Re: [PATCH net] bnxt_en: fix out-of-bounds write in bnxt_alloc_vf_resources()

Next message: Masami Hiramatsu (Google): "[RESEND PATCH v16 0/5] ring-buffer: Making persistent ring buffers robust"
Previous message: SeongJae Park: "[RFC PATCH v3 10/10] selftests/damon/sysfs.py: test failed region quota charge ratio"
In reply to: Paolo Abeni: "Re: [PATCH net] bnxt_en: fix out-of-bounds write in bnxt_alloc_vf_resources()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Mon Apr 06 2026 - 21:11:28 EST

On Tue, 31 Mar 2026 17:57:10 +0800 Junrui Luo wrote:
> bnxt_alloc_vf_resources() derives the number of DMA pages for VF HWRM
> command buffers from num_vfs and stores them in the fixed-size arrays
> hwrm_cmd_req_addr[4] and hwrm_cmd_req_dma_addr[4]. The vf_event_bmap
> bitmap is similarly fixed at 128 bits.
>
> If num_vfs exceeds 128, the allocation loop writes past the arrays,
> corrupting adjacent fields in bnxt_pf_info.
>
> Add BNXT_MAX_VFS to cap num_vfs at 128, matching the existing array and
> bitmap capacity.
>
> Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>

Quick Google search reveals that BCM957608 is supposed to support
1k VFs so I suspect Broadcom may be scrambling for a real fix here.
I'll drop this from patchwork.

Michael, if my hunch is correct please make sure to credit the reporter.
If you just need more time to validate - please take this in and repost
once ready. patches older than 1 week "fall out" of our patch tracking
:(