Re: [PATCH net] ice: fix stats array overflow when VF requests more queues

From: Michal Schmidt

Date: Wed Apr 29 2026 - 18:00:13 EST


On Tue, Apr 28, 2026 at 4:00 PM Przemek Kitszel
<przemyslaw.kitszel@xxxxxxxxx> wrote:
> On 4/27/26 17:18, Michal Schmidt wrote:
> > When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,
> > ice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.
> > The reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()
> > followed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring
> > stats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates
> > alloc_txq/alloc_rxq to the new larger value, but
> > ice_vsi_alloc_stat_arrays() returns early because the stats already
> > exist. ice_vsi_alloc_ring_stats() then iterates using the new larger
> > alloc_txq and writes beyond the bounds of the old, smaller
> > tx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB
> > metadata.
> >
>
> Thank you for reproducing the bug; it is exactly the situation that
> I was facing.
> Have you tried with my proposed (unfortunately not public yet) fix
> to just combine ice_vsi_alloc_stat_arrays() and
> ice_vsi_realloc_stat_arrays() into one function?

I tried that now and the result is: yes, your patch fixes the bug too.
Michal
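
The mechanism in the quoted commit message, reduced to a constructed model (added here as an illustration; this is not the ice driver's code, not Michal's patch, and not Przemek's unpublished one). Names are simplified, the `stats_cap` field is an assumption that the real driver does not have (it exists only so the would-be out-of-bounds write is reported as a return value instead of corrupting the heap), and the "fixed" allocator is one plausible shape of an allocate-or-grow function, not a claim about what either patch actually does:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the VF reconfig path. Not ice driver code. stats_cap is
 * an assumed bookkeeping field used only to make the overflow observable. */
struct ring_stats {
	unsigned long pkts;
	unsigned long bytes;
};

struct vsi {
	unsigned int alloc_txq;            /* Tx queue count after the VF request */
	unsigned int stats_cap;            /* slots tx_ring_stats was allocated with */
	struct ring_stats **tx_ring_stats; /* pointer array, one slot per ring */
};

/* Buggy pattern: return early because the array exists, ignoring that
 * alloc_txq may have grown since it was allocated. */
static int alloc_stat_arrays_buggy(struct vsi *vsi)
{
	if (vsi->tx_ring_stats)
		return 0;
	vsi->tx_ring_stats = calloc(vsi->alloc_txq, sizeof(*vsi->tx_ring_stats));
	if (!vsi->tx_ring_stats)
		return -1;
	vsi->stats_cap = vsi->alloc_txq;
	return 0;
}

/* Allocate-or-grow in one place, so the pointer array always has at least
 * alloc_txq slots before anything iterates over it. */
static int alloc_stat_arrays_fixed(struct vsi *vsi)
{
	struct ring_stats **grown;

	if (vsi->tx_ring_stats && vsi->stats_cap >= vsi->alloc_txq)
		return 0;
	grown = realloc(vsi->tx_ring_stats, vsi->alloc_txq * sizeof(*grown));
	if (!grown)
		return -1;
	/* new tail slots start NULL so the per-ring pass below fills them */
	memset(grown + vsi->stats_cap, 0,
	       (vsi->alloc_txq - vsi->stats_cap) * sizeof(*grown));
	vsi->tx_ring_stats = grown;
	vsi->stats_cap = vsi->alloc_txq;
	return 0;
}

/* Walks alloc_txq slots like the per-ring allocation does. Instead of writing
 * past the end it returns -2 at the first slot beyond stats_cap, which is the
 * write that would hit the neighbouring SLUB object in the real driver. */
static int alloc_ring_stats(struct vsi *vsi)
{
	unsigned int i;

	for (i = 0; i < vsi->alloc_txq; i++) {
		if (i >= vsi->stats_cap)
			return -2; /* out-of-bounds write would happen here */
		if (vsi->tx_ring_stats[i])
			continue;  /* decfg kept the old per-ring stats */
		vsi->tx_ring_stats[i] = calloc(1, sizeof(struct ring_stats));
		if (!vsi->tx_ring_stats[i])
			return -1;
	}
	return 0;
}

/* decfg() leaves the stats alone; cfg() adopts the new queue count and
 * re-runs both allocators. */
static int reconfig_vsi(struct vsi *vsi, unsigned int new_txq,
			int (*alloc_arrays)(struct vsi *))
{
	vsi->alloc_txq = new_txq;
	if (alloc_arrays(vsi))
		return -1;
	return alloc_ring_stats(vsi);
}

static void free_vsi_stats(struct vsi *vsi)
{
	unsigned int i;

	for (i = 0; i < vsi->stats_cap; i++)
		free(vsi->tx_ring_stats[i]);
	free(vsi->tx_ring_stats);
	vsi->tx_ring_stats = NULL;
	vsi->stats_cap = 0;
}

/* Bring a VSI up with 4 queues, then replay a VF request for 16 (constructed
 * numbers). Returns the second pass's result; -2 means the buggy allocator
 * left a 4-slot array for a 16-slot walk. */
static int run_scenario(int (*alloc_arrays)(struct vsi *), unsigned int *cap_out)
{
	struct vsi vsi = { 0 };
	int ret;

	if (reconfig_vsi(&vsi, 4, alloc_arrays))
		return -1;
	ret = reconfig_vsi(&vsi, 16, alloc_arrays);
	if (cap_out)
		*cap_out = vsi.stats_cap;
	free_vsi_stats(&vsi);
	return ret;
}

int buggy_path_result(void) { return run_scenario(alloc_stat_arrays_buggy, NULL); }
int fixed_path_result(void) { return run_scenario(alloc_stat_arrays_fixed, NULL); }
unsigned int fixed_path_capacity(void)
{
	unsigned int cap = 0;

	run_scenario(alloc_stat_arrays_fixed, &cap);
	return cap;
}

int main(void)
{
	printf("buggy: %d, fixed: %d (cap %u)\n", buggy_path_result(),
	       fixed_path_result(), fixed_path_capacity());
	return 0;
}
```

The point the model makes visible is that the early return in the allocator is only safe while the queue count is immutable; once VIRTCHNL_OP_REQUEST_QUEUES can grow it between decfg and cfg, "already allocated" stops implying "large enough", and the check has to compare against the current alloc_txq rather than against the pointer being non-NULL.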