Re: [RFC PATCH] RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

[Ding Hui]

On 2025/12/21 23:47, Kalesh Anakkur Purayil wrote:
> On Mon, Dec 8, 2025 at 12:52 PM Ding Hui <dinghui@xxxxxxxxxxxxxx> wrote:
> > Recently we encountered an OOB write issue on BCM957414A4142CC with outbox
> > NetXtreme-E-235.1.160.0 driver from broadcom. After a litte research,
> > we found the inbox driver from upstream maybe have the same issue.
> >
> > The commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters
> > update") introduced 3 counters, and appended after BNXT_RE_OUT_OF_SEQ_ERR.
> >
> > However, BNXT_RE_OUT_OF_SEQ_ERR serves as a boundary marker for allocating
> > hw stats with different num_counters for chip_gen_p5_p7 hardware.
> >
> > For BNXT_RE_NUM_STD_COUNTERS allocated hw_stats, leading to an
> > out-of-bounds write in bnxt_re_copy_err_stats().
> >
> > It seems like that the BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR,
> > and BNXT_RE_RESP_REMOTE_ACCESS_ERRS can be updated for generic hardware,
> > not only for p5/p7 hardware.
> >
> > Fix this by moving them before BNXT_RE_OUT_OF_SEQ_ERR so they become
> > part of the generic counter.
> >
> > Compile tested only.
> >
> > Fixes: ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update")
> > Reported-by: Yingying Zheng <zhengyingying@xxxxxxxxxxxxxx>
> > Signed-off-by: Ding Hui <dinghui@xxxxxxxxxxxxxx>
>
> Thank you Ding, the fix looks good to me and I have verified it locally.

Thanks for confirming.

Do I need to resend the patch without RFC prefix and update some commit log,
such as getting rid of the first paragraph about the outbox driver?

> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@xxxxxxxxxxxx>
> Tested-by: Kalesh AP <kalesh-anakkur.purayil@xxxxxxxxxxxx>

--
Thanks,
- Ding Hui