RE: [Intel-wired-lan] [PATCH net v2] iavf: validate num_vsis in VIRTCHNL_OP_GET_VF_RESOURCES response
From: Romanowski, Rafal
Date: Wed Jun 17 2026 - 03:55:07 EST
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf Of Simon
> Horman
> Sent: Monday, May 18, 2026 8:56 PM
> To: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Cc: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>; Kitszel, Przemyslaw
> <przemyslaw.kitszel@xxxxxxxxx>; Andrew Lunn <andrew+netdev@xxxxxxx>;
> David S. Miller <davem@xxxxxxxxxxxxx>; Eric Dumazet
> <edumazet@xxxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo Abeni
> <pabeni@xxxxxxxxxx>; Mitch Williams <mitch.a.williams@xxxxxxxxx>; Greg Rose
> <gregory.v.rose@xxxxxxxxx>; intel-wired-lan@xxxxxxxxxxxxxxxx;
> netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Yuhao Jiang
> <danisjiang@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx
> Subject: Re: [Intel-wired-lan] [PATCH net v2] iavf: validate num_vsis in
> VIRTCHNL_OP_GET_VF_RESOURCES response
>
> On Thu, May 14, 2026 at 02:55:04PM +0800, Junrui Luo wrote:
> > The VF allocates a fixed-size buffer for IAVF_MAX_VF_VSI (3) VSI
> > entries when processing a VIRTCHNL_OP_GET_VF_RESOURCES response from
> > the PF. However, num_vsis from the PF response is used unchecked as
> > the loop bound when iterating over vsi_res[] in multiple functions.
> >
> > A PF sending num_vsis greater than IAVF_MAX_VF_VSI, or a received
> > message that is shorter than num_vsis claims, leads to out-of-bounds
> > accesses on the vsi_res[] array.
> >
> > Clamp num_vsis based on the actual bytes copied from the PF response.
> >
> > Fixes: 5eae00c57f5e ("i40evf: main driver core")
> > Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> > ---
> > Changes in v2:
> > - Clamp num_vsis based on actual received message length instead of
> > IAVF_MAX_VF_VSI suggested by Przemek
> > - Link to v1:
> >   https://lore.kernel.org/r/SYBPR01MB7881AF11C45AEDC0D4CA89C1AF062@SYBPR01MB7881.ausprd01.prod.outlook.com
>
> Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
>
> There is an AI-generated review of this patchset available on sashiko.dev.
> However, I believe that the issues raised there can be considered in the context of
> possible follow-up. I do not believe they should block progress of this patch.
Tested-by: Rafal Romanowski <rafal.romanowski@xxxxxxxxx>
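
The clamp described in the commit message, as an added user-space example that is not the patch or the iavf driver's code. The demo_* structures and functions are hypothetical, simplified stand-ins; only IAVF_MAX_VF_VSI (3), num_vsis and vsi_res[] are taken from the message above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IAVF_MAX_VF_VSI 3 /* value stated in the commit message */

/* Simplified stand-ins for the virtchnl structures (assumed layout). */
struct demo_vsi_res { uint16_t vsi_id, num_queue_pairs; };
struct demo_vf_res {
    uint16_t num_vsis; /* count claimed by the PF, untrusted */
    struct demo_vsi_res vsi_res[IAVF_MAX_VF_VSI];
};

/* Copy at most sizeof(*dst) bytes, then clamp num_vsis to the whole
 * vsi_res[] entries actually received. Returns the count, -1 if no header. */
int demo_copy_vf_res(struct demo_vf_res *dst, const uint8_t *msg, size_t msg_len)
{
    size_t hdr = offsetof(struct demo_vf_res, vsi_res);
    size_t len = msg_len < sizeof(*dst) ? msg_len : sizeof(*dst);
    size_t avail;

    if (len < hdr)
        return -1;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, msg, len);
    avail = (len - hdr) / sizeof(dst->vsi_res[0]);
    if (dst->num_vsis > avail)
        dst->num_vsis = (uint16_t)avail;
    return dst->num_vsis;
}

/* Constructed PF response: header claims `claimed`, body carries `sent`. */
size_t demo_build_msg(uint8_t *out, uint16_t claimed, unsigned sent)
{
    struct demo_vsi_res v = { 0, 4 };
    size_t off = offsetof(struct demo_vf_res, vsi_res);

    memset(out, 0, off);
    memcpy(out, &claimed, sizeof(claimed));
    for (unsigned i = 0; i < sent; i++, off += sizeof(v)) {
        v.vsi_id = (uint16_t)(100 + i);
        memcpy(out + off, &v, sizeof(v));
    }
    return off;
}
```

Because the bound comes from the bytes copied rather than from the claimed count, both cases in the commit message (a count above IAVF_MAX_VF_VSI and a message shorter than the count implies) end with a loop bound that stays inside vsi_res[].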