On Thu, May 14, 2026 at 02:55:04PM +0800, Junrui Luo wrote:
> The VF allocates a fixed-size buffer for IAVF_MAX_VF_VSI (3) VSI
> entries when processing a VIRTCHNL_OP_GET_VF_RESOURCES response from
> the PF. However, num_vsis from the PF response is used unchecked as
> the loop bound when iterating over vsi_res[] in multiple functions.
>
> A PF sending num_vsis greater than IAVF_MAX_VF_VSI, or the received
> message is shorter than num_vsis claims leads to out-of-bounds accesses
> on the vsi_res[] array.
>
> Clamp num_vsis based on the actual bytes copied from the PF response.
>
> Fixes: 5eae00c57f5e ("i40evf: main driver core")
> Reported-by: Yuhao Jiang <[email protected]>
> Cc: [email protected]
> Signed-off-by: Junrui Luo <[email protected]>
> ---
> Changes in v2:
> - Clamp num_vsis based on actual received message length instead of
> IAVF_MAX_VF_VSI suggested by Przemek
> - Link to v1:
> https://lore.kernel.org/r/sybpr01mb7881af11c45aedc0d4ca89c1af...@sybpr01mb7881.ausprd01.prod.outlook.com
Reviewed-by: Simon Horman <[email protected]>
There is an AI-generated review of this patchset available on sashiko.dev.
However, I believe that the issues raised there can be considered in
the context of possible follow-up. I do not believe they should block
progress of this patch.
