* [PATCH] bnxt_en: validate firmware backing store types
@ 2026-03-23 8:03 Pengpeng Hou
2026-03-26 14:20 ` [PATCH net v3] " Pengpeng Hou
0 siblings, 1 reply; 6+ messages in thread
From: Pengpeng Hou @ 2026-03-23 8:03 UTC (permalink / raw)
To: Michael Chan, Pavan Chebbi, Andrew Lunn, David S . Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev
Cc: linux-kernel, Pengpeng Hou
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0751c0e4581a..d0446f851d66 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
u8 init_val, init_off, i;
u32 max_entries;
u16 entry_size;
+ u16 resp_type;
__le32 *p;
u32 flags;
@@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
else
continue;
}
- ctxm->type = le16_to_cpu(resp->type);
+ resp_type = le16_to_cpu(resp->type);
+ if (resp_type >= BNXT_CTX_V2_MAX) {
+ netdev_warn(bp->dev,
+ "invalid backing store type %u returned by firmware\n",
+ resp_type);
+ rc = -EINVAL;
+ goto ctx_done;
+ }
+ ctxm->type = resp_type;
ctxm->entry_size = entry_size;
ctxm->flags = flags;
ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map);
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net v3] bnxt_en: validate firmware backing store types
2026-03-23 8:03 [PATCH] bnxt_en: validate firmware backing store types Pengpeng Hou
@ 2026-03-26 14:20 ` Pengpeng Hou
2026-03-26 15:31 ` Michael Chan
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Pengpeng Hou @ 2026-03-26 14:20 UTC (permalink / raw)
To: michael.chan
Cc: pavan.chebbi, andrew+netdev, davem, edumazet, kuba, pabeni,
netdev, linux-kernel, pengpeng
bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
firmware response in ctxm->type and later uses that value to index
fixed backing-store metadata arrays such as ctx_arr[] and
bnxt_bstore_to_trace[] without a local range check.
Validate the returned type before storing it and abort the query when
firmware reports a type outside BNXT_CTX_V2_MAX. Keep next_valid_type in
a dedicated variable so loop control stays clear for non-valid or
unchanged entries while resp->type is validated directly before use.
Fixes: 6a4d0774f02d ("bnxt_en: Add support for new backing store query firmware API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v3:
- mark the patch for net
- add a Fixes tag
- replace resp_type with next_type for loop control and validate resp->type directly
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0751c0e4581a..59ddf7a0c0ba 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
u8 init_val, init_off, i;
u32 max_entries;
u16 entry_size;
+ u16 next_type;
__le32 *p;
u32 flags;
@@ -8700,7 +8701,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
if (rc)
goto ctx_done;
flags = le32_to_cpu(resp->flags);
- type = le16_to_cpu(resp->next_valid_type);
+ next_type = le16_to_cpu(resp->next_valid_type);
if (!(flags & BNXT_CTX_MEM_TYPE_VALID)) {
bnxt_free_one_ctx_mem(bp, ctxm, true);
continue;
@@ -8708,12 +8709,21 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
entry_size = le16_to_cpu(resp->entry_size);
max_entries = le32_to_cpu(resp->max_num_entries);
if (ctxm->mem_valid) {
- if (!(flags & BNXT_CTX_MEM_PERSIST) ||
- ctxm->entry_size != entry_size ||
- ctxm->max_entries != max_entries)
- bnxt_free_one_ctx_mem(bp, ctxm, true);
- else
+ if ((flags & BNXT_CTX_MEM_PERSIST) &&
+ ctxm->entry_size == entry_size &&
+ ctxm->max_entries == max_entries) {
+ type = next_type;
continue;
+ }
+
+ bnxt_free_one_ctx_mem(bp, ctxm, true);
+ }
+ if (le16_to_cpu(resp->type) >= BNXT_CTX_V2_MAX) {
+ netdev_warn(bp->dev,
+ "invalid backing store type %u returned by firmware\n",
+ le16_to_cpu(resp->type));
+ rc = -EINVAL;
+ goto ctx_done;
}
ctxm->type = le16_to_cpu(resp->type);
ctxm->entry_size = entry_size;
@@ -8731,6 +8741,8 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
for (i = 0, p = &resp->split_entry_0; i < ctxm->split_entry_cnt;
i++, p++)
ctxm->split[i] = le32_to_cpu(*p);
+
+ type = next_type;
}
rc = bnxt_alloc_all_ctx_pg_info(bp, BNXT_CTX_V2_MAX);
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net v3] bnxt_en: validate firmware backing store types
2026-03-26 14:20 ` [PATCH net v3] " Pengpeng Hou
@ 2026-03-26 15:31 ` Michael Chan
2026-03-26 19:29 ` Jakub Kicinski
2026-03-27 0:38 ` [PATCH net v4] " Pengpeng Hou
2 siblings, 0 replies; 6+ messages in thread
From: Michael Chan @ 2026-03-26 15:31 UTC (permalink / raw)
To: Pengpeng Hou
Cc: pavan.chebbi, andrew+netdev, davem, edumazet, kuba, pabeni,
netdev, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1633 bytes --]
On Thu, Mar 26, 2026 at 7:21 AM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
> @@ -8708,12 +8709,21 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
> entry_size = le16_to_cpu(resp->entry_size);
> max_entries = le32_to_cpu(resp->max_num_entries);
> if (ctxm->mem_valid) {
> - if (!(flags & BNXT_CTX_MEM_PERSIST) ||
> - ctxm->entry_size != entry_size ||
> - ctxm->max_entries != max_entries)
> - bnxt_free_one_ctx_mem(bp, ctxm, true);
> - else
> + if ((flags & BNXT_CTX_MEM_PERSIST) &&
> + ctxm->entry_size == entry_size &&
> + ctxm->max_entries == max_entries) {
> + type = next_type;
> continue;
> + }
> +
> + bnxt_free_one_ctx_mem(bp, ctxm, true);
> + }
> + if (le16_to_cpu(resp->type) >= BNXT_CTX_V2_MAX) {
The type in the FW response (resp->type) is defined to be the type in
the FW input message (req->type). If you want to validate it, it
should be equal to the loop variable type or req->type. Thanks.
> + netdev_warn(bp->dev,
> + "invalid backing store type %u returned by firmware\n",
> + le16_to_cpu(resp->type));
> + rc = -EINVAL;
> + goto ctx_done;
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5469 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net v3] bnxt_en: validate firmware backing store types
2026-03-26 14:20 ` [PATCH net v3] " Pengpeng Hou
2026-03-26 15:31 ` Michael Chan
@ 2026-03-26 19:29 ` Jakub Kicinski
2026-03-27 0:38 ` [PATCH net v4] " Pengpeng Hou
2 siblings, 0 replies; 6+ messages in thread
From: Jakub Kicinski @ 2026-03-26 19:29 UTC (permalink / raw)
To: Pengpeng Hou
Cc: michael.chan, pavan.chebbi, andrew+netdev, davem, edumazet,
pabeni, netdev, linux-kernel
On Thu, 26 Mar 2026 22:20:33 +0800 Pengpeng Hou wrote:
> bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
> firmware response in ctxm->type and later uses that value to index
> fixed backing-store metadata arrays such as ctx_arr[] and
> bnxt_bstore_to_trace[] without a local range check.
please don't post the next version in reply to the old one.
Add a lore.kernel.org link to the previous posting in the change log
instead.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net v4] bnxt_en: validate firmware backing store types
2026-03-26 14:20 ` [PATCH net v3] " Pengpeng Hou
2026-03-26 15:31 ` Michael Chan
2026-03-26 19:29 ` Jakub Kicinski
@ 2026-03-27 0:38 ` Pengpeng Hou
2026-03-27 1:06 ` Jakub Kicinski
2 siblings, 1 reply; 6+ messages in thread
From: Pengpeng Hou @ 2026-03-27 0:38 UTC (permalink / raw)
To: michael.chan
Cc: pavan.chebbi, andrew+netdev, davem, edumazet, kuba, pabeni,
netdev, linux-kernel, pengpeng
bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
firmware response in ctxm->type and later uses that value to index
fixed backing-store metadata arrays such as ctx_arr[] and
bnxt_bstore_to_trace[].
The firmware response type is defined to match the queried request type.
Validate that resp->type matches the current request before storing it,
and keep next_valid_type in a dedicated variable so loop control stays
clear for non-valid or unchanged entries.
Fixes: 6a4d0774f02d ("bnxt_en: Add support for new backing store query firmware API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v4:
- validate that resp->type matches the queried type
- keep next_type only for loop control
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 30 +++++++++++++++++------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0751c0e4581a..6dd35942640d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -8692,15 +8692,18 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
u8 init_val, init_off, i;
u32 max_entries;
u16 entry_size;
+ u16 req_type;
__le32 *p;
+ u16 next_type;
u32 flags;
- req->type = cpu_to_le16(type);
+ req_type = type;
+ req->type = cpu_to_le16(req_type);
rc = hwrm_req_send(bp, req);
if (rc)
goto ctx_done;
flags = le32_to_cpu(resp->flags);
- type = le16_to_cpu(resp->next_valid_type);
+ next_type = le16_to_cpu(resp->next_valid_type);
if (!(flags & BNXT_CTX_MEM_TYPE_VALID)) {
bnxt_free_one_ctx_mem(bp, ctxm, true);
continue;
@@ -8708,14 +8711,23 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
entry_size = le16_to_cpu(resp->entry_size);
max_entries = le32_to_cpu(resp->max_num_entries);
if (ctxm->mem_valid) {
- if (!(flags & BNXT_CTX_MEM_PERSIST) ||
- ctxm->entry_size != entry_size ||
- ctxm->max_entries != max_entries)
- bnxt_free_one_ctx_mem(bp, ctxm, true);
- else
+ if ((flags & BNXT_CTX_MEM_PERSIST) &&
+ ctxm->entry_size == entry_size &&
+ ctxm->max_entries == max_entries) {
+ type = next_type;
continue;
+ }
+
+ bnxt_free_one_ctx_mem(bp, ctxm, true);
}
- ctxm->type = le16_to_cpu(resp->type);
+ if (le16_to_cpu(resp->type) != req_type) {
+ netdev_warn(bp->dev,
+ "unexpected backing store type %u returned for request type %u\n",
+ le16_to_cpu(resp->type), req_type);
+ rc = -EINVAL;
+ goto ctx_done;
+ }
+ ctxm->type = req_type;
ctxm->entry_size = entry_size;
ctxm->flags = flags;
ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map);
@@ -8731,6 +8743,8 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
for (i = 0, p = &resp->split_entry_0; i < ctxm->split_entry_cnt;
i++, p++)
ctxm->split[i] = le32_to_cpu(*p);
+
+ type = next_type;
}
rc = bnxt_alloc_all_ctx_pg_info(bp, BNXT_CTX_V2_MAX);
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net v4] bnxt_en: validate firmware backing store types
2026-03-27 0:38 ` [PATCH net v4] " Pengpeng Hou
@ 2026-03-27 1:06 ` Jakub Kicinski
0 siblings, 0 replies; 6+ messages in thread
From: Jakub Kicinski @ 2026-03-27 1:06 UTC (permalink / raw)
To: Pengpeng Hou
Cc: michael.chan, pavan.chebbi, andrew+netdev, davem, edumazet,
pabeni, netdev, linux-kernel
On Fri, 27 Mar 2026 08:38:45 +0800 Pengpeng Hou wrote:
> bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
> firmware response in ctxm->type and later uses that value to index
> fixed backing-store metadata arrays such as ctx_arr[] and
> bnxt_bstore_to_trace[].
Again, please do not post in replay to previous posting.
And wait 24h before reposting. Read this:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#tl-dr
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-03-27 1:06 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23 8:03 [PATCH] bnxt_en: validate firmware backing store types Pengpeng Hou
2026-03-26 14:20 ` [PATCH net v3] " Pengpeng Hou
2026-03-26 15:31 ` Michael Chan
2026-03-26 19:29 ` Jakub Kicinski
2026-03-27 0:38 ` [PATCH net v4] " Pengpeng Hou
2026-03-27 1:06 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox