Re: [PATCH v2] bnxt_en: validate firmware backing store types

From: Pavan Chebbi

Date: Mon Mar 23 2026 - 06:11:23 EST


On Mon, Mar 23, 2026 at 1:39 PM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> bnxt_hwrm_func_backing_store_qcaps_v2() trusts resp->type from the
> firmware response and stores it in ctxm->type. That value is later used
> to index fixed backing-store metadata arrays such as ctx_arr[] and
> bnxt_bstore_to_trace[] without a local range check.
>
> Validate the returned type before storing it and abort the query when
> firmware reports a type outside BNXT_CTX_V2_MAX. This keeps the fix at
> the point where the untrusted value enters driver state.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> v2:
> - add commit message context and fix rationale
> - no code changes

Patch should be marked "net" and should have 'fixes'.
You must wait at least 24 hours before sending a new revision of the patch.

>
> drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> index 0751c0e4581a..d0446f851d66 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> @@ -8692,6 +8692,7 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
> u8 init_val, init_off, i;
> u32 max_entries;
> u16 entry_size;
> + u16 resp_type;
> __le32 *p;
> u32 flags;
>
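Review bot: the new `u16 resp_type` local is the right width for the `le16_to_cpu(resp->type)` result and slots into the declaration block without breaking the longest-first ordering, so nothing to change in this hunk; its justification, as the second hunk shows, is that the range check runs on the local before anything is written to `ctxm->type`, which is what the commit message means by keeping the fix at the point where the untrusted value enters driver state, and the cover text should say that explicitly to answer the question raised below.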
> @@ -8715,7 +8716,15 @@ static int bnxt_hwrm_func_backing_store_qcaps_v2(struct bnxt *bp)
> else
> continue;
> }
> - ctxm->type = le16_to_cpu(resp->type);
> + resp_type = le16_to_cpu(resp->type);

What's the logic behind having an additional 'resp_type'?

> + if (resp_type >= BNXT_CTX_V2_MAX) {
> + netdev_warn(bp->dev,
> + "invalid backing store type %u returned by firmware\n",
> + resp_type);
> + rc = -EINVAL;
> + goto ctx_done;
> + }
> + ctxm->type = resp_type;
> ctxm->entry_size = entry_size;
> ctxm->flags = flags;
> ctxm->instance_bmap = le32_to_cpu(resp->instance_bit_map);
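Review bot: the error path `rc = -EINVAL; goto ctx_done;` depends on the ctx_done label releasing the HWRM request and leaving any ctx_arr[] entries populated by earlier loop iterations in a consistent state, and none of that is visible in this hunk; confirm ctx_done does both, and, as already requested, add a `Fixes:` tag naming the commit that introduced the unchecked `resp->type` store and target the net tree. The comparison itself, `resp_type >= BNXT_CTX_V2_MAX`, is the correct bound for an index into arrays sized BNXT_CTX_V2_MAX; since the query is abandoned entirely when it fails, `netdev_err()` would match the severity better than `netdev_warn()`.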
> --
> 2.50.1 (Apple Git-155)
>