From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54985175A99; Tue, 7 Apr 2026 01:11:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775524263; cv=none; b=Wxv/E8L0lmxqFp4h+8Ddmd50ECu6ZxMAprYd1Vb8Xj6uuCzDn0aFsZxzisjSniENuvoh9uZmhXbMAhQd/yRv0PYFZV6IexON35dZbWrRdQOL1H5e3pYp3EtEA71U9SWwPOJZ2Q4cFzN9VzG6xeiE7isFO3nBFWgSgRxTo19XrEc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775524263; c=relaxed/simple; bh=ZXj38vIObp9F072c7DsHoOrcRUp7uumJB+k9WQ9WWSk=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=E1ZBpxeoNqNF16PdR34m/CYHNqeEpkLuHx2uJ1CRAjGQtDBZysKjAUPgSvg8GQ6yuW11ZxD0b+1TagLqB0MMy+FHI8/uQsVxunBz84ghjn+tlri0NI5D4BNVhdZn7k5m2/srGzWlv5bMOJmn8gfNvCb9y4JcU1cQJE966tZs748= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VMul48R1; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VMul48R1" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 44B81C4CEF7; Tue, 7 Apr 2026 01:11:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1775524262; bh=ZXj38vIObp9F072c7DsHoOrcRUp7uumJB+k9WQ9WWSk=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=VMul48R1xrmVSQU7SBY3Ame7NN/BxhhhXrJ8nJdd1y9ECZh/Ee6I5kwBodFkL5Cxr wk+qe9N+k0XggF+nhOO2YZ7GEEqpHCb2ke5/RwUT+/x6H5emeaGBG863JtzfFTDWli vGvJ6fMpvkicREeMkDNN4k9e3F8WUeFEZbZ1QNbl2iu64olH5w46qwq/qcA6pcrp5s 2wyoBFAPaHWfbXhsAhucrPot5fbpaR3/KM6Ayv3SzxswEgNPt4dPk+/8I8GuhoXw9k JOmIj+RqJozXtcVLVFo43QYzAao+slLywxyheTIRdg2PD+JC3CbiX0xgtQrT7YmwPu v0nE3rVvUHsKQ== Date: Mon, 6 Apr 2026 18:11:01 -0700 From: Jakub Kicinski To: Michael Chan Cc: Junrui Luo , Michael Chan , Pavan Chebbi , Andrew Lunn , "David S. Miller" , Eric Dumazet , Paolo Abeni , Prashant Sreedharan , Jeffrey Huang , Eddie Wai , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Yuhao Jiang , stable@vger.kernel.org Subject: Re: [PATCH net] bnxt_en: fix out-of-bounds write in bnxt_alloc_vf_resources() Message-ID: <20260406181101.10b1ddee@kernel.org> In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 31 Mar 2026 17:57:10 +0800 Junrui Luo wrote: > bnxt_alloc_vf_resources() derives the number of DMA pages for VF HWRM > command buffers from num_vfs and stores them in the fixed-size arrays > hwrm_cmd_req_addr[4] and hwrm_cmd_req_dma_addr[4]. The vf_event_bmap > bitmap is similarly fixed at 128 bits. > > If num_vfs exceeds 128, the allocation loop writes past the arrays, > corrupting adjacent fields in bnxt_pf_info. > > Add BNXT_MAX_VFS to cap num_vfs at 128, matching the existing array and > bitmap capacity. > > Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") > Reported-by: Yuhao Jiang > Cc: stable@vger.kernel.org > Signed-off-by: Junrui Luo Quick Google search reveals that BCM957608 is supposed to support 1k VFs so I suspect Broadcom may be scrambling for a real fix here. I'll drop this from patchwork. Michael, if my hunch is correct please make sure to credit the reporter. If you just need more time to validate - please take this in and repost once ready. patches older than 1 week "fall out" of our patch tracking :(