Re: [PATCH net] ice: fix stats array overflow when VF requests more queues

[Przemek Kitszel]

On 4/29/26 23:59, Michal Schmidt wrote:
> On Tue, Apr 28, 2026 at 4:00 PM Przemek Kitszel
> <przemyslaw.kitszel@xxxxxxxxx> wrote:
> > On 4/27/26 17:18, Michal Schmidt wrote:
> > > When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,
> > > ice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.
> > > The reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()
> > > followed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring
> > > stats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates
> > > alloc_txq/alloc_rxq to the new larger value, but
> > > ice_vsi_alloc_stat_arrays() returns early because the stats already
> > > exist. ice_vsi_alloc_ring_stats() then iterates using the new larger
> > > alloc_txq and writes beyond the bounds of the old, smaller
> > > tx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB
> > > metadata.
> >
> > thank you for reproducing the bug, it is exactly the situation that
> > I was facing
> > have you tried with my proposed (unfortunately not public yet) fix
> > to just combine ice_vsi_alloc_stat_arrays() and
> > ice_vsi_realloc_stat_arrays() into one function?
>
> I tried that now and the result is: yes, your patch fixes the bug too.
> Michal

Hi,
are you going to make your patch more robust against on CHNL VSIs?
https://lore.kernel.org/netdev/20260523001618.1757240-1-kuba@xxxxxxxxxx

alternatively I could sent my "alternative fix" which covers that case