[PATCH net] iavf: validate num_vsis in VIRTCHNL_OP_GET_VF_RESOURCES response
From: Junrui Luo
Date: Wed May 13 2026 - 04:56:01 EST
The VF allocates a fixed-size buffer for IAVF_MAX_VF_VSI (3) VSI
entries when processing a VIRTCHNL_OP_GET_VF_RESOURCES response from
the PF. However, num_vsis from the PF response is used unchecked as
the loop bound when iterating over vsi_res[] in multiple functions.
A PF sending num_vsis greater than IAVF_MAX_VF_VSI leads to
out-of-bounds accesses on the vsi_res[] array.

Clamp num_vsis to IAVF_MAX_VF_VSI in iavf_validate_num_queues(),
following the same pattern already used for num_queue_pairs.

Fixes: 5eae00c57f5e ("i40evf: main driver core")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index a52c100dcbc5..2ebfb65a6f3b 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -254,6 +254,12 @@ int iavf_send_vf_ptp_caps_msg(struct iavf_adapter *adapter)
**/
static void iavf_validate_num_queues(struct iavf_adapter *adapter)
{
+ if (adapter->vf_res->num_vsis > IAVF_MAX_VF_VSI) {
+ dev_info(&adapter->pdev->dev, "Received %d VSIs, but can only have a max of %d\n",
+ adapter->vf_res->num_vsis, IAVF_MAX_VF_VSI);
+ adapter->vf_res->num_vsis = IAVF_MAX_VF_VSI;
+ }
+
if (adapter->vf_res->num_queue_pairs > IAVF_MAX_REQ_QUEUES) {
struct virtchnl_vsi_resource *vsi_res;
int i;
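Review bot: The new clamp at the top of iavf_validate_num_queues() only protects the vsi_res[] loops if this function runs on every path that stores a fresh VIRTCHNL_OP_GET_VF_RESOURCES response, and before any of the "multiple functions" mentioned in the commit message iterate the array. The hunk does not show the caller, so please name the call site in the commit message or place the check next to the code that copies the PF response into vf_res, so a later caller cannot skip it. Two smaller points on the same lines: the function name and the kernel-doc block ending in `**/` describe queue validation only, so the comment should be updated to say that num_vsis is now validated here as well; and since a PF reporting more than IAVF_MAX_VF_VSI entries is out of spec rather than routine, dev_warn() may fit better than dev_info() for `"Received %d VSIs, but can only have a max of %d\n"`.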
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260513-fixes-26ec29fa50a5
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>