Re: [PATCH net] ice: fix stats array overflow when VF requests more queues

From: Simon Horman

Date: Wed Apr 29 2026 - 06:33:28 EST


On Mon, Apr 27, 2026 at 05:18:26PM +0200, Michal Schmidt wrote:
> When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,
> ice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.
> The reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()
> followed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring
> stats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates
> alloc_txq/alloc_rxq to the new larger value, but
> ice_vsi_alloc_stat_arrays() returns early because the stats already
> exist. ice_vsi_alloc_ring_stats() then iterates using the new larger
> alloc_txq and writes beyond the bounds of the old, smaller
> tx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB
> metadata.

...

> See the linked RHEL Jira item for a reproducer.
>
> Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()")
> Closes: https://redhat.atlassian.net/browse/RHEL-164321
> Signed-off-by: Michal Schmidt <mschmidt@xxxxxxxxxx>
> Assisted-by: Claude:claude-opus-4-6 semcode

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>


FTR: There is an AI-generated review of this patch available on sashiko.dev.
I believe the issues flagged there pre-date this patch and do not impact
this patch. So while I do not think they should block progress of this
patch, I suggest looking over them to see if any follow-up is warranted.
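
The failure pattern described in the quoted commit message, as an added example that is not part of this thread, the ice driver, or the patch: a simplified userspace C model in which an "already allocated" early return keeps a pointer array sized for the old queue count. All struct and function names are hypothetical, the queue counts used with it are constructed, and the guarded variant is a generic remedy assumed here, not the fix the patch applies. The model only counts the slots a per-ring loop would write out of bounds; it performs no such write.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model; these names are not the ice driver's. */
struct ring_stats { unsigned long pkts, bytes; };
struct vsi_model {
    unsigned int alloc_q;           /* queue count after the latest request */
    unsigned int stats_cap;         /* entries actually allocated in ring_stats[] */
    struct ring_stats **ring_stats; /* per-ring pointer array */
};

/* Flawed pattern: "already allocated" is treated as "correctly sized". */
int alloc_stat_array_stale(struct vsi_model *v)
{
    if (v->ring_stats)
        return 0;                   /* old, smaller array is kept as-is */
    v->ring_stats = calloc(v->alloc_q, sizeof(*v->ring_stats));
    if (!v->ring_stats)
        return -1;
    v->stats_cap = v->alloc_q;
    return 0;
}

/* Guarded variant (assumption, not the patch's fix): grow when the count rises. */
int alloc_stat_array_checked(struct vsi_model *v)
{
    struct ring_stats **p;

    if (v->alloc_q <= v->stats_cap)
        return 0;                   /* existing array already covers every queue */
    p = realloc(v->ring_stats, v->alloc_q * sizeof(*p));
    if (!p)
        return -1;
    /* Zero only the newly added slots so later per-ring setup sees NULL. */
    memset(p + v->stats_cap, 0, (v->alloc_q - v->stats_cap) * sizeof(*p));
    v->ring_stats = p;
    v->stats_cap = v->alloc_q;
    return 0;
}

/* Apply a new queue count, then report how many slots a loop over alloc_q
 * would write past the end of ring_stats[] (0 means in bounds, -1 on ENOMEM). */
int reconfig(struct vsi_model *v, unsigned int new_q,
             int (*alloc)(struct vsi_model *))
{
    v->alloc_q = new_q;
    if (alloc(v))
        return -1;
    return v->alloc_q > v->stats_cap ? (int)(v->alloc_q - v->stats_cap) : 0;
}
```

Calling `reconfig()` first with 4 queues and then with 16 reports 12 out-of-bounds slots for the stale allocator and 0 for the guarded one.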