From: qianjiaru A logic vulnerability exists in the `bnxt_rfs_capable()` function of the Linux kernel's bnxt_en network driver. The vulnerability allows the driver to incorrectly report RFS (Receive Flow Steering) capability on older firmware versions without performing necessary resource validation, potentially leading to system crashes when RFS features are enabled. The vulnerability exists in the RFS capability check logic where older firmware versions bypass essential resource validation. Signed-off-by: qianjiaru --- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c index 207a8bb36..b59ce7f45 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c @@ -13610,8 +13610,11 @@ bool bnxt_rfs_capable(struct bnxt *bp, bool new_rss_ctx) return false; } - if (!BNXT_NEW_RM(bp)) - return true; + // FIXED: Apply consistent validation for all firmware versions + if (!BNXT_NEW_RM(bp)) { + // Basic validation even for old firmware + return (hwr.vnic <= max_vnics && hwr.rss_ctx <= max_rss_ctxs); + } /* Do not reduce VNIC and RSS ctx reservations. There is a FW * issue that will mess up the default VNIC if we reduce the -- 2.34.1