From nobody Sat Feb 22 02:51:37 2025 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Z0BN973Zmz5ntbs; Sat, 22 Feb 2025 02:51:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Z0BN96N4hz3nF9; Sat, 22 Feb 2025 02:51:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1740192697; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rPwy6ew7rDkeblYlawYP/86WcigO6ofeSWhWk72Z2rA=; b=RJ+QRwV8Nvg6xpnokXXgMesjqnh8iUAUX4DyhtnGXNvKleeHle5ccrC8ApPJKyhSTx4ArP afi7ahjGwKF7Y4hI9yTPatuu6hn1d4kbNt2JR/Sx/tflAjJfJOOC+StufLFKFBrseZca4p kEx11I7UotbSx1K1y5QzQxIFDZYX9hpEQT2bc6sClChakfAZyCTJ9oDNK+kYqiR4srWom/ dlvMmOvfgKDJSbDRRXOm05WNJAp+SypIWXWaNz8Pi52AuXeG85nG0/lWAtBJ7NT4vdQShF /d5+Fb2h4lztNBwgxNJqDACz7a7zKsbkgzWN8vGk3Etfk0WjqQaWtHgDBYpmFg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1740192697; a=rsa-sha256; cv=none; b=mOyjf8Jl4HJtXPFOpFdknffTzxCGZl7L3p4lFzM1xZD7e1BZcTRti1GE42VX+qU5lNM9DO GHlIHc1mQRii/lfMqHRdFpsWNA273O1u/QCfejDcVBT1+HFQgO7YEqwWiE5zDviI1DaxGS WyzPAIgiantzVfhNB/7twfDMabNuNtO5ojH6OCQsuLpredUraaN4S2ty89JMu+UoA3T8VS z4PJbW1VG4HD14UfIK+YkwJ8hmkEwjupos/1LPG/GQBXYTagtDFMOrpsvfhdDt+Ip6HI8E sw+w38HjIaYtOOgkO/HHWBGWvdnE+KRps8c6QztuZg1EjT5eQHANhvVCO9C+EQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1740192697; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=rPwy6ew7rDkeblYlawYP/86WcigO6ofeSWhWk72Z2rA=; b=WPOOUrdt5br+YQGrjDZeXzbshiAn20Ln/qJTy/B1K6+xFgshm93zJqkHJrN+eMkOvokGQU FuUXw8h6/89AJ7/CNst4F8vedtb8RXMCQNY9oT2VhMrCVvSrgltMp6YJCke+eROOJD0Cjg I6cuiMm2K3Mh+HJUajYaSJWxCANqgjKxn3bBe+mEuUS7BPAfko33P2/uTW510M4UidG9+l 0Tr2Jbinoi0eOysjD7awRdCYZisWw9XFRpglhXNGfxIzTZyQHFZoG18hkM3F2KtK1smEPE LaANj5E0CY4FEPc0X1xmgOiA6NwoMz4YtXd5fYyKNmFny1twQ/HFm1S4PsDUqw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Z0BN95LmSzqBV; Sat, 22 Feb 2025 02:51:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51M2pbjb069760; Sat, 22 Feb 2025 02:51:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51M2pb5X069757; Sat, 22 Feb 2025 02:51:37 GMT (envelope-from git) Date: Sat, 22 Feb 2025 02:51:37 GMT Message-Id: <202502220251.51M2pb5X069757@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Zhenlei Huang Subject: git: acc2d4712391 - stable/14 - bnxt_en: Retrieve maximum of 128 APP TLVs List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: zlei X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: acc2d47123913d3d5582da2e1eaaacb3096faca8 Auto-Submitted: auto-generated The branch stable/14 has been updated by zlei: URL: https://cgit.FreeBSD.org/src/commit/?id=acc2d47123913d3d5582da2e1eaaacb3096faca8 commit acc2d47123913d3d5582da2e1eaaacb3096faca8 Author: Zhenlei Huang AuthorDate: 2025-02-14 10:38:29 +0000 Commit: Zhenlei Huang CommitDate: 2025-02-22 02:50:55 +0000 bnxt_en: Retrieve maximum of 128 APP TLVs It appears that the maximum number of APP TLVs supported by the hardware is 128 according to D45005. Well Daniel Porsch reported an issue PR284073 which shows that the number can exceed the limit, causing out of bound write to on-stack allocated variable app[128] and the kernel panics. Limit to 128 while retrieving APP TLVs. PR: 284073 Reviewed by: markj Tested by: Daniel Porsch Fixes: 35b53f8c989f bnxt_en: Add PFC, ETS & App TLVs protocols support MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D48589 (cherry picked from commit 3de231b4d956f7b9c22e31f75805030a417f7bf3) --- sys/dev/bnxt/bnxt_en/bnxt.h | 3 ++- sys/dev/bnxt/bnxt_en/bnxt_dcb.c | 17 ++++++++++------- sys/dev/bnxt/bnxt_en/bnxt_mgmt.c | 1 + sys/dev/bnxt/bnxt_en/bnxt_sysctl.c | 2 +- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/sys/dev/bnxt/bnxt_en/bnxt.h b/sys/dev/bnxt/bnxt_en/bnxt.h index cf4f99077b58..e615566595ec 100644 --- a/sys/dev/bnxt/bnxt_en/bnxt.h +++ b/sys/dev/bnxt/bnxt_en/bnxt.h @@ -1309,6 +1309,7 @@ int bnxt_dcb_ieee_getpfc(struct bnxt_softc *softc, struct bnxt_ieee_pfc *pfc); int bnxt_dcb_ieee_setpfc(struct bnxt_softc *softc, struct bnxt_ieee_pfc *pfc); int bnxt_dcb_ieee_setapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app); int bnxt_dcb_ieee_delapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app); -int bnxt_dcb_ieee_listapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app, int *num_inputs); +int bnxt_dcb_ieee_listapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app, + size_t nitems, int *num_inputs); #endif /* _BNXT_H */ diff --git a/sys/dev/bnxt/bnxt_en/bnxt_dcb.c b/sys/dev/bnxt/bnxt_en/bnxt_dcb.c index e1e0581d3c24..e0643f200021 100644 --- a/sys/dev/bnxt/bnxt_en/bnxt_dcb.c +++ b/sys/dev/bnxt/bnxt_en/bnxt_dcb.c @@ -313,7 +313,8 @@ bnxt_hwrm_queue_pfc_qcfg(struct bnxt_softc *softc, struct bnxt_ieee_pfc *pfc) } static int -bnxt_hwrm_get_dcbx_app(struct bnxt_softc *softc, struct bnxt_dcb_app *app, int *num_inputs) +bnxt_hwrm_get_dcbx_app(struct bnxt_softc *softc, struct bnxt_dcb_app *app, + size_t nitems, int *num_inputs) { struct hwrm_fw_get_structured_data_input get = {0}; struct hwrm_struct_data_dcbx_app *fw_app; @@ -350,7 +351,7 @@ bnxt_hwrm_get_dcbx_app(struct bnxt_softc *softc, struct bnxt_dcb_app *app, int * } n = data->count; - for (i = 0; i < n; i++, fw_app++) { + for (i = 0; i < n && *num_inputs < nitems; i++, fw_app++) { app[*num_inputs].priority = fw_app->priority; app[*num_inputs].protocol = htobe16(fw_app->protocol_id); app[*num_inputs].selector = fw_app->protocol_selector; @@ -472,7 +473,8 @@ bnxt_hwrm_queue_dscp_qcaps(struct bnxt_softc *softc) } static int -bnxt_hwrm_queue_dscp2pri_qcfg(struct bnxt_softc *softc, struct bnxt_dcb_app *app, int *num_inputs) +bnxt_hwrm_queue_dscp2pri_qcfg(struct bnxt_softc *softc, struct bnxt_dcb_app *app, + size_t nitems, int *num_inputs) { struct hwrm_queue_dscp2pri_qcfg_input req = {0}; struct hwrm_queue_dscp2pri_qcfg_output *resp = @@ -503,7 +505,7 @@ bnxt_hwrm_queue_dscp2pri_qcfg(struct bnxt_softc *softc, struct bnxt_dcb_app *app goto end; entry_cnt = le16toh(resp->entry_cnt); - for (i = 0; i < entry_cnt; i++) { + for (i = 0; i < entry_cnt && *num_inputs < nitems; i++) { app[*num_inputs].priority = dscp2pri[i].pri; app[*num_inputs].protocol = dscp2pri[i].dscp; app[*num_inputs].selector = BNXT_IEEE_8021QAZ_APP_SEL_DSCP; @@ -774,10 +776,11 @@ bnxt_dcb_ieee_delapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app) } int -bnxt_dcb_ieee_listapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app, int *num_inputs) +bnxt_dcb_ieee_listapp(struct bnxt_softc *softc, struct bnxt_dcb_app *app, + size_t nitems, int *num_inputs) { - bnxt_hwrm_get_dcbx_app(softc, app, num_inputs); - bnxt_hwrm_queue_dscp2pri_qcfg(softc, app, num_inputs); + bnxt_hwrm_get_dcbx_app(softc, app, nitems, num_inputs); + bnxt_hwrm_queue_dscp2pri_qcfg(softc, app, nitems, num_inputs); return 0; } diff --git a/sys/dev/bnxt/bnxt_en/bnxt_mgmt.c b/sys/dev/bnxt/bnxt_en/bnxt_mgmt.c index 72704c3db452..bbc12b96d8c6 100644 --- a/sys/dev/bnxt/bnxt_en/bnxt_mgmt.c +++ b/sys/dev/bnxt/bnxt_en/bnxt_mgmt.c @@ -139,6 +139,7 @@ bnxt_mgmt_process_dcb(struct cdev *dev, u_long cmd, caddr_t data, break; case BNXT_MGMT_DCB_LIST_APP: bnxt_dcb_ieee_listapp(softc, &mgmt_dcb.req.app_tlv.app[0], + nitems(mgmt_dcb.req.app_tlv.app), &mgmt_dcb.req.app_tlv.num_app); break; default: diff --git a/sys/dev/bnxt/bnxt_en/bnxt_sysctl.c b/sys/dev/bnxt/bnxt_en/bnxt_sysctl.c index cf4e995e1aba..78e531362db4 100644 --- a/sys/dev/bnxt/bnxt_en/bnxt_sysctl.c +++ b/sys/dev/bnxt/bnxt_en/bnxt_sysctl.c @@ -1953,7 +1953,7 @@ bnxt_dcb_list_app(SYSCTL_HANDLER_ARGS) if (!buf) return ENOMEM; - bnxt_dcb_ieee_listapp(softc, app, &num_inputs); + bnxt_dcb_ieee_listapp(softc, app, nitems(app), &num_inputs); bnxt_app_tlv_get_string(softc, buf, app, num_inputs); rc = sysctl_handle_string(oidp, buf, BNXT_APP_TLV_STR_LEN, req);