From nobody Fri Apr 3 22:50:16 2026 Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2995C36B06F; Mon, 23 Mar 2026 08:03:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.81 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774253030; cv=none; b=JS3aI2Tb9ArwGzdXG9qJIbDxc4gI4OenjdfL8OJsy+ifeAp+qtimYhQEVzj5K+hvYVykhDocryOJUGyu+2CdWbWEuqIT1pm2TjQfgY5Z3wxiskeLPyKfDThQgr8dz/1q4uFqcWcVhNf1E4JR/1WuN6g7CIpeyp57TAYnHjb5Ne0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774253030; c=relaxed/simple; bh=J7Vd188rDLpignfhsLQ1sTR+sYGEMdN9NZocKWAVCY8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=joHrqxL74fVQQZkc+9QAWFU08302TNzm+oMxrUppzFxTAiMlXUhbct8+apnf4QHF+ntJYiRrxCCOwiQneT+vNAw8+L4DOpO1KN2nd9dPTMwtgQp5AH1IayMGbozk4hUpPC6PyrnNlJpGjgJ2HIjnA5m2/3KJ82RwGxo1/M+zit0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from localhost.localdomain (unknown [111.196.245.197]) by APP-03 (Coremail) with SMTP id rQCowABnhdzY88BpfyyHCw--.58791S2; Mon, 23 Mar 2026 16:03:37 +0800 (CST) From: Pengpeng Hou To: Michael Chan , Pavan Chebbi , Andrew Lunn , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Pengpeng Hou Subject: [PATCH] bnxt_en: validate firmware backing store types Date: Mon, 23 Mar 2026 16:03:36 +0800 Message-ID: <20260323080336.36905-1-pengpeng@iscas.ac.cn> X-Mailer: git-send-email 2.50.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: rQCowABnhdzY88BpfyyHCw--.58791S2 X-Coremail-Antispam: 1UD129KBjvdXoW7GFWUtF1UCFy5Ww1xGr1DAwb_yoWktFc_ur y3ZFyrtr45AFyq9FWDCr4fC34FkF4qqw48ZFn7trZxAwnIyr1UX3yxZa45Jw13GrWxXFyD Gry293yj934rKjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUb3xFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr0_ Cr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s 1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E2Ix0 cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r4j6F4UMcvjeVCFs4IE7xkEbVWUJVW8Jw ACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7CjxVAaw2AFwI0_Jw0_GFyl42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7 v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF 1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIx AIcVC0I7IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI 42IY6I8E87Iv67AKxVW8JVWxJwCI42IY6I8E87Iv6xkF7I0E14v26r4UJVWxJrUvcSsGvf C2KfnxnUUI43ZEXa7VUb8hL5UUUUU== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Content-Type: text/plain; charset="utf-8" Signed-off-by: Pengpeng Hou --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethern= et/broadcom/bnxt/bnxt.c index 0751c0e4581a..d0446f851d66 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(stru= ct bnxt *bp) u8 init_val, init_off, i; u32 max_entries; u16 entry_size; + u16 resp_type; __le32 *p; u32 flags; =20 @@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(str= uct bnxt *bp) else continue; } - ctxm->type =3D le16_to_cpu(resp->type); + resp_type =3D le16_to_cpu(resp->type); + if (resp_type >=3D BNXT_CTX_V2_MAX) { + netdev_warn(bp->dev, + "invalid backing store type %u returned by firmware\n", + resp_type); + rc =3D -EINVAL; + goto ctx_done; + } + ctxm->type =3D resp_type; ctxm->entry_size =3D entry_size; ctxm->flags =3D flags; ctxm->instance_bmap =3D le32_to_cpu(resp->instance_bit_map); --=20 2.50.1 (Apple Git-155)