* [PATCH v2 1/1] RFS Capability Bypass Vulnerability in Linux bnxt_en Driver
@ 2025-08-27 13:50 qianjiaru77
2025-08-27 22:15 ` Michael Chan
0 siblings, 1 reply; 2+ messages in thread
From: qianjiaru77 @ 2025-08-27 13:50 UTC (permalink / raw)
To: michael.chan, pavan.chebbi, davem, edumazet, kuba, pabeni,
andrew+netdev
Cc: netdev, linux-kernel, qianjiaru
From: qianjiaru <qianjiaru77@gmail.com>
A logic vulnerability exists in the `bnxt_rfs_capable()` function of the
Linux kernel's bnxt_en network driver. The vulnerability allows the driver
to incorrectly report RFS (Receive Flow Steering) capability on older
firmware versions without performing necessary resource validation,
potentially leading to system crashes when RFS features are enabled.
The vulnerability exists in the RFS capability check logic where older
firmware versions bypass essential resource validation.
Signed-off-by: qianjiaru <qianjiaru77@gmail.com>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 207a8bb36..b59ce7f45 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -13610,8 +13610,11 @@ bool bnxt_rfs_capable(struct bnxt *bp, bool new_rss_ctx)
return false;
}
- if (!BNXT_NEW_RM(bp))
- return true;
+ // FIXED: Apply consistent validation for all firmware versions
+ if (!BNXT_NEW_RM(bp)) {
+ // Basic validation even for old firmware
+ return (hwr.vnic <= max_vnics && hwr.rss_ctx <= max_rss_ctxs);
+ }
/* Do not reduce VNIC and RSS ctx reservations. There is a FW
* issue that will mess up the default VNIC if we reduce the
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2 1/1] RFS Capability Bypass Vulnerability in Linux bnxt_en Driver
2025-08-27 13:50 [PATCH v2 1/1] RFS Capability Bypass Vulnerability in Linux bnxt_en Driver qianjiaru77
@ 2025-08-27 22:15 ` Michael Chan
0 siblings, 0 replies; 2+ messages in thread
From: Michael Chan @ 2025-08-27 22:15 UTC (permalink / raw)
To: qianjiaru77
Cc: pavan.chebbi, davem, edumazet, kuba, pabeni, andrew+netdev,
netdev, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 889 bytes --]
On Wed, Aug 27, 2025 at 6:50 AM <qianjiaru77@gmail.com> wrote:
> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> index 207a8bb36..b59ce7f45 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> @@ -13610,8 +13610,11 @@ bool bnxt_rfs_capable(struct bnxt *bp, bool new_rss_ctx)
> return false;
> }
>
> - if (!BNXT_NEW_RM(bp))
> - return true;
> + // FIXED: Apply consistent validation for all firmware versions
> + if (!BNXT_NEW_RM(bp)) {
> + // Basic validation even for old firmware
> + return (hwr.vnic <= max_vnics && hwr.rss_ctx <= max_rss_ctxs);
This added logic makes no difference. We already did the same check a
few lines above and would have returned false if the opposite was
true.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4196 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-27 22:15 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-27 13:50 [PATCH v2 1/1] RFS Capability Bypass Vulnerability in Linux bnxt_en Driver qianjiaru77
2025-08-27 22:15 ` Michael Chan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).