[PATCH net] bnxt_en: fix out-of-bounds write in bnxt_alloc_vf_resources()
From: Junrui Luo
Date: Tue Mar 31 2026 - 06:04:11 EST
bnxt_alloc_vf_resources() derives the number of DMA pages for VF HWRM
command buffers from num_vfs and stores them in the fixed-size arrays
hwrm_cmd_req_addr[4] and hwrm_cmd_req_dma_addr[4]. The vf_event_bmap
bitmap is similarly fixed at 128 bits.

If num_vfs exceeds 128, the allocation loop writes past the arrays,
corrupting adjacent fields in bnxt_pf_info.

Add BNXT_MAX_VFS to cap num_vfs at 128, matching the existing array and
bitmap capacity.
Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 ++
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index a97d651130df..cee67ca2955d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1398,6 +1398,8 @@ struct bnxt_vf_info {
};
#endif
+#define BNXT_MAX_VFS 128
+
struct bnxt_pf_info {
#define BNXT_FIRST_PF_FID 1
#define BNXT_FIRST_VF_FID 128
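Review bot: BNXT_MAX_VFS is introduced here as a standalone literal 128, so nothing ties it to the capacities it is meant to protect. The commit message names hwrm_cmd_req_addr[4], hwrm_cmd_req_dma_addr[4] and the 128-bit vf_event_bmap as the limits, but the hunk does not size any of them from the new macro, and a later change to one side would silently reopen the overflow. Consider declaring the bitmap in terms of BNXT_MAX_VFS and adding a build-time assertion that the four request pages cover BNXT_MAX_VFS command buffers. A one-line comment on the define would also help, since it sits directly above BNXT_FIRST_VF_FID, which has the same value for an unrelated reason.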
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index 7f9829287c49..18ac0aaf4166 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -459,6 +459,12 @@ static int bnxt_alloc_vf_resources(struct bnxt *bp, int num_vfs)
struct pci_dev *pdev = bp->pdev;
u32 nr_pages, size, i, j, k = 0;
+ if (num_vfs > BNXT_MAX_VFS) {
+ netdev_warn(bp->dev, "Too many VFs (%d), max is %d\n",
+ num_vfs, BNXT_MAX_VFS);
+ return -EINVAL;
+ }
+
bp->pf.vf = kzalloc_objs(struct bnxt_vf_info, num_vfs);
if (!bp->pf.vf)
return -ENOMEM;
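Review bot: the new guard at the top of bnxt_alloc_vf_resources() only bounds num_vfs from above, while the parameter is a signed int and the loop counters declared just above it (nr_pages, size, i, j, k) are u32. If no caller can pass zero or a negative count, say so in the commit message; otherwise widen the test to something like "if (num_vfs <= 0 || num_vfs > BNXT_MAX_VFS)". Also note that the changelog says the patch will "cap num_vfs at 128", but the code rejects the request with -EINVAL instead of clamping, so the wording should match the behaviour. Since this runs at allocation time, it is worth confirming that every caller unwinds cleanly on the new error return, or moving the check to where num_vfs is first accepted.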
---
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260331-fixes-ee2efcc963a3
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>