eth: bnxt: fix out-of-range access of vnic_info array

JIRA: https://issues.redhat.com/browse/RHEL-106550
CVE: CVE-2025-22112

commit 919f9f4
Author: Taehee Yoo <[email protected]>
Date:   Sun Mar 16 02:58:37 2025 +0000

    eth: bnxt: fix out-of-range access of vnic_info array

    The bnxt_queue_{start | stop}() access vnic_info as much as allocated,
    which indicates bp->nr_vnics.
    So, it should not reach bp->vnic_info[bp->nr_vnics].

    Fixes: 6619585 ("eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic")
    Signed-off-by: Taehee Yoo <[email protected]>
    Reviewed-by: Michael Chan <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Paolo Abeni <[email protected]>

Signed-off-by: Michal Schmidt <[email protected]>

Author: michich

drivers/net/ethernet/broadcom/bnxt/bnxt.c

@@ -15797,7 +15797,7 @@ static int bnxt_queue_start(struct net_device *dev, void *qmem, int idx)
 	napi_enable(&bnapi->napi);
 	bnxt_db_nq_arm(bp, &cpr->cp_db, cpr->cp_raw_cons);
 
-	for (i = 0; i <= bp->nr_vnics; i++) {
+	for (i = 0; i < bp->nr_vnics; i++) {
 		vnic = &bp->vnic_info[i];
 
 		rc = bnxt_hwrm_vnic_set_rss_p5(bp, vnic, true);
@@ -15831,7 +15831,7 @@ static int bnxt_queue_stop(struct net_device *dev, void *qmem, int idx)
 	struct bnxt_napi *bnapi;
 	int i;
 
-	for (i = 0; i <= bp->nr_vnics; i++) {
+	for (i = 0; i < bp->nr_vnics; i++) {
 		vnic = &bp->vnic_info[i];
 		vnic->mru = 0;
 		bnxt_hwrm_vnic_update(bp, vnic,