From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, "Eran Ben Elisha", Feng Liu, Cosmin Ratiu, Gal Pressman, Simon Horman, Alexei Lazar, Nimrod Oren, Carolina Jubran, Kees Cook, Lama Kayal, Eran Ben Elisha, Saeed Mahameed, Haiyang Zhang, Joe Damato
Subject: [PATCH net 1/4] net/mlx5e: Fix HV VHCA stats zero-sized buffer allocation
Date: Thu, 4 Jun 2026 16:50:38 +0300
Message-ID: <20260604135041.455754-2-tariqt@nvidia.com>
In-Reply-To: <20260604135041.455754-1-tariqt@nvidia.com>
References: <20260604135041.455754-1-tariqt@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Feng Liu

mlx5e_hv_vhca_stats_create() is called from mlx5e_nic_enable(), before mlx5e_open(). At that point priv->stats_nch is still zero, because it is only ever incremented in mlx5e_channel_stats_alloc(), which is reached only from mlx5e_open_channel().

mlx5e_hv_vhca_stats_buf_size() therefore returns 0, and kvzalloc(0, GFP_KERNEL) returns ZERO_SIZE_PTR ((void *)16) rather than NULL. The "if (!buf)" guard does not catch this, and mlx5e_hv_vhca_stats_create() completes "successfully" with priv->stats_agent.buf set to ZERO_SIZE_PTR.

Once channels are opened (priv->stats_nch > 0) and the hypervisor enables stats reporting, mlx5e_hv_vhca_stats_work() recomputes buf_len using the new non-zero stats_nch and calls memset(buf, 0, buf_len) on ZERO_SIZE_PTR, faulting at address 0x10.

Allocate the buffer based on priv->max_nch, which is set in mlx5e_priv_init() and is the upper bound on stats_nch:

- Add a separate helper mlx5e_hv_vhca_stats_buf_max_size() that returns sizeof(per_ring_stats) * max(max_nch, stats_nch), and use it for the kvzalloc() in mlx5e_hv_vhca_stats_create().
- Keep mlx5e_hv_vhca_stats_buf_size() (which returns based on stats_nch) for the worker's active payload size, so the wire format (block->rings = stats_nch) and the amount of data filled by mlx5e_hv_vhca_fill_stats() are unchanged.

The max(max_nch, stats_nch) guard handles the rare case where mlx5e_attach_netdev() recomputes max_nch downward across a detach/resume cycle while priv->stats_nch persists (mlx5e_detach_netdev does not call mlx5e_priv_cleanup, so stats_nch is only reset when the netdev is destroyed). Without the guard, the worker could compute buf_len from stats_nch and overrun the smaller buffer allocated based on the reduced max_nch.

This mirrors the existing mlx5e pattern of preallocating arrays of size max_nch (e.g. priv->channel_stats) and lazily populating entries up to stats_nch on demand.

Fixes: fa691d0c9c08 ("net/mlx5e: Allocate per-channel stats dynamically at = first usage") Signed-off-by: Feng Liu Reviewed-by: Eran Ben Elisha Signed-off-by: Tariq Toukan Reviewed-by: Jacob Keller --- .../net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c b/d= rivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c index 195863b2c013..06cbd49d4e98 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c @@ -54,6 +54,12 @@ static int mlx5e_hv_vhca_stats_buf_size(struct mlx5e_pri= v *priv) priv->stats_nch); } =20 +static int mlx5e_hv_vhca_stats_buf_max_size(struct mlx5e_priv *priv) +{ + return (sizeof(struct mlx5e_hv_vhca_per_ring_stats) * + max(priv->max_nch, priv->stats_nch)); +} + static void mlx5e_hv_vhca_stats_work(struct work_struct *work) { struct mlx5e_hv_vhca_stats_agent *sagent; 
@@ -122,7 +128,7 @@ static void mlx5e_hv_vhca_stats_cleanup(struct mlx5_hv_= vhca_agent *agent) =20 void mlx5e_hv_vhca_stats_create(struct mlx5e_priv *priv) { - int buf_len =3D mlx5e_hv_vhca_stats_buf_size(priv); + int buf_len =3D mlx5e_hv_vhca_stats_buf_max_size(priv); struct mlx5_hv_vhca_agent *agent; =20 priv->stats_agent.buf =3D kvzalloc(buf_len, GFP_KERNEL); --=20 2.44.0
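
Review bot: mlx5e_hv_vhca_stats_buf_max_size(), added in the first hunk, has no comment saying why it takes max(priv->max_nch, priv->stats_nch) rather than priv->max_nch alone, and it returns int although the value is a sizeof() product passed to kvzalloc(). The detach/resume reasoning lives only in the commit message; a short comment above the helper would keep a later cleanup from dropping the max(). Returning size_t would also avoid narrowing the product.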
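
Review bot: in the mlx5e_hv_vhca_stats_create() hunk, buf_len still goes to kvzalloc() with no zero check, so the fix depends on priv->max_nch being non-zero when this runs. If buf_len is ever 0 again, the allocation returns ZERO_SIZE_PTR and the "if (!buf)" guard described in the commit message misses it in the same way. Consider an early return on buf_len == 0 or testing the result with ZERO_OR_NULL_PTR(), and recording the allocated length in stats_agent so the worker can clamp its memset() length against it.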

From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, "Eran Ben Elisha", Feng Liu, Cosmin Ratiu, Gal Pressman, Simon Horman, Alexei Lazar, Nimrod Oren, Carolina Jubran, Kees Cook, Lama Kayal, Eran Ben Elisha, Saeed Mahameed, Haiyang Zhang, Joe Damato
Subject: [PATCH net 2/4] net/mlx5e: Fix HV VHCA stats agent registration race
Date: Thu, 4 Jun 2026 16:50:39 +0300
Message-ID: <20260604135041.455754-3-tariqt@nvidia.com>
In-Reply-To: <20260604135041.455754-1-tariqt@nvidia.com>
References: <20260604135041.455754-1-tariqt@nvidia.com>

From: Feng Liu

mlx5e_hv_vhca_stats_create() registers the stats agent through mlx5_hv_vhca_agent_create(). The helper publishes the agent in hv_vhca->agents[type] under agents_lock and immediately schedules an asynchronous control invalidation on the HV VHCA workqueue before returning to mlx5e.

The asynchronous invalidation invokes the control agent's invalidate callback, which reads the hypervisor control block and forwards the command to mlx5e_hv_vhca_stats_control(). That callback may either:

- call cancel_delayed_work_sync(&priv->stats_agent.work), or
- call queue_delayed_work(priv->wq, &sagent->work, sagent->delay).

However, the delayed_work and priv->stats_agent.agent are only initialized after mlx5_hv_vhca_agent_create() returns to mlx5e:

    agent = mlx5_hv_vhca_agent_create(...);          /* publish + invalidate */
    ...
    priv->stats_agent.agent = agent;                 /* too late */
    INIT_DELAYED_WORK(&priv->stats_agent.work, ...); /* too late */

If the asynchronous control path runs before the two assignments above, it can:

- Operate on an uninitialized delayed_work whose timer.function is NULL. queue_delayed_work() calls add_timer() unconditionally, so when the timer expires the timer softirq invokes a NULL function pointer.
- Re-initialize the timer later through INIT_DELAYED_WORK() while the timer is already enqueued in the timer wheel, corrupting the hlist (entry.pprev cleared while the previous bucket node still points at this entry).
- When the worker eventually runs, mlx5e_hv_vhca_stats_work() reads sagent->agent (NULL) and dereferences it inside mlx5_hv_vhca_agent_write().

Fix this by:

- Initializing priv->stats_agent.work before invoking mlx5_hv_vhca_agent_create(), so the work is always in a valid state when the control callback observes it.
- Adding a struct mlx5_hv_vhca_agent **ctx_update out-parameter to mlx5_hv_vhca_agent_create().
The helper writes the agent pointer to *ctx_update before publishing into hv_vhca->agents[] and triggering the agents_update flow, so any callback subsequently invoked from that flow already sees a valid priv->stats_agent.agent. This avoids having the control callback participate in agent initialization. While at it, clear priv->stats_agent.{agent,buf} after teardown and on the agent_create() failure path. Without this, an enable/disable cycle hitting an early-return in create can lead to a UAF or double-destroy of stale pointers from the previous cycle. Fixes: cef35af34d6d ("net/mlx5e: Add mlx5e HV VHCA stats agent") Signed-off-by: Feng Liu Reviewed-by: Eran Ben Elisha Signed-off-by: Tariq Toukan Reviewed-by: Jacob Keller --- .../mellanox/mlx5/core/en/hv_vhca_stats.c | 22 ++++++++++++------- .../ethernet/mellanox/mlx5/core/lib/hv_vhca.c | 8 +++++-- .../ethernet/mellanox/mlx5/core/lib/hv_vhca.h | 6 +++-- 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c b/d= rivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c index 06cbd49d4e98..2e495442a547 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c @@ -73,7 +73,7 @@ static void mlx5e_hv_vhca_stats_work(struct work_struct *= work) sagent =3D container_of(dwork, struct mlx5e_hv_vhca_stats_agent, work); priv =3D container_of(sagent, struct mlx5e_priv, stats_agent); buf_len =3D mlx5e_hv_vhca_stats_buf_size(priv); - agent =3D sagent->agent; + agent =3D READ_ONCE(sagent->agent); buf =3D sagent->buf; =20 memset(buf, 0, buf_len); 
@@ -135,11 +135,14 @@ void mlx5e_hv_vhca_stats_create(struct mlx5e_priv *pr= iv) if (!priv->stats_agent.buf) return; =20 + INIT_DELAYED_WORK(&priv->stats_agent.work, mlx5e_hv_vhca_stats_work); + agent =3D mlx5_hv_vhca_agent_create(priv->mdev->hv_vhca, MLX5_HV_VHCA_AGENT_STATS, mlx5e_hv_vhca_stats_control, NULL, mlx5e_hv_vhca_stats_cleanup, - priv); + priv, + &priv->stats_agent.agent); =20 if (IS_ERR_OR_NULL(agent)) { if (IS_ERR(agent)) @@ -148,18 +151,21 @@ void mlx5e_hv_vhca_stats_create(struct mlx5e_priv *pr= iv) agent); =20 kvfree(priv->stats_agent.buf); - return; + priv->stats_agent.buf =3D NULL; } - - priv->stats_agent.agent =3D agent; - INIT_DELAYED_WORK(&priv->stats_agent.work, mlx5e_hv_vhca_stats_work); } =20 void mlx5e_hv_vhca_stats_destroy(struct mlx5e_priv *priv) { - if (IS_ERR_OR_NULL(priv->stats_agent.agent)) + struct mlx5_hv_vhca_agent *agent; + + agent =3D READ_ONCE(priv->stats_agent.agent); + if (IS_ERR_OR_NULL(agent)) return; =20 - mlx5_hv_vhca_agent_destroy(priv->stats_agent.agent); + mlx5_hv_vhca_agent_destroy(agent); kvfree(priv->stats_agent.buf); + + WRITE_ONCE(priv->stats_agent.agent, NULL); + priv->stats_agent.buf =3D NULL; } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.c b/driver= s/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.c index d6dc7bce855e..305752dab7bd 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.c @@ -190,7 +190,7 @@ mlx5_hv_vhca_control_agent_create(struct mlx5_hv_vhca *= hv_vhca) return mlx5_hv_vhca_agent_create(hv_vhca, MLX5_HV_VHCA_AGENT_CONTROL, NULL, mlx5_hv_vhca_control_agent_invalidate, - NULL, NULL); + NULL, NULL, NULL); } =20 static void mlx5_hv_vhca_control_agent_destroy(struct mlx5_hv_vhca_agent *= agent) 
@@ -256,7 +256,8 @@ mlx5_hv_vhca_agent_create(struct mlx5_hv_vhca *hv_vhca, void (*invalidate)(struct mlx5_hv_vhca_agent*, u64 block_mask), void (*cleaup)(struct mlx5_hv_vhca_agent *agent), - void *priv) + void *priv, + struct mlx5_hv_vhca_agent **ctx_update) { struct mlx5_hv_vhca_agent *agent; =20 @@ -284,6 +285,9 @@ mlx5_hv_vhca_agent_create(struct mlx5_hv_vhca *hv_vhca, agent->invalidate =3D invalidate; agent->cleanup =3D cleaup; =20 + if (ctx_update) + WRITE_ONCE(*ctx_update, agent); + mutex_lock(&hv_vhca->agents_lock); hv_vhca->agents[type] =3D agent; mutex_unlock(&hv_vhca->agents_lock); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.h b/driver= s/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.h index f240ffe5116c..8b3974cf0ee4 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/hv_vhca.h @@ -43,7 +43,8 @@ mlx5_hv_vhca_agent_create(struct mlx5_hv_vhca *hv_vhca, void (*invalidate)(struct mlx5_hv_vhca_agent*, u64 block_mask), void (*cleanup)(struct mlx5_hv_vhca_agent *agent), - void *context); + void *context, + struct mlx5_hv_vhca_agent **ctx_update); =20 void mlx5_hv_vhca_agent_destroy(struct mlx5_hv_vhca_agent *agent); int mlx5_hv_vhca_agent_write(struct mlx5_hv_vhca_agent *agent, 
@@ -84,7 +85,8 @@ mlx5_hv_vhca_agent_create(struct mlx5_hv_vhca *hv_vhca, void (*invalidate)(struct mlx5_hv_vhca_agent*, u64 block_mask), void (*cleanup)(struct mlx5_hv_vhca_agent *agent), - void *context) + void *context, + struct mlx5_hv_vhca_agent **ctx_update) { return NULL; } --=20 2.44.0
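
Review bot: in mlx5e_hv_vhca_stats_work() (hunk at -73,7) only sagent->agent is loaded with READ_ONCE(); sagent->buf on the next line is still a plain load, and neither pointer is checked before memset() and the later write, although mlx5e_hv_vhca_stats_destroy() now sets both to NULL. If the work is guaranteed to be cancelled before destroy clears the fields, state that in a comment next to the loads; otherwise the worker needs a NULL check on both pointers.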
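
Review bot: the failure branch of mlx5e_hv_vhca_stats_create() (hunk at -148,18) sets priv->stats_agent.buf to NULL but does not touch priv->stats_agent.agent, while the commit message says both are cleared on the agent_create() failure path. Either add WRITE_ONCE(priv->stats_agent.agent, NULL) in that branch, so a stale or partially published pointer cannot reach mlx5e_hv_vhca_stats_destroy(), or correct the message to match the code.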
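
Review bot: the new ctx_update parameter of mlx5_hv_vhca_agent_create() carries an ordering contract (the caller's pointer is written before the agent is stored in hv_vhca->agents[]) that is stated only in the commit message. Please document it at the WRITE_ONCE() in hv_vhca.c or at the prototype in hv_vhca.h, including that NULL is accepted, as the control agent passes it. The definition in hv_vhca.c also still names the callback parameter "cleaup" where the header uses "cleanup"; worth correcting while the signature changes.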
header.d=Nvidia.com header.i=@Nvidia.com header.b="c+Ky7cjZ" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ybGqwUCTaWEpLPlNz4vh4E6KGT9fDbcsiC/QRP+x81I5XGEBBlnbuf3WY7xCMt2NaBez7diI0znHFtsYAPPtMK44mhTQ2UzHM28xK/HvG2WHPpPmIQ03pGEK82DAeKzk/qQUmaEriDY+wP8+SAilDFZZPQysbMxSKWHFLh2G/CiaAAHoaAvBOqj9NNFB+W8yqbY8fcqYgDDDujEJRdIMtEaXXKmtVine18Xx73Y25ZcPCdQrczZPFdXQYUjsyfuVMTUCDyfuo4HfEnSOl+XoM9FOMHTUheyl/pR9byh7cb66TO3MdlJUzf630CcgVo1xeNp/zpZv7obdWnhIMmbHOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DNKrBYStiWSZP+zyG2In9c8w+YSrOQLbIhHJrRpTkyY=; b=aT4utAlorqZPz/tZdff7/FY2aA+xYqmM35VTUKu93JGFCgka2NgOCa9Mgg3wZyY3c7K8gO6SFcByy6yns1q06UdyCQHNAe5IqFZ3dKGBmZfOYYBdSPNagDlky2x0Kla3P3yp++8XiiPfLsjadeq8JE2OTLRtcKIj6ygwJiISJDF8CqaCf0RmusF84E6d1K8SbWipf+nucFRTBLwqEYkhjYasX+piCYrucT66O95lPgaJow8rWY8FH4c/0uvLWsWOGToLQ98HsR6tH0prGBl+KIkEbF8CR5p1MqHeHPlkT29RcxYgsMRc/tQEOR4S2KvlaktPAcPK5dOtnybnGPhIRQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=google.com smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DNKrBYStiWSZP+zyG2In9c8w+YSrOQLbIhHJrRpTkyY=; b=c+Ky7cjZgNQTkrcf8xYxSrsMMr1atCbRcWLQhw6vB07k6MB6+XtgfUxxcYLXBd9VHBNHcgbTqaLidJRNPuaca12hfdhnCsoNEkbt1VwO7cmhh1XhTMfyUzPLyPzGq9/7fTOsF5kpKXslSUd7Sm7kX+RSwZcgwyk1WwsQQuZDzJvGwOxFwth1d+ozBeC6JPcg5evzvljxMC/1UgUO63Q8CtjkF3gceUBBWX+qsUWMfpW5DMbqkPp+OnHURKW21a9goeCk7CgVjYm3gVBcfQemgEPYoJyWeBKKVrHHioZH4buyIsyuGXBLbUr7lQcESkkZE6p/KvYOPz0ch8IITKRXKQ== Received: 
from PH0PR07CA0072.namprd07.prod.outlook.com (2603:10b6:510:f::17) by SJ2PR12MB8832.namprd12.prod.outlook.com (2603:10b6:a03:4d0::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.8; Thu, 4 Jun 2026 13:52:04 +0000 Received: from SN1PEPF00036F3E.namprd05.prod.outlook.com (2603:10b6:510:f:cafe::35) by PH0PR07CA0072.outlook.office365.com (2603:10b6:510:f::17) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.92.8 via Frontend Transport; Thu, 4 Jun 2026 13:52:04 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SN1PEPF00036F3E.mail.protection.outlook.com (10.167.248.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Thu, 4 Jun 2026 13:52:04 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 4 Jun 2026 06:51:48 -0700 Received: from rnnvmail202.nvidia.com (10.129.68.7) by rnnvmail204.nvidia.com (10.129.68.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 4 Jun 2026 06:51:48 -0700 Received: from vdi.nvidia.com (10.127.8.10) by mail.nvidia.com (10.129.68.7) with Microsoft SMTP Server id 15.2.2562.20 via Frontend Transport; Thu, 4 Jun 2026 06:51:41 -0700 
From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, "Eran Ben Elisha", Feng Liu, Cosmin Ratiu, Gal Pressman, Simon Horman, Alexei Lazar, Nimrod Oren, Carolina Jubran, Kees Cook, Lama Kayal, Eran Ben Elisha, Saeed Mahameed, Haiyang Zhang, Joe Damato
Subject: [PATCH net 3/4] net/mlx5e: Bounds-check stats_nch in mlx5e_get_queue_stats_rx()
Date: Thu, 4 Jun 2026 16:50:40 +0300
Message-ID: <20260604135041.455754-4-tariqt@nvidia.com>
In-Reply-To: <20260604135041.455754-1-tariqt@nvidia.com>
References: <20260604135041.455754-1-tariqt@nvidia.com>

From: Feng Liu

mlx5e_get_queue_stats_rx() is invoked by the netdev stats core with an
RX queue index 'i' from real_num_rx_queues. Today it only guards
against priv->stats_nch == 0 and then dereferences
priv->channel_stats[i] unconditionally.

During interface bring-up channel_stats[] is populated incrementally by
mlx5e_channel_stats_alloc(), so a concurrent QSTATS netlink dump can
call into the helper with i >= stats_nch. The non-zero check passes,
channel_stats[i] is NULL, and the dereference panics.

Replace the non-zero check with an upper-bound check against stats_nch,
which subsumes the zero check and prevents the out-of-bounds
dereference.

Fixes: 7b66ae536a78 ("net/mlx5e: Add per queue netdev-genl stats")
Signed-off-by: Feng Liu
Reviewed-by: Eran Ben Elisha
Reviewed-by: Cosmin Ratiu
Reviewed-by: Nimrod Oren
Signed-off-by: Tariq Toukan Reviewed-by: Jacob Keller --- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/ne= t/ethernet/mellanox/mlx5/core/en_main.c index 8f2b3abe0092..42a658402592 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c 
@@ -5489,7 +5489,7 @@ static void mlx5e_get_queue_stats_rx(struct net_devic= e *dev, int i, struct mlx5e_rq_stats *xskrq_stats; struct mlx5e_rq_stats *rq_stats; =20 - if (mlx5e_is_uplink_rep(priv) || !priv->stats_nch) + if (mlx5e_is_uplink_rep(priv) || i >=3D priv->stats_nch) return; =20 channel_stats =3D priv->channel_stats[i]; --=20 2.44.0
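Review bot: In the mlx5e_get_queue_stats_rx() hunk of 3/4, the new test "i >= priv->stats_nch" is still a plain load of a field that, per the commit message, mlx5e_channel_stats_alloc() is advancing on another CPU during bring-up, so passing the bound does not by itself guarantee that channel_stats[i] is already visible. Patch 4/4 converts this read to an acquire load, but the two patches carry different Fixes: tags (7b66ae536a78 here, fa691d0c9c08 in 4/4), so a stable tree can pick up one without the other; please state in this commit message that the bound check depends on 4/4 for ordering. Separately, "i" is a signed int, and a one-line comment that the stats core never passes a negative index would make the lack of a lower-bound check intentional rather than implicit.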
From: Tariq Toukan
To: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Andrew Lunn, "David S. Miller"
CC: Saeed Mahameed, Leon Romanovsky, Tariq Toukan, Mark Bloch, "Eran Ben Elisha", Feng Liu, Cosmin Ratiu, Gal Pressman, Simon Horman, Alexei Lazar, Nimrod Oren, Carolina Jubran, Kees Cook, Lama Kayal, Eran Ben Elisha, Saeed Mahameed, Haiyang Zhang, Joe Damato
Subject: [PATCH net 4/4] net/mlx5e: Fix publication race for priv->channel_stats[]
Date: Thu, 4 Jun 2026 16:50:41 +0300
Message-ID: <20260604135041.455754-5-tariqt@nvidia.com>
In-Reply-To: <20260604135041.455754-1-tariqt@nvidia.com>
References: <20260604135041.455754-1-tariqt@nvidia.com>

From: Feng Liu

mlx5e_channel_stats_alloc() publishes a new entry to
priv->channel_stats[] and then increments priv->stats_nch as a
publication token, but neither store carries any memory barrier:

    priv->channel_stats[ix] = kvzalloc_node(...);
    if (!priv->channel_stats[ix])
            return -ENOMEM;
    priv->stats_nch++;

Concurrent readers compute the loop bound from priv->stats_nch and then
dereference priv->channel_stats[i] using plain accesses, e.g.

    for (i = 0; i < priv->stats_nch; i++) {
            struct mlx5e_channel_stats *cs = priv->channel_stats[i];
            ... cs->rq.packets ...
    }

On weakly-ordered architectures (ARM, PowerPC, RISC-V) the writes to
channel_stats[ix] and stats_nch may become visible to other CPUs out of
program order. A reader can observe stats_nch == N while still seeing
channel_stats[N-1] == NULL, leading to a NULL pointer dereference in
the channel_stats loop.

This has been observed in production on BlueField-3 DPUs (arm64), where
ovs-vswitchd queries netdev statistics over netlink during NIC bringup,
racing mlx5e_open_channel() -> mlx5e_channel_stats_alloc() on another
CPU:

    Unable to handle kernel NULL pointer dereference at virtual address 0x840
    Hardware name: BlueField-3 DPU
    pc : mlx5e_fold_sw_stats64+0x30/0x180 [mlx5_core]
    Call trace:
     mlx5e_fold_sw_stats64+0x30/0x180 [mlx5_core]
     dev_get_stats+0x50/0xc0
     ovs_vport_get_stats+0x38/0xac [openvswitch]
     ovs_vport_cmd_fill_info+0x194/0x290 [openvswitch]
     ovs_vport_cmd_get+0xbc/0x10c [openvswitch]
     genl_family_rcv_msg_doit+0xd0/0x160
     genl_rcv_msg+0xec/0x1f0
     netlink_rcv_skb+0x64/0x130
     genl_rcv+0x40/0x60
     netlink_unicast+0x2fc/0x370
     netlink_sendmsg+0x1dc/0x454
     ...
     __arm64_sys_sendmsg+0x2c/0x40

Order the stats_nch increment through smp_store_release() in the
writer, paired with smp_load_acquire() of stats_nch in every reader.
The release/acquire pair establishes the contract:

    stats_nch == N => channel_stats[0..N-1] are visible and non-NULL.

Update all readers of priv->stats_nch in mlx5e RX/TX queue stats,
mlx5e_get_base_stats(), ethtool channels stats, IPoIB stats, the
sw_stats fold and the HV VHCA stats agent to use smp_load_acquire().
mlx5e_channel_stats_alloc() (the writer, serialized by state_lock) and
mlx5e_priv_cleanup() (single-owner teardown) are intentionally not
modified.

Fixes: fa691d0c9c08 ("net/mlx5e: Allocate per-channel stats dynamically at first usage")
Signed-off-by: Feng Liu
Reviewed-by: Eran Ben Elisha
Reviewed-by: Cosmin Ratiu
Reviewed-by: Nimrod Oren
Signed-off-by: Tariq Toukan
Reviewed-by: Jacob Keller
--- drivers/net/ethernet/mellanox/mlx5/core/en.h | 12 ++++++++++++ .../mellanox/mlx5/core/en/hv_vhca_stats.c | 10 ++++++---- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------ .../net/ethernet/mellanox/mlx5/core/en_stats.c | 9 +++++---- .../net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 3 ++- 5 files changed, 34 insertions(+), 15 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/eth= ernet/mellanox/mlx5/core/en.h index 2270e2e550dd..d507289096c2 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h @@ -987,6 +987,18 @@ struct mlx5e_priv { struct ethtool_fec_hist_range *fec_ranges; }; =20 +static inline u16 mlx5e_stats_nch_read(const struct mlx5e_priv *priv) +{ + /* Pairs with smp_store_release in mlx5e_stats_nch_write(). */ + return smp_load_acquire(&priv->stats_nch); +} + +static inline void mlx5e_stats_nch_write(struct mlx5e_priv *priv, u16 n) +{ + /* Pairs with smp_load_acquire in mlx5e_stats_nch_read(). */ + smp_store_release(&priv->stats_nch, n); +} + struct mlx5e_dev { struct net_device *netdev; struct devlink_port dl_port; diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c b/d= rivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c index 2e495442a547..9747d7736d37 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c 
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/hv_vhca_stats.c @@ -33,9 +33,10 @@ mlx5e_hv_vhca_fill_ring_stats(struct mlx5e_priv *priv, i= nt ch, static void mlx5e_hv_vhca_fill_stats(struct mlx5e_priv *priv, void *data, int buf_len) { + u16 nch =3D mlx5e_stats_nch_read(priv); int ch, i =3D 0; =20 - for (ch =3D 0; ch < priv->stats_nch; ch++) { + for (ch =3D 0; ch < nch; ch++) { void *buf =3D data + i; =20 if (WARN_ON_ONCE(buf + @@ -50,8 +51,9 @@ static void mlx5e_hv_vhca_fill_stats(struct mlx5e_priv *p= riv, void *data, =20 static int mlx5e_hv_vhca_stats_buf_size(struct mlx5e_priv *priv) { - return (sizeof(struct mlx5e_hv_vhca_per_ring_stats) * - priv->stats_nch); + u16 nch =3D mlx5e_stats_nch_read(priv); + + return sizeof(struct mlx5e_hv_vhca_per_ring_stats) * nch; } =20 static int mlx5e_hv_vhca_stats_buf_max_size(struct mlx5e_priv *priv) @@ -106,7 +108,7 @@ static void mlx5e_hv_vhca_stats_control(struct mlx5_hv_= vhca_agent *agent, sagent =3D &priv->stats_agent; =20 block->version =3D MLX5_HV_VHCA_STATS_VERSION; - block->rings =3D priv->stats_nch; + block->rings =3D mlx5e_stats_nch_read(priv); =20 if (!block->command) { cancel_delayed_work_sync(&priv->stats_agent.work); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/ne= t/ethernet/mellanox/mlx5/core/en_main.c index 42a658402592..42ca7cb0eac1 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -2773,7 +2773,7 @@ static int mlx5e_channel_stats_alloc(struct mlx5e_pri= v *priv, int ix, int cpu) GFP_KERNEL, cpu_to_node(cpu)); if (!priv->channel_stats[ix]) return -ENOMEM; - priv->stats_nch++; + mlx5e_stats_nch_write(priv, priv->stats_nch + 1); =20 return 0; } 
@@ -4043,9 +4043,10 @@ static int mlx5e_setup_tc(struct net_device *dev, en= um tc_setup_type type, =20 void mlx5e_fold_sw_stats64(struct mlx5e_priv *priv, struct rtnl_link_stats= 64 *s) { + u16 nch =3D mlx5e_stats_nch_read(priv); int i; =20 - for (i =3D 0; i < priv->stats_nch; i++) { + for (i =3D 0; i < nch; i++) { struct mlx5e_channel_stats *channel_stats =3D priv->channel_stats[i]; struct mlx5e_rq_stats *xskrq_stats =3D &channel_stats->xskrq; struct mlx5e_rq_stats *rq_stats =3D &channel_stats->rq; @@ -5486,10 +5487,11 @@ static void mlx5e_get_queue_stats_rx(struct net_dev= ice *dev, int i, { struct mlx5e_priv *priv =3D netdev_priv(dev); struct mlx5e_channel_stats *channel_stats; + u16 nch =3D mlx5e_stats_nch_read(priv); struct mlx5e_rq_stats *xskrq_stats; struct mlx5e_rq_stats *rq_stats; =20 - if (mlx5e_is_uplink_rep(priv) || i >=3D priv->stats_nch) + if (mlx5e_is_uplink_rep(priv) || i >=3D nch) return; =20 channel_stats =3D priv->channel_stats[i]; @@ -5508,7 +5510,7 @@ static void mlx5e_get_queue_stats_tx(struct net_devic= e *dev, int i, struct mlx5e_priv *priv =3D netdev_priv(dev); struct mlx5e_sq_stats *sq_stats; =20 - if (!priv->stats_nch) + if (!mlx5e_stats_nch_read(priv)) return; =20 /* no special case needed for ptp htb etc since txq2sq_stats is kept up @@ -5525,6 +5527,7 @@ static void mlx5e_get_base_stats(struct net_device *d= ev, struct netdev_queue_stats_tx *tx) { struct mlx5e_priv *priv =3D netdev_priv(dev); + u16 nch =3D mlx5e_stats_nch_read(priv); struct mlx5e_ptp *ptp_channel; int i, tc; =20 @@ -5533,7 +5536,7 @@ static void mlx5e_get_base_stats(struct net_device *d= ev, rx->bytes =3D 0; rx->alloc_fail =3D 0; =20 - for (i =3D priv->channels.params.num_channels; i < priv->stats_nch; i++)= { + for (i =3D priv->channels.params.num_channels; i < nch; i++) { struct netdev_queue_stats_rx rx_i =3D {0}; =20 mlx5e_get_queue_stats_rx(dev, i, &rx_i); 
@@ -5558,7 +5561,7 @@ static void mlx5e_get_base_stats(struct net_device *d= ev, tx->packets =3D 0; tx->bytes =3D 0; =20 - for (i =3D 0; i < priv->stats_nch; i++) { + for (i =3D 0; i < nch; i++) { struct mlx5e_channel_stats *channel_stats =3D priv->channel_stats[i]; =20 /* handle two cases: diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/n= et/ethernet/mellanox/mlx5/core/en_stats.c index 1a3ecf073913..8632b73179cb 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c @@ -516,6 +516,7 @@ static void mlx5e_stats_update_stats_rq_page_pool(struc= t mlx5e_channel *c) static MLX5E_DECLARE_STATS_GRP_OP_UPDATE_STATS(sw) { struct mlx5e_sw_stats *s =3D &priv->stats.sw; + u16 nch =3D mlx5e_stats_nch_read(priv); int i; =20 memset(s, 0, sizeof(*s)); @@ -523,7 +524,7 @@ static MLX5E_DECLARE_STATS_GRP_OP_UPDATE_STATS(sw) for (i =3D 0; i < priv->channels.num; i++) /* for active channels only */ mlx5e_stats_update_stats_rq_page_pool(priv->channels.c[i]); =20 - for (i =3D 0; i < priv->stats_nch; i++) { + for (i =3D 0; i < nch; i++) { struct mlx5e_channel_stats *channel_stats =3D priv->channel_stats[i]; =20 @@ -2615,7 +2616,7 @@ static MLX5E_DECLARE_STATS_GRP_OP_UPDATE_STATS(ptp) {= return; } =20 static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(channels) { - int max_nch =3D priv->stats_nch; + int max_nch =3D mlx5e_stats_nch_read(priv); =20 return (NUM_RQ_STATS * max_nch) + (NUM_CH_STATS * max_nch) + @@ -2628,8 +2629,8 @@ static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(channels) =20 static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(channels) { + int max_nch =3D mlx5e_stats_nch_read(priv); bool is_xsk =3D priv->xsk.ever_used; - int max_nch =3D priv->stats_nch; int i, j, tc; =20 for (i =3D 0; i < max_nch; i++) 
@@ -2661,8 +2662,8 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(channels) =20 static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(channels) { + int max_nch =3D mlx5e_stats_nch_read(priv); bool is_xsk =3D priv->xsk.ever_used; - int max_nch =3D priv->stats_nch; int i, j, tc; =20 for (i =3D 0; i < max_nch; i++) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/driver= s/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c index 0a6003fe60e9..674bed721e63 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c @@ -135,10 +135,11 @@ void mlx5i_cleanup(struct mlx5e_priv *priv) =20 static void mlx5i_grp_sw_update_stats(struct mlx5e_priv *priv) { + u16 nch =3D mlx5e_stats_nch_read(priv); struct rtnl_link_stats64 s =3D {}; int i, j; =20 - for (i =3D 0; i < priv->stats_nch; i++) { + for (i =3D 0; i < nch; i++) { struct mlx5e_channel_stats *channel_stats; struct mlx5e_rq_stats *rq_stats; =20 --=20 2.44.0
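Review bot: In the en.h hunk of 4/4, the comments on mlx5e_stats_nch_read() and mlx5e_stats_nch_write() only say that the two helpers pair with each other; the invariant they protect (stats_nch == N implies channel_stats[0..N-1] are visible and non-NULL) exists only in the commit message. Please move that sentence into the comment above the helpers, and say there that priv->stats_nch must not be read directly outside the writer and teardown paths, since nothing in the type stops a future plain read from reintroducing the race.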
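Review bot: In the mlx5e_channel_stats_alloc() hunk of 4/4, "mlx5e_stats_nch_write(priv, priv->stats_nch + 1);" is a read-modify-write whose read side is a plain load, which is only correct with exactly one writer. The commit message says the writer is serialized by state_lock, but the code does not check it; a lockdep_assert_held(&priv->state_lock) next to the write would turn that assumption into something the kernel verifies.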
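Review bot: In the mlx5e_get_queue_stats_tx() hunk of 4/4, "if (!mlx5e_stats_nch_read(priv))" uses the acquired value only as a non-zero test and never bounds "i" with it, while the context comment shows the function goes on to read txq2sq_stats rather than channel_stats[]. Please explain what store this acquire pairs with for the data the TX path actually reads, and why TX needs no equivalent of the "i >= nch" check that 3/4 added on the RX side; if the acquire orders nothing used here, a comment saying so avoids a misleading pairing.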
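Review bot: In the hv_vhca_stats.c hunks of 4/4, mlx5e_hv_vhca_stats_buf_size(), mlx5e_hv_vhca_fill_stats() and mlx5e_hv_vhca_stats_control() each take their own snapshot of stats_nch, so during bring-up the buffer can be sized for fewer rings than the fill loop later walks, and block->rings can disagree with both. The fill loop already has a WARN_ON_ONCE() on the buffer position, which this window could now trip; consider deriving the loop bound from buf_len, or taking one snapshot and passing it to both sizing and filling.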
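Review bot: In the en_stats.c "channels" group hunks of 4/4, NUM_STATS, FILL_STRS and FILL_STATS each call mlx5e_stats_nch_read() independently, so the count returned to the caller and the number of entries later written are separate snapshots of a value that grows during bring-up. The acquire load fixes the NULL dereference but not that mismatch; please note in the commit message what guarantees the caller's buffer is large enough when stats_nch advances between the count and the fill, or clamp the fill loops to the count that was reported.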
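The publication contract from patch 4/4 (stats_nch == N => channel_stats[0..N-1] are visible and non-NULL), combined with the upper-bound check from patch 3/4, as a userspace C11 model. This is an added example, not code from the patch series or the mlx5 driver: struct priv_model, chan_stats_alloc(), queue_stats_rx(), fold_rx_packets() and run_race() are hypothetical names, and C11 release/acquire atomics stand in for smp_store_release()/smp_load_acquire().

```c
/* Userspace model (added example, hypothetical names) of the contract
 * "stats_nch == N => channel_stats[0..N-1] are visible and non-NULL".
 * C11 release/acquire stands in for smp_store_release()/smp_load_acquire(). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_NCH 64

struct chan_stats { uint64_t rx_packets; };

struct priv_model {
	struct chan_stats *channel_stats[MAX_NCH];
	_Atomic uint16_t stats_nch;	/* publication token */
};

/* Writer. Single-threaded by contract (the driver serializes it with a lock). */
static int chan_stats_alloc(struct priv_model *p, int ix, uint64_t pkts)
{
	uint16_t n = atomic_load_explicit(&p->stats_nch, memory_order_relaxed);
	if (ix != n || n >= MAX_NCH)
		return -1;
	p->channel_stats[ix] = calloc(1, sizeof(struct chan_stats));
	if (!p->channel_stats[ix])
		return -1;
	p->channel_stats[ix]->rx_packets = pkts;
	/* Release: the slot pointer and its contents are ordered before the count. */
	atomic_store_explicit(&p->stats_nch, (uint16_t)(n + 1), memory_order_release);
	return 0;
}

/* Per-queue reader: 0 on success, -1 if queue i has not been published yet. */
static int queue_stats_rx(struct priv_model *p, int i, uint64_t *out)
{
	uint16_t nch = atomic_load_explicit(&p->stats_nch, memory_order_acquire);
	if (i < 0 || i >= nch)	/* the upper bound also covers nch == 0 */
		return -1;
	*out = p->channel_stats[i]->rx_packets;
	return 0;
}

/* Fold reader: snapshot the count once, then touch only published slots. */
static uint64_t fold_rx_packets(struct priv_model *p, uint16_t *seen)
{
	uint16_t nch = atomic_load_explicit(&p->stats_nch, memory_order_acquire);
	uint64_t sum = 0;

	for (int i = 0; i < nch; i++)
		sum += p->channel_stats[i]->rx_packets;
	*seen = nch;
	return sum;
}

static void *bringup_thread(void *arg)
{
	for (int ix = 0; ix < MAX_NCH; ix++)
		chan_stats_alloc(arg, ix, (uint64_t)ix + 1);	/* slot k holds k + 1 */
	return NULL;
}

/* Races bring-up against a polling reader. Returns how many snapshots had a
 * sum that does not match the count observed with it (0 when ordered). */
static int run_race(void)
{
	struct priv_model p = {0};
	pthread_t writer;
	uint16_t n = 0;
	int bad = 0;

	if (pthread_create(&writer, NULL, bringup_thread, &p))
		return -1;
	for (long spins = 0; n < MAX_NCH && spins < 200000000L; spins++) {
		uint64_t sum = fold_rx_packets(&p, &n);
		if (sum != (uint64_t)n * (n + 1) / 2)
			bad++;
	}
	pthread_join(writer, NULL);
	for (int i = 0; i < MAX_NCH; i++)
		free(p.channel_stats[i]);
	return bad;
}

int main(void) { return run_race() != 0; }
```

Replacing the release store and acquire loads with memory_order_relaxed models the pre-patch code; on x86 the race will usually still not reproduce, which matches the commit message's point that the failure shows up on weakly-ordered CPUs.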