The VF allocates a fixed-size buffer for IAVF_MAX_VF_VSI (3) VSI
entries when processing a VIRTCHNL_OP_GET_VF_RESOURCES response from
the PF. However, num_vsis from the PF response is used unchecked as
the loop bound when iterating over vsi_res[] in multiple functions.

A PF sending num_vsis greater than IAVF_MAX_VF_VSI leads to
out-of-bounds accesses on the vsi_res[] array.

Clamp num_vsis to IAVF_MAX_VF_VSI in iavf_validate_num_queues(),
following the same pattern already used for num_queue_pairs.

Fixes: 5eae00c57f5e ("i40evf: main driver core")
Reported-by: Yuhao Jiang <[email protected]>
Cc: [email protected]
Signed-off-by: Junrui Luo <[email protected]>
---
 drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c 
b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index a52c100dcbc5..2ebfb65a6f3b 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -254,6 +254,12 @@ int iavf_send_vf_ptp_caps_msg(struct iavf_adapter *adapter)
  **/
 static void iavf_validate_num_queues(struct iavf_adapter *adapter)
 {
+       if (adapter->vf_res->num_vsis > IAVF_MAX_VF_VSI) {
+               dev_info(&adapter->pdev->dev, "Received %d VSIs, but can only 
have a max of %d\n",
+                        adapter->vf_res->num_vsis, IAVF_MAX_VF_VSI);
+               adapter->vf_res->num_vsis = IAVF_MAX_VF_VSI;
+       }
+
        if (adapter->vf_res->num_queue_pairs > IAVF_MAX_REQ_QUEUES) {
                struct virtchnl_vsi_resource *vsi_res;
                int i;
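Review bot: The num_vsis clamp at the top of iavf_validate_num_queues() only protects the vsi_res[] loops that run after this function has been called, and the function name and the kernel-doc closing just above it still describe queue validation only. Please confirm in the commit message that every path handling a VIRTCHNL_OP_GET_VF_RESOURCES response reaches this function before any vsi_res[] iteration, and update the kernel-doc (or rename the helper) so the VSI check is discoverable. Since a PF reporting more VSIs than the VF allocated room for is not routine information, dev_warn() may fit better than dev_info(). The format string in the dev_info() call also appears wrapped across two lines in this mail, which would keep the patch from applying as sent.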

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260513-fixes-26ec29fa50a5

Best regards,
-- 
Junrui Luo <[email protected]>
