bnxt_hwrm_func_backing_store_qcaps_v2() trusts resp->type from the
firmware response and stores it in ctxm->type. That value is later used
to index fixed backing-store metadata arrays such as ctx_arr[] and
bnxt_bstore_to_trace[] without a local range check.
Validate the returned type before storing it and abort the query when
firmware reports a type outside BNXT_CTX_V2_MAX. This keeps the fix at
the point where the untrusted value enters driver state.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- add commit message context and fix rationale
- no code changes
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0751c0e4581a..d0446f851d66 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
u8 init_val, init_off, i;
u32 max_entries;
u16 entry_size;
+ u16 resp_type;
__le32 *p;
u32 flags;
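Review bot: the new `u16 resp_type` local is justified, but the changelog should say why, since the reply asks exactly that. On the error path in the next hunk the function bails out with `-EINVAL`, yet `ctxm` is driver state that outlives this call, so assigning `ctxm->type = le16_to_cpu(resp->type)` first and testing `ctxm->type >= BNXT_CTX_V2_MAX` afterwards would leave an out-of-range type sitting in `ctx_arr[]` for the later consumers the commit message names (`ctx_arr[]`, `bnxt_bstore_to_trace[]`). Keeping the temporary avoids that; one sentence in the commit message ("check before it reaches ctxm->type") would close the question. The placement between `u16 entry_size;` and `__le32 *p;` keeps the declaration block in the reverse-xmas-tree order netdev expects.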
@@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
else
continue;
}
- ctxm->type = le16_to_cpu(resp->type);
+ resp_type = le16_to_cpu(resp->type);
+ if (resp_type >= BNXT_CTX_V2_MAX) {
+ netdev_warn(bp->dev,
+ "invalid backing store type %u returned by firmware\n",
+ resp_type);
+ rc = -EINVAL;
+ goto ctx_done;
+ }
+ ctxm->type = resp_type;
ctxm->entry_size = entry_size;
ctxm->flags = flags;
ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map);
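Review bot: `rc = -EINVAL; goto ctx_done;` turns one unexpected type into a failure of the whole backing-store query, so a firmware that reports a type this driver's `BNXT_CTX_V2_MAX` does not know (for example a newer one) would make the query fail rather than have that entry ignored. The hunk's own context shows the loop already has a `continue` path for entries it does not take; consider whether skipping the entry after the `netdev_warn` is the better behaviour, or state in the commit message why a hard failure is intended. Two smaller points: the `ctx_done` label is outside the hunk, so confirm that path releases the held HWRM request on this new early exit; and because the change corrects the handling of an untrusted firmware value it should carry a `Fixes:` tag and be sent as `[PATCH net]`, as the reply also asks.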
--
2.50.1 (Apple Git-155)
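A user-space model of the check above, as an added example that is not part of the patch or of the bnxt driver: it walks a constructed firmware type chain, decodes each little-endian response, and bounds the reported type before that value is stored into a fixed driver-side table. CTX_TYPE_MAX, the 12-byte response layout, the fake firmware and every response it returns are assumptions made for the example. It also goes beyond the patch in two places, both marked in the code: it rejects an in-range type that does not match the type asked for, and it refuses a chain that revisits a type.

```c
/* Added example, not bnxt driver code: a user-space model of the pattern in the
 * patch above. Struct layouts, CTX_TYPE_MAX, the fake firmware and its responses
 * are constructed for this example and do not reflect the real HWRM layout. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_TYPE_MAX    4        /* stand-in for BNXT_CTX_V2_MAX (assumed value) */
#define TYPE_END        0xffff   /* constructed "no further type" marker */
#define FLAG_TYPE_VALID 0x1u

struct ctx_mem_type { uint16_t type; uint16_t entry_size; uint32_t flags; int populated; };

/* Driver-side table indexed by type: the thing an unchecked type would overrun. */
struct driver_ctx { struct ctx_mem_type arr[CTX_TYPE_MAX]; };
static struct driver_ctx g_ctx;

/* Constructed 12-byte little-endian response:
 * u16 type | u16 next_valid_type | u32 flags | u16 entry_size | u16 reserved */
struct fw_resp { uint8_t b[12]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static struct fw_resp mk_resp(uint16_t type, uint16_t next, uint32_t flags, uint16_t esz)
{
	struct fw_resp r;
	memset(&r, 0, sizeof(r));
	r.b[0] = type & 0xff;  r.b[1] = type >> 8;
	r.b[2] = next & 0xff;  r.b[3] = next >> 8;
	r.b[4] = flags & 0xff; r.b[5] = (flags >> 8) & 0xff;
	r.b[6] = (flags >> 16) & 0xff; r.b[7] = flags >> 24;
	r.b[8] = esz & 0xff;   r.b[9] = esz >> 8;
	return r;
}

/* Fake firmware: the answer to "describe type t" is resps[t]. Its contents are
 * untrusted; a buggy or hostile firmware may put anything in the type field. */
struct fake_fw { const struct fw_resp *resps; uint16_t n; };

static int fw_query(const struct fake_fw *fw, uint16_t t, struct fw_resp *out)
{
	if (t >= fw->n)
		return -EIO;
	*out = fw->resps[t];
	return 0;
}

/* Walk the firmware's type chain the way the qcaps loop does. Returns the number
 * of entries stored, or a negative errno. The bound check sits where the value
 * would first index ctx->arr[]. `next` is untrusted too, but it is only ever used
 * as a loop index that the while condition and fw_query() bound. */
static int query_backing_store(const struct fake_fw *fw, struct driver_ctx *ctx)
{
	uint16_t type = 0;
	int stored = 0, steps = 0;

	memset(ctx, 0, sizeof(*ctx));
	while (type < CTX_TYPE_MAX) {
		struct fw_resp r;
		uint16_t resp_type, next;
		uint32_t flags;

		if (++steps > CTX_TYPE_MAX)       /* assumed extra: chain must not revisit a type */
			return -EIO;
		if (fw_query(fw, type, &r))
			return -EIO;
		resp_type = le16(&r.b[0]);
		next = le16(&r.b[2]);
		flags = le32(&r.b[4]);
		if (!(flags & FLAG_TYPE_VALID)) { /* firmware says: nothing for this slot */
			type = next;
			continue;
		}
		if (resp_type >= CTX_TYPE_MAX)    /* the patch's check, before any store */
			return -EINVAL;
		if (resp_type != type)            /* assumed extra: answer must match the question */
			return -EINVAL;
		ctx->arr[resp_type].type = resp_type;
		ctx->arr[resp_type].entry_size = le16(&r.b[8]);
		ctx->arr[resp_type].flags = flags;
		ctx->arr[resp_type].populated = 1;
		stored++;
		type = next;
	}
	return stored;
}

/* Entry size stored for type t by the last scenario, or -1 if none was stored. */
int stored_entry_size(uint16_t t)
{
	return (t < CTX_TYPE_MAX && g_ctx.arr[t].populated) ? g_ctx.arr[t].entry_size : -1;
}

/* Constructed scenario: types 0, 1 and 3 present, slot 2 reported as not valid. */
int scenario_well_behaved(void)
{
	const struct fw_resp resps[] = {
		mk_resp(0, 1, FLAG_TYPE_VALID, 64), mk_resp(1, 2, FLAG_TYPE_VALID, 128),
		mk_resp(2, 3, 0, 0), mk_resp(3, TYPE_END, FLAG_TYPE_VALID, 256),
	};
	struct fake_fw fw = { resps, 4 };
	return query_backing_store(&fw, &g_ctx);
}

/* Constructed scenario: the answer for slot 0 claims to describe type `reported`. */
int scenario_reported_type(uint16_t reported)
{
	const struct fw_resp resps[] = { mk_resp(reported, TYPE_END, FLAG_TYPE_VALID, 64) };
	struct fake_fw fw = { resps, 1 };
	return query_backing_store(&fw, &g_ctx);
}

/* Constructed scenario: slot 0 points to 1 and slot 1 back to 0. */
int scenario_cyclic_chain(void)
{
	const struct fw_resp resps[] = { mk_resp(0, 1, FLAG_TYPE_VALID, 64), mk_resp(1, 0, FLAG_TYPE_VALID, 64) };
	struct fake_fw fw = { resps, 2 };
	return query_backing_store(&fw, &g_ctx);
}

int main(void)
{
	printf("well-behaved: %d stored, type 3 entry_size %d\n", scenario_well_behaved(), stored_entry_size(3));
	printf("type 0x41 reported: %d\n", scenario_reported_type(0x41));
	printf("type 3 reported for slot 0: %d\n", scenario_reported_type(3));
	printf("cyclic chain: %d\n", scenario_cyclic_chain());
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The `resp_type >= CTX_TYPE_MAX` test is the only thing keeping `ctx->arr[resp_type]` in bounds; the two checks marked "assumed extra" are this example's additions, not something the patch does.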
On Mon, Mar 23, 2026 at 1:39 PM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> bnxt_hwrm_func_backing_store_qcaps_v2() trusts resp->type from the
> firmware response and stores it in ctxm->type. That value is later used
> to index fixed backing-store metadata arrays such as ctx_arr[] and
> bnxt_bstore_to_trace[] without a local range check.
>
> Validate the returned type before storing it and abort the query when
> firmware reports a type outside BNXT_CTX_V2_MAX. This keeps the fix at
> the point where the untrusted value enters driver state.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> v2:
> - add commit message context and fix rationale
> - no code changes
Patch should be marked "net" and should have 'fixes'.
You must wait at least 24 hours before sending a new revision of the patch.
>
> drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> index 0751c0e4581a..d0446f851d66 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> @@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
> u8 init_val, init_off, i;
> u32 max_entries;
> u16 entry_size;
> + u16 resp_type;
> __le32 *p;
> u32 flags;
>
> @@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
> else
> continue;
> }
> - ctxm->type = le16_to_cpu(resp->type);
> + resp_type = le16_to_cpu(resp->type);
What's the logic behind having additional 'resp_type'?
> + if (resp_type >= BNXT_CTX_V2_MAX) {
> + netdev_warn(bp->dev,
> + "invalid backing store type %u returned by firmware\n",
> + resp_type);
> + rc = -EINVAL;
> + goto ctx_done;
> + }
> + ctxm->type = resp_type;
> ctxm->entry_size = entry_size;
> ctxm->flags = flags;
> ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map);
> --
> 2.50.1 (Apple Git-155)
>
© 2016 - 2026 Red Hat, Inc.