Re: [v6,net-next,8/8] bng_en: Add support for TPA events
From: Jakub Kicinski
Date: Tue Jan 27 2026 - 13:55:42 EST
On Tue, 27 Jan 2026 23:28:46 +0530 Bhargava Chenna Marreddy wrote:
> > The agg_arr is allocated with MAX_SKB_FRAGS entries, but there is no
> > bounds check before writing to it. The bnxt driver has a BUG_ON guard
> > at this location:
> >
> > BUG_ON(tpa_info->agg_count >= MAX_SKB_FRAGS);
> >
> > Is there a reason this check was omitted? While the check in
> > bnge_tpa_end() catches agg_bufs > MAX_SKB_FRAGS, that happens after
> > the aggregation completions have already been stored. If hardware
> > misbehaves and sends more aggregation completions than expected, could
> > this overflow agg_arr[]?
>
> We didn't include the BUG_ON as per this discussion,
> https://lore.kernel.org/netdev/20251225125229.GL11869@unreal/
Oh, interesting. I couldn't find it in the patch; I assumed it's out of
context. Sounds like AI has imagined it again :|
> We plan to address this HW misbehavior using a recovery mechanism in a
> follow-up patch series.
> Please let me know if you agree with this plan.
IIUC you're referring to issues like "leaking" the ID which is then
recovered by doing a TPA / queue reset. I'm fine with deferring that.
Simple bugs like potential OOB memory accesses have to be handled.
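
An added illustration of the bounds check discussed in this thread, written as a standalone user-space model; it is not code from the bng_en or bnxt drivers or from either author. The structure layout, the `needs_reset` flag, the `canary` field and the function names are hypothetical, and `MAX_SKB_FRAGS` is given an assumed value of 17. The index is checked before each store into `agg_arr[]`, so surplus completions are dropped and flagged instead of written past the array or trapped with `BUG_ON`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel constant; 17 is assumed here for the model. */
#define MAX_SKB_FRAGS 17

/* Hypothetical, simplified stand-ins for the driver's structures. */
struct agg_cmp { uint32_t opaque; uint16_t len; };

struct tpa_info_model {
    struct agg_cmp agg_arr[MAX_SKB_FRAGS];
    uint32_t canary;     /* sits right after agg_arr to expose an overflow */
    uint16_t agg_count;
    bool needs_reset;    /* hypothetical flag for a later recovery path */
};

/* Store one aggregation completion; check the index before the write. */
int tpa_agg_store(struct tpa_info_model *t, const struct agg_cmp *c)
{
    if (t->agg_count >= MAX_SKB_FRAGS) {
        t->needs_reset = true;   /* drop the completion, do not crash */
        return -1;
    }
    t->agg_arr[t->agg_count++] = *c;
    return 0;
}

/* Feed n constructed completions; return how many were dropped. */
int tpa_feed(struct tpa_info_model *t, unsigned int n)
{
    int dropped = 0;
    for (unsigned int i = 0; i < n; i++) {
        struct agg_cmp c = { .opaque = i, .len = 1500 };
        if (tpa_agg_store(t, &c) < 0)
            dropped++;
    }
    return dropped;
}

int main(void)
{
    struct tpa_info_model t = { .canary = 0xC0FFEEu };
    int dropped = tpa_feed(&t, MAX_SKB_FRAGS + 3);
    printf("dropped=%d canary_ok=%d\n", dropped, t.canary == 0xC0FFEEu);
    return 0;
}
```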