Re: [v6,net-next,8/8] bng_en: Add support for TPA events

[Bhargava Chenna Marreddy]

On Tue, Jan 27, 2026 at 8:53 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
>
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> bng_en: Add support for TPA events
>
> This commit enables TPA (Transport Protocol Aggregation) functionality
> in the VNIC and adds functions to handle TPA events for LRO/GRO
> processing.
>
> > +static void bnge_tpa_agg(struct bnge_net *bn, struct bnge_rx_ring_info *rxr,
> > +                      struct rx_agg_cmp *rx_agg)
> > +{
> > +     u16 agg_id = TPA_AGG_AGG_ID(rx_agg);
> > +     struct bnge_tpa_info *tpa_info;
> > +
> > +     agg_id = bnge_lookup_agg_idx(rxr, agg_id);
> > +     tpa_info = &rxr->rx_tpa[agg_id];
> > +
> > +     tpa_info->agg_arr[tpa_info->agg_count++] = *rx_agg;
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> The agg_arr is allocated with MAX_SKB_FRAGS entries, but there is no
> bounds check before writing to it. The bnxt driver has a BUG_ON guard
> at this location:
>
>     BUG_ON(tpa_info->agg_count >= MAX_SKB_FRAGS);
>
> Is there a reason this check was omitted? While the check in
> bnge_tpa_end() catches agg_bufs > MAX_SKB_FRAGS, that happens after
> the aggregation completions have already been stored. If hardware
> misbehaves and sends more aggregation completions than expected, could
> this overflow agg_arr[]?

We didn't include the BUG_ON as per this discussion,
https://lore.kernel.org/netdev/20251225125229.GL11869@unreal/

We plan to address this HW misbehavior using a recovery mechanism in a
follow-up patch series.
Please let me know if you agree with this plan.

Thanks,
Bhargava Marreddy

>
> > +}
> --
> pw-bot: cr

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature