eth: bnxt: fix out-of-range access of vnic_info array

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The bnxt_queue_{start | stop}() access vnic_info as much as allocated,
which indicates bp->nr_vnics.
So, it should not reach bp->vnic_info[bp->nr_vnics].

Fixes: 661958552eda ("eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20250316025837.939527-1-ap420073@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Taehee Yoo and committed by

Paolo Abeni 1 year ago 919f9f49 f653b608

+2 -2

1 changed file

expand all

drivers

net

ethernet

broadcom

bnxt

bnxt.c

+2 -2

drivers/net/ethernet/broadcom/bnxt/bnxt.c

··· 15651 15651 cpr = &rxr->bnapi->cp_ring; 15652 15652 cpr->sw_stats->rx.rx_resets++; 15653 15653 15654 - for (i = 0; i <= bp->nr_vnics; i++) { 15654 + for (i = 0; i < bp->nr_vnics; i++) { 15655 15655 vnic = &bp->vnic_info[i]; 15656 15656 15657 15657 rc = bnxt_hwrm_vnic_set_rss_p5(bp, vnic, true); ··· 15679 15679 struct bnxt_vnic_info *vnic; 15680 15680 int i; 15681 15681 15682 - for (i = 0; i <= bp->nr_vnics; i++) { 15682 + for (i = 0; i < bp->nr_vnics; i++) { 15683 15683 vnic = &bp->vnic_info[i]; 15684 15684 vnic->mru = 0; 15685 15685 bnxt_hwrm_vnic_update(bp, vnic,