2024-06-11 08:29:37

by Aleksandr Mishin

[permalink] [raw]
Subject: [PATCH net v3] bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

In case of token is released due to token->state == BNXT_HWRM_DEFERRED,
released token (set to NULL) is used in log messages. This issue is
expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
this error code is returned by recent firmware. So some firmware may not
return it. This may lead to NULL pointer dereference.
Adjust this issue by adding token pointer check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 8fa4219dba8e ("bnxt_en: add dynamic debug support for HWRM messages")
Suggested-by: Michael Chan <[email protected]>
Signed-off-by: Aleksandr Mishin <[email protected]>
Reviewed-by: Wojciech Drewek <[email protected]>
---
v1->v2: Preserve the error message by replacing 'token' with 'ctx->req->seq_id' as suggested by Michael.
As the patch didn't change significantly, add Wojciech's Reviewed-by tag from the previous version.
v2->v3: Fix missing alignment.

drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
index 1df3d56cc4b5..d2fd2d04ed47 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
@@ -680,7 +680,7 @@ static int __hwrm_send(struct bnxt *bp, struct bnxt_hwrm_ctx *ctx)
req_type);
else if (rc && rc != HWRM_ERR_CODE_PF_UNAVAILABLE)
hwrm_err(bp, ctx, "hwrm req_type 0x%x seq id 0x%x error 0x%x\n",
- req_type, token->seq_id, rc);
+ req_type, le16_to_cpu(ctx->req->seq_id), rc);
rc = __hwrm_to_stderr(rc);
exit:
if (token)
--
2.30.2



2024-06-11 16:40:02

by Michael Chan

[permalink] [raw]
Subject: Re: [PATCH net v3] bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

On Tue, Jun 11, 2024 at 1:28 AM Aleksandr Mishin <[email protected]> wrote:
>
> In case of token is released due to token->state == BNXT_HWRM_DEFERRED,
> released token (set to NULL) is used in log messages. This issue is
> expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
> this error code is returned by recent firmware. So some firmware may not
> return it. This may lead to NULL pointer dereference.
> Adjust this issue by adding token pointer check.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 8fa4219dba8e ("bnxt_en: add dynamic debug support for HWRM messages")
> Suggested-by: Michael Chan <[email protected]>
> Signed-off-by: Aleksandr Mishin <[email protected]>
> Reviewed-by: Wojciech Drewek <[email protected]>
> ---
> v1->v2: Preserve the error message by replacing 'token' with 'ctx->req->seq_id' as suggested by Michael.
> As the patch didn't change significantly, add Wojciech's Reviewed-by tag from the previous version.
> v2->v3: Fix missing alignment.

Thanks.
Reviewed-by: Michael Chan <[email protected]>

Attachments:
smime.p7s (4.11 kB)
S/MIME Cryptographic Signature

2024-06-13 15:10:47

by patchwork-bot+netdevbpf

[permalink] [raw]
Subject: Re: [PATCH net v3] bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <[email protected]>:

On Tue, 11 Jun 2024 11:25:46 +0300 you wrote:
> In case of token is released due to token->state == BNXT_HWRM_DEFERRED,
> released token (set to NULL) is used in log messages. This issue is
> expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
> this error code is returned by recent firmware. So some firmware may not
> return it. This may lead to NULL pointer dereference.
> Adjust this issue by adding token pointer check.
>
> [...]

Here is the summary with links:
- [net,v3] bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()
https://git.kernel.org/netdev/net/c/a9b9741854a9

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html