Re: [PATCH] RDMA/hns: fix out-of-bounds write in IRQ array during configuration

Next message: Simon Horman: "Re: [PATCH net 1/2] net: mana: Use pci_name() for debugfs directory naming"
Previous message: Simon Horman: "Re: [PATCH net-next v6] net: mana: Expose hardware diagnostic info via debugfs"
Next in thread: Junrui Luo: "Re: [PATCH] RDMA/hns: fix out-of-bounds write in IRQ array during configuration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Sun Apr 12 2026 - 08:51:22 EST

On Sun, Apr 05, 2026 at 04:15:44PM +0800, Junrui Luo wrote:
> hns_roce_hw_v2_get_cfg() writes IRQ vector numbers into hr_dev->irq[]
> using handle->rinfo.num_vectors as the loop bound. num_vectors originates
> from firmware via hclge_query_pf_resource() without validation against
> the array size.
>
> If firmware reports more than 128 MSI-X vectors for RoCE, the loop
> overflows hr_dev->irq[], corrupting adjacent struct members in the
> heap-allocated hns_roce_dev structure.

Is this an actual issue, or just another imagined problem?

Thanks