Add logic checks at critical points to detect potentially illegal
firmware information, preventing subsequent logic exceptions.
Fixes: 52aae4ed4ffb ("net/rnp: add device capabilities")
Fixes: 52dfb84e14be ("net/rnp: add device init and uninit")
Cc: sta...@dpdk.org
Signed-off-by: Wenbo Cao <caowe...@mucse.com>
---
drivers/net/rnp/base/rnp_fw_cmd.h | 1 +
drivers/net/rnp/base/rnp_mbx_fw.c | 15 ++++++++++++++-
drivers/net/rnp/rnp_ethdev.c | 16 ++++++++--------
3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/drivers/net/rnp/base/rnp_fw_cmd.h
b/drivers/net/rnp/base/rnp_fw_cmd.h
index 26db07ad36..f6c0d77f1d 100644
--- a/drivers/net/rnp/base/rnp_fw_cmd.h
+++ b/drivers/net/rnp/base/rnp_fw_cmd.h
@@ -159,6 +159,7 @@ struct rnp_mac_addr_rep {
#define RNP_SPEED_CAP_100M_HALF RTE_BIT32(11)
#define RNP_SPEED_CAP_1GB_HALF RTE_BIT32(12)
+#define RNP_SPEED_VALID_MASK RTE_GENMASK32(12, 2)
enum rnp_pma_phy_type {
RNP_PHY_TYPE_NONE = 0,
RNP_PHY_TYPE_1G_BASE_KX,
diff --git a/drivers/net/rnp/base/rnp_mbx_fw.c
b/drivers/net/rnp/base/rnp_mbx_fw.c
index 3e7cf7f9ad..9e0b1730c2 100644
--- a/drivers/net/rnp/base/rnp_mbx_fw.c
+++ b/drivers/net/rnp/base/rnp_mbx_fw.c
@@ -230,6 +230,7 @@ rnp_fw_get_phy_capability(struct rnp_eth_port *port,
return 0;
}
+#define RNP_MAX_LANE_MASK (0xf)
int rnp_mbx_fw_get_capability(struct rnp_eth_port *port)
{
struct rnp_phy_abilities_rep ability;
@@ -252,17 +253,29 @@ int rnp_mbx_fw_get_capability(struct rnp_eth_port *port)
hw->nic_mode = ability.nic_mode;
/* get phy<->lane mapping info */
lane_cnt = rte_popcount32(hw->lane_mask);
+ if (lane_cnt > RNP_MAX_PORT_OF_PF) {
+ RNP_PMD_LOG(ERR, "firmware invalid lane_mask");
+ return -EINVAL;
+ }
temp_mask = hw->lane_mask;
+ if (temp_mask == 0 || temp_mask > RNP_MAX_LANE_MASK) {
+ RNP_PMD_LOG(ERR, "lane_mask is invalid 0x%.2x",
temp_mask);
+ return -EINVAL;
+ }
if (ability.e.ports_is_sgmii_valid)
is_sgmii_bits = ability.e.lane_is_sgmii;
for (idx = 0; idx < lane_cnt; idx++) {
hw->phy_port_ids[idx] = port_ids[idx];
+ if (temp_mask == 0) {
+ RNP_PMD_LOG(ERR, "temp_mask is zero at idx=%d",
idx);
+ return -EINVAL;
+ }
lane_bit = ffs(temp_mask) - 1;
lane_idx = port_ids[idx] % lane_cnt;
hw->lane_of_port[lane_idx] = lane_bit;
is_sgmii = lane_bit & is_sgmii_bits ? 1 : 0;
hw->lane_is_sgmii[lane_idx] = is_sgmii;
- temp_mask &= ~RTE_BIT32(lane_bit);
+ temp_mask &= ~(1ULL << lane_bit);
}
hw->max_port_num = lane_cnt;
}
diff --git a/drivers/net/rnp/rnp_ethdev.c b/drivers/net/rnp/rnp_ethdev.c
index de1c077f61..7b996913c8 100644
--- a/drivers/net/rnp/rnp_ethdev.c
+++ b/drivers/net/rnp/rnp_ethdev.c
@@ -751,17 +751,17 @@ rnp_get_speed_caps(struct rte_eth_dev *dev)
{
struct rnp_eth_port *port = RNP_DEV_TO_PORT(dev);
uint32_t speed_cap = 0;
- uint32_t i = 0, speed;
uint32_t support_link;
- uint32_t link_types;
+ uint32_t speed = 0;
+ int bit_pos = 0;
support_link = port->attr.phy_meta.supported_link;
- link_types = rte_popcount64(support_link);
- if (!link_types)
+ if (support_link == 0)
return 0;
- for (i = 0; i < link_types; i++) {
- speed = ffs(support_link) - 1;
- switch (RTE_BIT32(speed)) {
+ while (support_link) {
+ bit_pos = ffs(support_link) - 1;
+ speed = RTE_BIT32(bit_pos) & RNP_SPEED_VALID_MASK;
+ switch (speed) {
case RNP_SPEED_CAP_10M_FULL:
speed_cap |= RTE_ETH_LINK_SPEED_10M;
break;
@@ -789,7 +789,7 @@ rnp_get_speed_caps(struct rte_eth_dev *dev)
default:
speed_cap |= 0;
}
- support_link &= ~RTE_BIT32(speed);
+ support_link &= ~(1ULL << bit_pos);
}
if (!port->attr.phy_meta.link_autoneg)
speed_cap |= RTE_ETH_LINK_SPEED_FIXED;
--
2.25.1
