RE: [Intel-wired-lan] [PATCH net] ice: fix stats array overflow when VF requests more queues

From: Romanowski, Rafal

Date: Wed May 20 2026 - 04:08:36 EST


> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf Of
> Przemek Kitszel
> Sent: Monday, May 4, 2026 3:09 PM
> To: Schmidt, Michal <mschmidt@xxxxxxxxxx>
> Cc: intel-wired-lan@xxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Andrew Lunn
> <andrew+netdev@xxxxxxx>; Eric Dumazet <edumazet@xxxxxxxxxx>; Nguyen,
> Anthony L <anthony.l.nguyen@xxxxxxxxx>; netdev@xxxxxxxxxxxxxxx; Keller, Jacob
> E <jacob.e.keller@xxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo Abeni
> <pabeni@xxxxxxxxxx>; David S. Miller <davem@xxxxxxxxxxxxx>
> Subject: Re: [Intel-wired-lan] [PATCH net] ice: fix stats array overflow when VF
> requests more queues
>
> On 4/27/26 17:18, Michal Schmidt wrote:
> > When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,
> > ice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.
> > The reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()
> > followed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring
> > stats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates
> > alloc_txq/alloc_rxq to the new larger value, but
> > ice_vsi_alloc_stat_arrays() returns early because the stats already
> > exist. ice_vsi_alloc_ring_stats() then iterates using the new larger
> > alloc_txq and writes beyond the bounds of the old, smaller
> > tx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB
> > metadata.
> >
> > KASAN detects the bug:
>
> [...]
>
> >
> > ice_vsi_rebuild() handles this correctly by calling
> > ice_vsi_realloc_stat_arrays() before reconfiguration, but
> > ice_vf_reconfig_vsi() was missing this call.
> >
> > Fix by calling ice_vsi_realloc_stat_arrays() in ice_vf_reconfig_vsi()
> > before ice_vsi_decfg(), mirroring the ice_vsi_rebuild() pattern. Set
> > vsi->req_txq/req_rxq from vf->num_req_qs so the realloc function knows
> > the target array size.
> >
> > See the linked RHEL Jira item for a reproducer.
> >
> > Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with
> > ice_vf_reconfig_vsi()")
> > Closes: https://redhat.atlassian.net/browse/RHEL-164321
> > Signed-off-by: Michal Schmidt <mschmidt@xxxxxxxxxx>
>
> I have an unpublished fix for the same issue, but your patch is smaller, and thus
> more suitable for net-
>
> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@xxxxxxxxx>
>
> thank you
>
> > Assisted-by: Claude:claude-opus-4-6 semcode
> > ---
> > drivers/net/ethernet/intel/ice/ice_lib.c | 2 +-
> > drivers/net/ethernet/intel/ice/ice_lib.h | 1 +
> > drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 +++++++
> > 3 files changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c
> > b/drivers/net/ethernet/intel/ice/ice_lib.c
> > index 837b71b7b2b7..fc78176a2a8d 100644
> > --- a/drivers/net/ethernet/intel/ice/ice_lib.c
> > +++ b/drivers/net/ethernet/intel/ice/ice_lib.c
> > @@ -3015,7 +3015,7 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi,

Tested-by: Rafal Romanowski <rafal.romanowski@xxxxxxxxx>
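
A C model of the path the commit message describes, added here as an illustration; it is not code from the ice driver or from anyone in this thread. The functions are named after the driver functions they stand in for but are simplifications, and stats_cap is an invented field that turns the out-of-bounds write into a -1 return so the model can show the failure without corrupting its own heap. vf_reconfig_buggy() follows the pre-fix decfg/cfg sequence in which ice_vsi_alloc_stat_arrays() returns early and ice_vsi_alloc_ring_stats() walks the new, larger alloc_txq; vf_reconfig_fixed() sets req_txq from num_req_qs and reallocates the pointer array before decfg/cfg, as the patch does.

```c
#include <stdlib.h>
#include <string.h>

/* Model only: stand-ins for the ice driver structures, not the real ones. */
struct ring_stats { unsigned long pkts, bytes; };

struct vsi {
	unsigned int alloc_txq;            /* queue count the VSI is configured for */
	unsigned int req_txq;              /* target count the realloc reads */
	struct ring_stats **tx_ring_stats; /* per-queue stats pointer array */
	unsigned int stats_cap;            /* invented: real capacity of the array, for overflow detection */
};

struct vf {
	unsigned int num_req_qs;           /* set by the VIRTCHNL_OP_REQUEST_QUEUES handler */
	struct vsi vsi;
};

/* ice_vsi_alloc_stat_arrays() analogue: allocate once, return early if present. */
static int alloc_stat_arrays(struct vsi *vsi)
{
	if (vsi->tx_ring_stats)
		return 0;                  /* the early return the bug hinges on */
	vsi->tx_ring_stats = calloc(vsi->alloc_txq, sizeof(*vsi->tx_ring_stats));
	if (!vsi->tx_ring_stats)
		return -1;
	vsi->stats_cap = vsi->alloc_txq;
	return 0;
}

/* ice_vsi_alloc_ring_stats() analogue: one stats object per slot up to alloc_txq.
 * The driver writes past the old array at this point; the model returns -1 instead. */
static int alloc_ring_stats(struct vsi *vsi)
{
	for (unsigned int i = 0; i < vsi->alloc_txq; i++) {
		if (i >= vsi->stats_cap)
			return -1;         /* slot beyond the array: the KASAN-reported write */
		if (!vsi->tx_ring_stats[i] &&
		    !(vsi->tx_ring_stats[i] = calloc(1, sizeof(struct ring_stats))))
			return -1;
	}
	return 0;
}

/* ice_vsi_realloc_stat_arrays() analogue: grow to req_txq, keeping existing entries. */
static int realloc_stat_arrays(struct vsi *vsi)
{
	struct ring_stats **grown;

	if (vsi->req_txq <= vsi->stats_cap)
		return 0;                  /* shrinking keeps the larger array */
	grown = calloc(vsi->req_txq, sizeof(*grown));
	if (!grown)
		return -1;
	if (vsi->stats_cap)
		memcpy(grown, vsi->tx_ring_stats, vsi->stats_cap * sizeof(*grown));
	free(vsi->tx_ring_stats);
	vsi->tx_ring_stats = grown;
	vsi->stats_cap = vsi->req_txq;
	return 0;
}

/* ice_vsi_decfg() + ice_vsi_cfg() analogue: decfg leaves the stats alone, cfg re-derives
 * the queue count from the VF request (ice_vsi_set_num_qs) and then (re)allocates stats. */
static int vsi_decfg_cfg(struct vf *vf)
{
	vf->vsi.alloc_txq = vf->num_req_qs;
	if (alloc_stat_arrays(&vf->vsi))
		return -1;
	return alloc_ring_stats(&vf->vsi);
}

/* Pre-fix ice_vf_reconfig_vsi(): the stats arrays are never resized. */
int vf_reconfig_buggy(struct vf *vf)
{
	return vsi_decfg_cfg(vf);
}

/* Fixed path as the commit message describes it: publish the target in req_txq
 * and realloc before decfg/cfg. */
int vf_reconfig_fixed(struct vf *vf)
{
	vf->vsi.req_txq = vf->num_req_qs;
	if (realloc_stat_arrays(&vf->vsi))
		return -1;
	return vsi_decfg_cfg(vf);
}

/* First configuration of a VF with n queues; release with vf_free(). */
int vf_init(struct vf *vf, unsigned int n)
{
	memset(vf, 0, sizeof(*vf));
	vf->num_req_qs = n;
	return vsi_decfg_cfg(vf);
}

void vf_free(struct vf *vf)
{
	for (unsigned int i = 0; i < vf->vsi.stats_cap; i++)
		free(vf->vsi.tx_ring_stats[i]);
	free(vf->vsi.tx_ring_stats);
	memset(&vf->vsi, 0, sizeof(vf->vsi));
}
```

With a VF first configured for 4 queues and then requesting 16, the buggy path fails at slot 4 while the fixed path ends with a 16-slot array and a stats object in every slot; a later request for 2 queues keeps the 16-slot array, since the realloc only grows it.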