xd9/0x650\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff88810affea40\n                which belongs to the cache kmalloc-32 of size 32\n The buggy address is located 0 bytes to the right of\n                allocated 32-byte region [ffff88810affea40, ffff88810affea60)\n ...\n 
==================================================================\n\nice_vsi_rebuild() handles this correctly by calling\nice_vsi_realloc_stat_arrays() before reconfiguration, but\nice_vf_reconfig_vsi() was missing this call.\n\nFix by calling ice_vsi_realloc_stat_arrays() in ice_vf_reconfig_vsi()\nbefore ice_vsi_decfg(), mirroring the ice_vsi_rebuild() pattern. Set\nvsi->req_txq/req_rxq from vf->num_req_qs so the realloc function knows\nthe target array size.\n\nSee the linked RHEL Jira item for a reproducer.\n\nFixes: 2a2cb4c6c181 (\"ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()\")\nCloses: https://redhat.atlassian.net/browse/RHEL-164321\nSigned-off-by: Michal Schmidt <mschmidt@redhat.com>\nAssisted-by: Claude:claude-opus-4-6 semcode\n---\n drivers/net/ethernet/intel/ice/ice_lib.c    | 2 +-\n drivers/net/ethernet/intel/ice/ice_lib.h    | 1 +\n drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 +++++++\n 3 files changed, 9 insertions(+), 1 deletion(-)","diff":"diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c\nindex 837b71b7b2b7..fc78176a2a8d 100644\n--- a/drivers/net/ethernet/intel/ice/ice_lib.c\n+++ b/drivers/net/ethernet/intel/ice/ice_lib.c\n@@ -3015,7 +3015,7 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi,\n  * ice_vsi_realloc_stat_arrays - Frees unused stat structures or alloc new ones\n  * @vsi: VSI pointer\n  */\n-static int\n+int\n ice_vsi_realloc_stat_arrays(struct ice_vsi *vsi)\n {\n \tu16 req_txq = vsi->req_txq ? 
vsi->req_txq : vsi->alloc_txq;\ndiff --git a/drivers/net/ethernet/intel/ice/ice_lib.h b/drivers/net/ethernet/intel/ice/ice_lib.h\nindex 49454d98dcfe..6f7da84384e5 100644\n--- a/drivers/net/ethernet/intel/ice/ice_lib.h\n+++ b/drivers/net/ethernet/intel/ice/ice_lib.h\n@@ -66,6 +66,7 @@ int ice_ena_vsi(struct ice_vsi *vsi, bool locked);\n void ice_vsi_decfg(struct ice_vsi *vsi);\n void ice_dis_vsi(struct ice_vsi *vsi, bool locked);\n \n+int ice_vsi_realloc_stat_arrays(struct ice_vsi *vsi);\n int ice_vsi_rebuild(struct ice_vsi *vsi, u32 vsi_flags);\n int ice_vsi_cfg(struct ice_vsi *vsi);\n struct ice_vsi *ice_vsi_alloc(struct ice_pf *pf);\ndiff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c\nindex 772f6b07340d..9edb2c14f553 100644\n--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c\n+++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c\n@@ -268,6 +268,13 @@ static int ice_vf_reconfig_vsi(struct ice_vf *vf)\n \n \tvsi->flags = ICE_VSI_FLAG_NO_INIT;\n \n+\tvsi->req_txq = vf->num_req_qs;\n+\tvsi->req_rxq = vf->num_req_qs;\n+\n+\terr = ice_vsi_realloc_stat_arrays(vsi);\n+\tif (err)\n+\t\treturn err;\n+\n \tice_vsi_decfg(vsi);\n \tice_fltr_remove_all(vsi);\n \n","prefixes":["net"]}
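Review bot: In the ice_lib.c hunk, ice_vsi_realloc_stat_arrays() becomes non-static, but its kernel-doc still consists only of "@vsi: VSI pointer". Now that ice_vf_lib.c calls it as well, the comment should state the precondition the commit message relies on: the caller sets vsi->req_txq/req_rxq to the target size first, and a value of 0 falls back to the current allocation, as the visible "vsi->req_txq ? vsi->req_txq : vsi->alloc_txq" line does for Tx. A "Return:" line describing the error value would help too, since the new caller propagates it.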
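Review bot: In the ice_vf_lib.c hunk, the new "if (err) return err;" in ice_vf_reconfig_vsi() exits after "vsi->flags = ICE_VSI_FLAG_NO_INIT;" and after vsi->req_txq/req_rxq have already been overwritten, so on a failed realloc the function reports an error while leaving those fields modified. Consider calling ice_vsi_realloc_stat_arrays() before touching vsi->flags, or restoring the previous req_txq/req_rxq on the error path. A short comment on the vf->num_req_qs == 0 case would also help: the assignment then clears req_txq/req_rxq and the sizing depends on the alloc_txq fallback inside ice_vsi_realloc_stat_arrays(), which is not obvious from this call site.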