> -----Original Message----- > From: Intel-wired-lan <[email protected]> On Behalf > Of Junrui Luo > Sent: Thursday, May 14, 2026 8:55 AM > To: Nguyen, Anthony L <[email protected]>; Kitszel, > Przemyslaw <[email protected]>; Andrew Lunn > <[email protected]>; David S. Miller <[email protected]>; Eric > Dumazet <[email protected]>; Jakub Kicinski <[email protected]>; Paolo > Abeni <[email protected]>; Mitch Williams > <[email protected]>; Greg Rose <[email protected]> > Cc: [email protected]; [email protected]; linux- > [email protected]; Yuhao Jiang <[email protected]>; > [email protected]; Junrui Luo <[email protected]> > Subject: [Intel-wired-lan] [PATCH net v2] iavf: validate num_vsis in > VIRTCHNL_OP_GET_VF_RESOURCES response > > The VF allocates a fixed-size buffer for IAVF_MAX_VF_VSI (3) VSI > entries when processing a VIRTCHNL_OP_GET_VF_RESOURCES response from > the PF. However, num_vsis from the PF response is used unchecked as > the loop bound when iterating over vsi_res[] in multiple functions. > > A PF sending num_vsis greater than IAVF_MAX_VF_VSI, or the received > message is shorter than num_vsis claims leads to out-of-bounds > accesses on the vsi_res[] array. > > Clamp num_vsis based on the actual bytes copied from the PF response. > > Fixes: 5eae00c57f5e ("i40evf: main driver core") > Reported-by: Yuhao Jiang <[email protected]> > Cc: [email protected] > Signed-off-by: Junrui Luo <[email protected]> > --- > Changes in v2: > - Clamp num_vsis based on actual received message length instead of > IAVF_MAX_VF_VSI suggested by Przemek > - Link to v1: > https://lore.kernel.org/r/SYBPR01MB7881AF11C45AEDC0D4CA89C1AF062@SYBPR > 01MB7881.ausprd01.prod.outlook.com > --- > drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 26 > ++++++++++++++++++++----- > 1 file changed, 21 insertions(+), 5 deletions(-) > > diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c > b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c > index a52c100dcbc5..1f9a2fc70084 100644 > --- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c > +++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c > @@ -248,12 +248,28 @@ int iavf_send_vf_ptp_caps_msg(struct > iavf_adapter *adapter) > /** > * iavf_validate_num_queues > * @adapter: adapter structure > + * @msglen: length of the received VF resource message > * > - * Validate that the number of queues the PF has sent in > - * VIRTCHNL_OP_GET_VF_RESOURCES is not larger than the VF can handle. > + * Validate the VIRTCHNL_OP_GET_VF_RESOURCES response from the PF. > + Ensure > + * num_vsis does not exceed what the message length can cover, and > cap > + * num_queue_pairs to the VF maximum. > **/ > -static void iavf_validate_num_queues(struct iavf_adapter *adapter) > +static void iavf_validate_num_queues(struct iavf_adapter *adapter, > u16 > +msglen) > { > + u16 max_vsis; > + > + if (msglen < sizeof(struct virtchnl_vf_resource)) > + max_vsis = 0; > + else > + max_vsis = (msglen - sizeof(struct > virtchnl_vf_resource)) / > + sizeof(struct virtchnl_vsi_resource); > + > + if (adapter->vf_res->num_vsis > max_vsis) { > + dev_info(&adapter->pdev->dev, "Received %d VSIs, but > message can only cover %d\n", > + adapter->vf_res->num_vsis, max_vsis); > + adapter->vf_res->num_vsis = max_vsis; > + } > + > if (adapter->vf_res->num_queue_pairs > IAVF_MAX_REQ_QUEUES) { > struct virtchnl_vsi_resource *vsi_res; > int i; > @@ -300,7 +316,7 @@ int iavf_get_vf_config(struct iavf_adapter > *adapter) > * we aren't getting too many queues > */ > if (!err) > - iavf_validate_num_queues(adapter); > + iavf_validate_num_queues(adapter, min(event.msg_len, > len)); > iavf_vf_parse_hw_config(hw, adapter->vf_res); > > kfree(event.msg_buf); > @@ -2609,7 +2625,7 @@ void iavf_virtchnl_completion(struct > iavf_adapter *adapter, > u16 len = IAVF_VIRTCHNL_VF_RESOURCE_SIZE; > > memcpy(adapter->vf_res, msg, min(msglen, len)); > - iavf_validate_num_queues(adapter); > + iavf_validate_num_queues(adapter, min(msglen, len)); > iavf_vf_parse_hw_config(&adapter->hw, adapter->vf_res); > if (is_zero_ether_addr(adapter->hw.mac.addr)) { > /* restore current mac address */ > > --- > base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d > change-id: 20260514-fixes-a6c4176c0c6a > > Best regards, > -- > Junrui Luo <[email protected]>
Reviewed-by: Aleksandr Loktionov <[email protected]>
