lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACKFLimTo8EZwhV2qGs07O9B=BuCGrrC7x3HECorTet1wrsbsw@mail.gmail.com>
Date: Sat, 8 Jun 2024 08:40:40 -0700
From: Michael Chan <michael.chan@...adcom.com>
To: Aleksandr Mishin <amishin@...rgos.ru>
Cc: Edwin Peer <edwin.peer@...adcom.com>, "David S. Miller" <davem@...emloft.net>, 
	Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	lvc-project@...uxtesting.org
Subject: Re: [PATCH net] bnxt_en: Adjust logging of firmware messages in case
 of released token in __hwrm_send()

On Fri, Jun 7, 2024 at 12:08 AM Aleksandr Mishin <amishin@...rgos.ru> wrote:
>
> In case of token is released due to token->state == BNXT_HWRM_DEFERRED,
> released token (set to NULL) is used in log messages. This issue is
> expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But
> this error code is returned by recent firmware. So some firmware may not
> return it. This may lead to NULL pointer dereference.
> Adjust this issue by adding token pointer check.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 8fa4219dba8e ("bnxt_en: add dynamic debug support for HWRM messages")
> Signed-off-by: Aleksandr Mishin <amishin@...rgos.ru>
> ---
>  drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
> index 1df3d56cc4b5..14585ac476c8 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
> @@ -678,7 +678,7 @@ static int __hwrm_send(struct bnxt *bp, struct bnxt_hwrm_ctx *ctx)
>         if (rc == HWRM_ERR_CODE_BUSY && !(ctx->flags & BNXT_HWRM_CTX_SILENT))
>                 netdev_warn(bp->dev, "FW returned busy, hwrm req_type 0x%x\n",
>                             req_type);
> -       else if (rc && rc != HWRM_ERR_CODE_PF_UNAVAILABLE)
> +       else if (rc && token && rc != HWRM_ERR_CODE_PF_UNAVAILABLE)
>                 hwrm_err(bp, ctx, "hwrm req_type 0x%x seq id 0x%x error 0x%x\n",
>                          req_type, token->seq_id, rc);

Thanks for the patch.  I think doing this will be better to preserve
the error message:

hwrm_err(bp, ctx, "hwrm req_type 0x%x seq id 0x%x error 0x%x\n",
        req_type, le16_to_cpu(ctx->req->seq_id), rc);

The seq id is saved in ctx->req so we can use it.

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4209 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ