lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANXQDtZr8-_hVARZyt9xZR-ej8fTZNc-pvg4r3fAPB1ActM2fw@mail.gmail.com>
Date: Tue, 27 Jan 2026 23:28:46 +0530
From: Bhargava Chenna Marreddy <bhargava.marreddy@...adcom.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: pabeni@...hat.com, pavan.chebbi@...adcom.com, rahul-rg.gupta@...adcom.com, 
	edumazet@...gle.com, ajit.khaparde@...adcom.com, linux-kernel@...r.kernel.org, 
	netdev@...r.kernel.org, vsrama-krishna.nemani@...adcom.com, 
	andrew+netdev@...n.ch, horms@...nel.org, davem@...emloft.net, 
	michael.chan@...adcom.com, rajashekar.hudumula@...adcom.com, 
	vikas.gupta@...adcom.com
Subject: Re: [v6,net-next,8/8] bng_en: Add support for TPA events

On Tue, Jan 27, 2026 at 8:53 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
>
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> bng_en: Add support for TPA events
>
> This commit enables TPA (Transport Protocol Aggregation) functionality
> in the VNIC and adds functions to handle TPA events for LRO/GRO
> processing.
>
> > +static void bnge_tpa_agg(struct bnge_net *bn, struct bnge_rx_ring_info *rxr,
> > +                      struct rx_agg_cmp *rx_agg)
> > +{
> > +     u16 agg_id = TPA_AGG_AGG_ID(rx_agg);
> > +     struct bnge_tpa_info *tpa_info;
> > +
> > +     agg_id = bnge_lookup_agg_idx(rxr, agg_id);
> > +     tpa_info = &rxr->rx_tpa[agg_id];
> > +
> > +     tpa_info->agg_arr[tpa_info->agg_count++] = *rx_agg;
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> The agg_arr is allocated with MAX_SKB_FRAGS entries, but there is no
> bounds check before writing to it. The bnxt driver has a BUG_ON guard
> at this location:
>
>     BUG_ON(tpa_info->agg_count >= MAX_SKB_FRAGS);
>
> Is there a reason this check was omitted? While the check in
> bnge_tpa_end() catches agg_bufs > MAX_SKB_FRAGS, that happens after
> the aggregation completions have already been stored. If hardware
> misbehaves and sends more aggregation completions than expected, could
> this overflow agg_arr[]?

We didn't include the BUG_ON as per this discussion,
https://lore.kernel.org/netdev/20251225125229.GL11869@unreal/

We plan to address this HW misbehavior using a recovery mechanism in a
follow-up patch series.
Please let me know if you agree with this plan.

Thanks,
Bhargava Marreddy

>
> > +}
> --
> pw-bot: cr

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5496 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ