> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of Przemek Kitszel
> Sent: Monday, May 4, 2026 3:09 PM
> To: Schmidt, Michal <[email protected]>
> Cc: [email protected]; [email protected]; Andrew Lunn
>     <[email protected]>; Eric Dumazet <[email protected]>; Nguyen,
>     Anthony L <[email protected]>; [email protected]; Keller, Jacob
>     E <[email protected]>; Jakub Kicinski <[email protected]>; Paolo Abeni
>     <[email protected]>; David S. Miller <[email protected]>
> Subject: Re: [Intel-wired-lan] [PATCH net] ice: fix stats array overflow when VF requests more queues
>
> On 4/27/26 17:18, Michal Schmidt wrote:
> > When a VF increases its queue count via VIRTCHNL_OP_REQUEST_QUEUES,
> > ice_vc_request_qs_msg() sets vf->num_req_qs and triggers a VF reset.
> > The reset calls ice_vf_reconfig_vsi(), which does ice_vsi_decfg()
> > followed by ice_vsi_cfg(). ice_vsi_decfg() does not free the per-ring
> > stats arrays. Inside ice_vsi_cfg_def(), ice_vsi_set_num_qs() updates
> > alloc_txq/alloc_rxq to the new larger value, but
> > ice_vsi_alloc_stat_arrays() returns early because the stats already
> > exist. ice_vsi_alloc_ring_stats() then iterates using the new larger
> > alloc_txq and writes beyond the bounds of the old, smaller
> > tx_ring_stats/rx_ring_stats pointer arrays, corrupting adjacent SLUB
> > metadata.
> >
> > KASAN detects the bug:
> > [...]
> >
> > ice_vsi_rebuild() handles this correctly by calling
> > ice_vsi_realloc_stat_arrays() before reconfiguration, but
> > ice_vf_reconfig_vsi() was missing this call.
> >
> > Fix by calling ice_vsi_realloc_stat_arrays() in ice_vf_reconfig_vsi()
> > before ice_vsi_decfg(), mirroring the ice_vsi_rebuild() pattern. Set
> > vsi->req_txq/req_rxq from vf->num_req_qs so the realloc function knows
> > the target array size.
> >
> > See the linked RHEL Jira item for a reproducer.
> > > > Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with > > ice_vf_reconfig_vsi()") > > Closes: https://redhat.atlassian.net/browse/RHEL-164321 > > Signed-off-by: Michal Schmidt <[email protected]> > > I have an unpublished fix for the same issue, but your patch is smaller, and > thus > more suitable for net- > > Reviewed-by: Przemek Kitszel <[email protected]> > > thank you > > > Assisted-by: Claude:claude-opus-4-6 semcode > > --- > > drivers/net/ethernet/intel/ice/ice_lib.c | 2 +- > > drivers/net/ethernet/intel/ice/ice_lib.h | 1 + > > drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 +++++++ > > 3 files changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c > > b/drivers/net/ethernet/intel/ice/ice_lib.c > > index 837b71b7b2b7..fc78176a2a8d 100644 > > --- a/drivers/net/ethernet/intel/ice/ice_lib.c > > +++ b/drivers/net/ethernet/intel/ice/ice_lib.c > > @@ -3015,7 +3015,7 @@ ice_vsi_rebuild_set_coalesce(struct ice_vsi *vsi,
Tested-by: Rafal Romanowski <[email protected]>
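
The stale-array condition described in the commit message, modeled in C as an added example (not code from the patch or the ice driver): the struct, the function names and the `stats_len` field are hypothetical, and out-of-bounds slots are counted rather than written. The model's realloc helper only grows the array.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the VSI state; not the ice driver's struct. */
struct model_vsi {
    unsigned alloc_txq, req_txq; /* current and requested queue counts */
    unsigned stats_len;          /* true array length (model-only bookkeeping) */
    void **tx_ring_stats;        /* per-ring stats pointer array */
};

/* Early return when the array already exists, as the commit message describes. */
static int alloc_stat_arrays(struct model_vsi *v)
{
    if (v->tx_ring_stats)
        return 0;
    v->tx_ring_stats = calloc(v->alloc_txq, sizeof(*v->tx_ring_stats));
    v->stats_len = v->tx_ring_stats ? v->alloc_txq : 0;
    return v->tx_ring_stats ? 0 : -1;
}

/* Grow the array to req_txq before reconfiguration (grow-only in this model). */
static int realloc_stat_arrays(struct model_vsi *v)
{
    if (v->req_txq <= v->stats_len)
        return 0;
    void **p = realloc(v->tx_ring_stats, v->req_txq * sizeof(*p));
    if (!p)
        return -1;
    memset(p + v->stats_len, 0, (v->req_txq - v->stats_len) * sizeof(*p));
    v->tx_ring_stats = p;
    v->stats_len = v->req_txq;
    return 0;
}

/* Returns how many slots past the array end the ring-stats loop would write. */
int reconfig_oob_slots(unsigned old_qs, unsigned new_qs, int with_fix)
{
    struct model_vsi v = { .alloc_txq = old_qs, .req_txq = new_qs };
    int oob = 0;
    if (alloc_stat_arrays(&v) || (with_fix && realloc_stat_arrays(&v)))
        return free(v.tx_ring_stats), -1;
    v.alloc_txq = new_qs;  /* queue count moves to the new, larger value */
    alloc_stat_arrays(&v); /* no-op: the array already exists */
    for (unsigned i = 0; i < v.alloc_txq; i++)
        oob += (i >= v.stats_len); /* the driver would write this slot */
    free(v.tx_ring_stats);
    return oob;
}

int main(void) { return reconfig_oob_slots(4, 16, 1) != 0; } /* exit 0: fixed path in bounds */
```

Passing `with_fix = 0` reproduces the ordering in which the queue count grows while the pointer array keeps its old length; shrinking the queue count never leaves the array too small in either mode.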
