Date: Tue, 27 Jan 2026 10:47:15 -0800
From: Jakub Kicinski
To: Bhargava Chenna Marreddy
Cc: pabeni@redhat.com, pavan.chebbi@broadcom.com, rahul-rg.gupta@broadcom.com, edumazet@google.com, ajit.khaparde@broadcom.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, vsrama-krishna.nemani@broadcom.com, andrew+netdev@lunn.ch, horms@kernel.org, davem@davemloft.net, michael.chan@broadcom.com, rajashekar.hudumula@broadcom.com, vikas.gupta@broadcom.com
Subject: Re: [v6,net-next,8/8] bng_en: Add support for TPA events
Message-ID: <20260127104715.7b552ad9@kernel.org>
References: <20260123193504.285573-9-bhargava.marreddy@broadcom.com> <20260127032255.3847218-2-kuba@kernel.org>

On Tue, 27 Jan 2026 23:28:46 +0530 Bhargava Chenna Marreddy wrote:
> > The agg_arr is allocated with MAX_SKB_FRAGS entries, but there is no
> > bounds check before writing to it. The bnxt driver has a BUG_ON guard
> > at this location:
> >
> >     BUG_ON(tpa_info->agg_count >= MAX_SKB_FRAGS);
> >
> > Is there a reason this check was omitted? While the check in
> > bnge_tpa_end() catches agg_bufs > MAX_SKB_FRAGS, that happens after
> > the aggregation completions have already been stored. If hardware
> > misbehaves and sends more aggregation completions than expected, could
> > this overflow agg_arr[]?
>
> We didn't include the BUG_ON as per this discussion,
> https://lore.kernel.org/netdev/20251225125229.GL11869@unreal/

Oh, interesting. I couldn't find it in the patch I assumed it's out of
context. Sounds like AI has imagined it again :|

> We plan to address this HW misbehavior using a recovery mechanism in a
> follow-up patch series.
> Please let me know if you agree with this plan.

IIUC you're referring to issues like "leaking" the ID which is then
recovered by doing a TPA / queue reset. I'm fine with deferring that.
Simple bugs like potential OOB memory accesses have to be handled.
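
Added example (not part of the thread, and not code from the bng_en or bnxt drivers): a userspace C model of the bounds check discussed above, applied at the point where each aggregation completion is stored instead of only at TPA end, and refusing the write without a BUG_ON(). The struct layouts, function names, the needs_reset flag and the MAX_SKB_FRAGS value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SKB_FRAGS 17	/* constructed value for this model */

struct agg_cmpl { uint32_t opaque; uint16_t len; };	/* hypothetical layout */

struct tpa_info_model {
	struct agg_cmpl agg_arr[MAX_SKB_FRAGS];
	uint32_t canary;	/* would be clobbered by a write past agg_arr[] */
	uint16_t agg_count;
	bool needs_reset;	/* hypothetical hand-off to a recovery path */
};

/* Store one aggregation completion; refuse it rather than write out of bounds. */
static int tpa_agg_store(struct tpa_info_model *t, const struct agg_cmpl *c)
{
	if (t->agg_count >= MAX_SKB_FRAGS) {
		t->needs_reset = true;	/* drop the completion, keep running */
		return -1;
	}
	t->agg_arr[t->agg_count++] = *c;
	return 0;
}

/* Deliver n completions, as misbehaving hardware might; return how many were refused. */
static int feed(struct tpa_info_model *t, int n)
{
	int refused = 0;
	for (int i = 0; i < n; i++) {
		struct agg_cmpl c = { .opaque = (uint32_t)i, .len = 64 };
		if (tpa_agg_store(t, &c) < 0)
			refused++;
	}
	return refused;
}

int main(void)
{
	struct tpa_info_model t = { .canary = 0xC0FFEE };
	int refused = feed(&t, MAX_SKB_FRAGS + 3);
	printf("stored=%u refused=%d reset=%d canary_ok=%d\n",
	       (unsigned)t.agg_count, refused, t.needs_reset, t.canary == 0xC0FFEE);
	return 0;
}
```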