From: Przemek Kitszel
To: intel-wired-lan@lists.osuosl.org, Michal Schmidt, Jakub Kicinski
Cc: netdev@vger.kernel.org, Tony Nguyen, Aleksandr Loktionov, Andrew Lunn, "David S. Miller", Eric Dumazet, Paolo Abeni, Jedrzej Jagielski, Piotr Kwapulinski, Przemek Kitszel
Subject: [PATCH iwl-net 2/2] ice: fix stats array overflow via proper realloc
Date: Wed, 1 Jul 2026 12:41:03 +0200
Message-ID: <20260701104141.9740-2-przemyslaw.kitszel@intel.com>
In-Reply-To: <20260701104141.9740-1-przemyslaw.kitszel@intel.com>
References: <20260701104141.9740-1-przemyslaw.kitszel@intel.com>

Integrate ice_vsi_alloc_stat_arrays() with realloc variant.

Instead of keeping two functions for stat arrays allocation, change the
ice_vsi_realloc_stat_arrays() to handle initial condition (no vsi_stat
entry) and replace ice_vsi_alloc_stat_arrays() by the more generic
ice_vsi_realloc_stat_arrays().

Note that VSIs of ICE_VSI_CHNL type are ignored in realloc variant as
they were in the replaced ice_vsi_alloc_stat_arrays().

This is a fix for stats array overflow that occurs when VF is given more
queues (an operation that will be more frequent, and by bigger increase,
when we will merge my "XLVF" series).

Splat for increasing number of queues thanks to Michal Schmidt:
KASAN detects the bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x385/0x4a0 [ice]
Read of size 8 at addr ffff88810affea60 by task kworker/u131:7/221

CPU: 24 UID: 0 PID: 221 Comm: kworker/u131:7 Not tainted 7.1.0-rc1+ #1 PREEMPT(lazy)
...
Workqueue: ice ice_service_task [ice]
Call Trace:
 ...
 kasan_report+0xd7/0x120
 ice_vsi_alloc_ring_stats+0x385/0x4a0 [ice]
 ice_vsi_cfg_def+0x12e2/0x2060 [ice]
 ice_vsi_cfg+0xb5/0x3c0 [ice]
 ice_reset_vf+0x858/0xf80 [ice]
 ice_vc_request_qs_msg+0x1da/0x290 [ice]
 ice_vc_process_vf_msg+0xb15/0x1430 [ice]
 __ice_clean_ctrlq+0x70d/0x9d0 [ice]
 ice_service_task+0x840/0xf20 [ice]
 process_one_work+0x690/0xff0
 worker_thread+0x4d9/0xd20
 kthread+0x322/0x410
 ret_from_fork+0x332/0x660
 ret_from_fork_asm+0x1a/0x30

Allocated by task 2439:
 kasan_save_stack+0x1c/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0x96/0xb0
 __kmalloc_noprof+0x1d8/0x580
 ice_vsi_cfg_def+0x115c/0x2060 [ice]
 ice_vsi_cfg+0xb5/0x3c0 [ice]
 ice_vsi_setup+0x180/0x320 [ice]
 ice_start_vfs+0x1f3/0x590 [ice]
 ice_ena_vfs+0x66d/0x798 [ice]
 ice_sriov_configure.cold+0xe4/0x121 [ice]
 sriov_numvfs_store+0x279/0x480
 kernfs_fop_write_iter+0x331/0x4f0
 vfs_write+0x4c4/0xe40
 ksys_write+0x10c/0x240
 do_syscall_64+0xd9/0x650
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The buggy address belongs to the object at ffff88810affea40
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes to the right of
 allocated 32-byte region [ffff88810affea40, ffff88810affea60)

Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()")
Closes: https://redhat.atlassian.net/browse/RHEL-164321
Signed-off-by: Przemek Kitszel
---
This is an alternative to the fix [1] by Michal Schmidt, which was
blocked due to AI feedback. My fix was already developed before Michal's,
just not public back then. We have agreed to go on with my version.

[1] https://lore.kernel.org/netdev/20260520183501.3360810-3-anthony.l.nguyen@intel.com
---
 drivers/net/ethernet/intel/ice/ice_lib.c | 57 +++++-------------------
 1 file changed, 11 insertions(+), 46 deletions(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c index e48ee5940f17..ae167b42c558 100644 --- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c @@ -513,51 +513,6 @@ static irqreturn_t ice_msix_clean_rings(int __always_unused irq, void *data) return IRQ_HANDLED; } -/** - * ice_vsi_alloc_stat_arrays - Allocate statistics arrays - * @vsi: VSI pointer - */ -static int ice_vsi_alloc_stat_arrays(struct ice_vsi *vsi) -{ - struct ice_vsi_stats *vsi_stat; - struct ice_pf *pf = vsi->back; - - if (vsi->type == ICE_VSI_CHNL) - return 0; - if (!pf->vsi_stats) - return -ENOENT; - - if (pf->vsi_stats[vsi->idx]) - /* realloc will happen in rebuild path */ - return 0; - - vsi_stat = kzalloc_obj(*vsi_stat); - if (!vsi_stat) - return -ENOMEM; - - vsi_stat->tx_ring_stats = - kzalloc_objs(*vsi_stat->tx_ring_stats, vsi->alloc_txq); - if (!vsi_stat->tx_ring_stats) - goto err_alloc_tx; - - vsi_stat->rx_ring_stats = - kzalloc_objs(*vsi_stat->rx_ring_stats, vsi->alloc_rxq); - if (!vsi_stat->rx_ring_stats) - goto err_alloc_rx; - - pf->vsi_stats[vsi->idx] = vsi_stat; - - return 0; - -err_alloc_rx: - kfree(vsi_stat->rx_ring_stats); -err_alloc_tx: - kfree(vsi_stat->tx_ring_stats); - kfree(vsi_stat); - pf->vsi_stats[vsi->idx] = NULL; - return -ENOMEM; -} - /** * ice_vsi_alloc_def - set default values for already allocated VSI * @vsi: ptr to VSI @@ -2319,7 +2274,17 @@ static int ice_vsi_realloc_stat_arrays(struct ice_vsi *vsi) u16 prev_txq = vsi->alloc_txq; u16 prev_rxq = vsi->alloc_rxq; + if (vsi->type == ICE_VSI_CHNL) + return 0; + vsi_stat = pf->vsi_stats[vsi->idx]; + if (!vsi_stat) { + vsi_stat = kzalloc_obj(*vsi_stat); + if (!vsi_stat) + return -ENOMEM; + + pf->vsi_stats[vsi->idx] = vsi_stat; + } if (req_txq < prev_txq) { for (int i = req_txq; i < prev_txq; i++) { @@ -2379,7 +2344,7 @@ static int ice_vsi_cfg_def(struct ice_vsi *vsi) return ret; /* allocate memory for Tx/Rx ring stat pointers */ - ret = ice_vsi_alloc_stat_arrays(vsi); + ret = ice_vsi_realloc_stat_arrays(vsi); if (ret) goto unroll_vsi_alloc; -- 2.54.0
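
Review bot: In the first hunk (removal of ice_vsi_alloc_stat_arrays()), the guard "if (!pf->vsi_stats) return -ENOENT;" is dropped, and the lines added to ice_vsi_realloc_stat_arrays() index pf->vsi_stats[vsi->idx] with no equivalent check visible in this patch. Now that the realloc variant is also the initial allocator, please either carry the NULL-table check over or say in the commit message why pf->vsi_stats is guaranteed to be set on every path that reaches ice_vsi_cfg_def().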
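
Review bot: In the ice_vsi_realloc_stat_arrays() hunk, "pf->vsi_stats[vsi->idx] = vsi_stat;" publishes a zeroed entry before its tx_ring_stats and rx_ring_stats arrays exist, while the removed function stored the pointer only after both arrays were allocated and reset it to NULL on failure. Please confirm that the error paths further down (not shown here) free the new entry and clear the slot, or move the assignment after the arrays are in place. Related: prev_txq and prev_rxq are still taken from vsi->alloc_txq and vsi->alloc_rxq for a fresh entry, so the "if (req_txq < prev_txq)" loop directly below would walk a NULL array if it is ever reached in the initial case; treating the previous counts as 0 when the entry was just created would make that impossible by construction.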
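
Review bot: At the ice_vsi_cfg_def() call site in the last hunk, the removed helper returned early for an existing entry with the comment "realloc will happen in rebuild path", so after this change any path that already calls ice_vsi_realloc_stat_arrays() on rebuild will run it a second time here. Please check whether that other call is now redundant and drop it or note why both are needed. The kernel-doc of ice_vsi_realloc_stat_arrays() and the comment "allocate memory for Tx/Rx ring stat pointers" above the call should also say that the function now creates the entry when none exists and skips ICE_VSI_CHNL.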
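
The pattern the commit message describes, as an added userspace example that is not part of the patch or of the ice driver: one routine both creates the per-queue stats pointer array and resizes it, so the array cannot stay at its old size when the queue count grows. All names (ring_stats, vsi_stats, stats_realloc, stats_get) are hypothetical, and calloc/realloc stand in for the kernel allocators.

```c
/* Userspace model, added for illustration; names are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct ring_stats { unsigned long pkts, bytes; };

struct vsi_stats {
	struct ring_stats **tx;  /* one pointer per Tx queue */
	unsigned int n_tx;       /* slots actually allocated */
};

/* Create or resize the pointer array to `req` slots. Handles the initial
 * case (*slot == NULL) as well as growing and shrinking. Returns 0 or -1. */
static int stats_realloc(struct vsi_stats **slot, unsigned int req)
{
	struct vsi_stats *vs = *slot;
	struct ring_stats **arr;

	if (!vs) {
		vs = calloc(1, sizeof(*vs));
		if (!vs)
			return -1;
	}
	/* Shrinking: release per-ring objects beyond the new size. */
	for (unsigned int i = req; i < vs->n_tx; i++) {
		free(vs->tx[i]);
		vs->tx[i] = NULL;
	}
	arr = realloc(vs->tx, (req ? req : 1) * sizeof(*arr));
	if (!arr) {
		if (!*slot)
			free(vs);  /* never publish a half-built entry */
		return -1;
	}
	/* Growing: new slots must read as "no ring stats yet". */
	if (req > vs->n_tx)
		memset(arr + vs->n_tx, 0, (req - vs->n_tx) * sizeof(*arr));
	vs->tx = arr;
	vs->n_tx = req;
	*slot = vs;  /* publish only once the entry is consistent */
	return 0;
}

/* Bounds-checked lookup; an unchecked read one slot past the end of the
 * array is the kind of access KASAN reports as slab-out-of-bounds. */
static struct ring_stats *stats_get(const struct vsi_stats *vs, unsigned int q)
{
	return (vs && q < vs->n_tx) ? vs->tx[q] : NULL;
}
```

With four slots of 8 bytes each the array occupies 32 bytes, which is consistent with the kmalloc-32 object and the read "0 bytes to the right" of it in the splat.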