diff --git a/sys/dev/sfxge/common/ef10_rx.c b/sys/dev/sfxge/common/ef10_rx.c index c237a9aeda14..e46fae0b95c5 100644 --- a/sys/dev/sfxge/common/ef10_rx.c +++ b/sys/dev/sfxge/common/ef10_rx.c @@ -64,6 +64,11 @@ efx_mcdi_init_rxq( EFSYS_ASSERT3U(ndescs, <=, EFX_RXQ_MAXNDESCS); + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_RXQ_SIZE(ndescs))) { + rc = EINVAL; + goto fail1; + } + if (ps_bufsize > 0) dma_mode = MC_CMD_INIT_RXQ_EXT_IN_PACKED_STREAM; else @@ -130,11 +135,13 @@ efx_mcdi_init_rxq( if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail1; + goto fail2; } return (0); +fail2: + EFSYS_PROBE(fail2); fail1: EFSYS_PROBE1(fail1, efx_rc_t, rc); diff --git a/sys/dev/sfxge/common/ef10_tx.c b/sys/dev/sfxge/common/ef10_tx.c index 36e577c81f1a..b37a0c8d7efa 100644 --- a/sys/dev/sfxge/common/ef10_tx.c +++ b/sys/dev/sfxge/common/ef10_tx.c @@ -69,10 +69,15 @@ efx_mcdi_init_txq( EFSYS_ASSERT(EFX_TXQ_MAX_BUFS >= EFX_TXQ_NBUFS(enp->en_nic_cfg.enc_txq_max_ndescs)); + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_TXQ_SIZE(ndescs))) { + rc = EINVAL; + goto fail1; + } + npages = EFX_TXQ_NBUFS(ndescs); if (MC_CMD_INIT_TXQ_IN_LEN(npages) > sizeof (payload)) { rc = EINVAL; - goto fail1; + goto fail2; } (void) memset(payload, 0, sizeof (payload)); @@ -121,11 +126,13 @@ efx_mcdi_init_txq( if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail2; + goto fail3; } return (0); +fail3: + EFSYS_PROBE(fail3); fail2: EFSYS_PROBE(fail2); fail1: diff --git a/sys/dev/sfxge/common/efsys.h b/sys/dev/sfxge/common/efsys.h index 7874f2b81cc0..d6d59af04224 100644 --- a/sys/dev/sfxge/common/efsys.h +++ b/sys/dev/sfxge/common/efsys.h @@ -392,8 +392,18 @@ typedef struct efsys_mem_s { bus_dmamap_t esm_map; caddr_t esm_base; efsys_dma_addr_t esm_addr; + size_t esm_size; } efsys_mem_t; +#define EFSYS_MEM_SIZE(_esmp) \ + ((_esmp)->esm_size) + +#define EFSYS_MEM_ADDR(_esmp) \ + ((_esmp)->esm_addr) + +#define EFSYS_MEM_IS_NULL(_esmp) \ + ((_esmp)->esm_base == NULL) + #define EFSYS_MEM_ZERO(_esmp, _size) \ do { \ @@ -617,12 +627,6 @@ typedef struct efsys_mem_s { } while (B_FALSE) #endif -#define EFSYS_MEM_ADDR(_esmp) \ - ((_esmp)->esm_addr) - -#define EFSYS_MEM_IS_NULL(_esmp) \ - ((_esmp)->esm_base == NULL) - /* BAR */ #define SFXGE_LOCK_NAME_MAX 16 diff --git a/sys/dev/sfxge/common/efx_intr.c b/sys/dev/sfxge/common/efx_intr.c index 911679656d13..279413807e7c 100644 --- a/sys/dev/sfxge/common/efx_intr.c +++ b/sys/dev/sfxge/common/efx_intr.c @@ -318,6 +318,12 @@ siena_intr_init( { efx_intr_t *eip = &(enp->en_intr); efx_oword_t oword; + efx_rc_t rc; + + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_INTR_SIZE)) { + rc = EINVAL; + goto fail1; + } /* * bug17213 workaround. @@ -349,6 +355,11 @@ siena_intr_init( EFX_BAR_WRITEO(enp, FR_AZ_INT_ADR_REG_KER, &oword); return (0); + +fail1: + EFSYS_PROBE1(fail1, efx_rc_t, rc); + + return (rc); } static void diff --git a/sys/dev/sfxge/common/efx_mcdi.c b/sys/dev/sfxge/common/efx_mcdi.c index 5d90daeaa96f..0f278303b7ca 100644 --- a/sys/dev/sfxge/common/efx_mcdi.c +++ b/sys/dev/sfxge/common/efx_mcdi.c @@ -1844,11 +1844,13 @@ efx_mcdi_mac_stats( MAC_STATS_IN_PERIOD_MS, (enable | events) ? period_ms : 0); if (esmp != NULL) { - int bytes = MC_CMD_MAC_NSTATS * sizeof (uint64_t); + uint32_t bytes = MC_CMD_MAC_NSTATS * sizeof (uint64_t); EFX_STATIC_ASSERT(MC_CMD_MAC_NSTATS * sizeof (uint64_t) <= EFX_MAC_STATS_SIZE); + EFSYS_ASSERT3U(bytes, <=, (uint32_t)EFSYS_MEM_SIZE(esmp)); + MCDI_IN_SET_DWORD(req, MAC_STATS_IN_DMA_ADDR_LO, EFSYS_MEM_ADDR(esmp) & 0xffffffff); MCDI_IN_SET_DWORD(req, MAC_STATS_IN_DMA_ADDR_HI, diff --git a/sys/dev/sfxge/common/siena_phy.c b/sys/dev/sfxge/common/siena_phy.c index 3cbc72aa9fa1..aeba92338b2a 100644 --- a/sys/dev/sfxge/common/siena_phy.c +++ b/sys/dev/sfxge/common/siena_phy.c @@ -563,6 +563,11 @@ siena_phy_stats_update( MC_CMD_PHY_STATS_OUT_DMA_LEN)]; efx_rc_t rc; + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_PHY_STATS_SIZE)) { + rc = EINVAL; + goto fail1; + } + (void) memset(payload, 0, sizeof (payload)); req.emr_cmd = MC_CMD_PHY_STATS; req.emr_in_buf = payload; @@ -579,7 +584,7 @@ siena_phy_stats_update( if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail1; + goto fail2; } EFSYS_ASSERT3U(req.emr_out_length, ==, MC_CMD_PHY_STATS_OUT_DMA_LEN); @@ -588,6 +593,8 @@ siena_phy_stats_update( return (0); +fail2: + EFSYS_PROBE(fail2); fail1: EFSYS_PROBE1(fail1, efx_rc_t, rc); diff --git a/sys/dev/sfxge/sfxge_dma.c b/sys/dev/sfxge/sfxge_dma.c index f75fab016897..52b4403b3f97 100644 --- a/sys/dev/sfxge/sfxge_dma.c +++ b/sys/dev/sfxge/sfxge_dma.c @@ -136,6 +136,7 @@ sfxge_dma_free(efsys_mem_t *esmp) esmp->esm_addr = 0; esmp->esm_base = NULL; + esmp->esm_size = 0; } int @@ -175,6 +176,7 @@ sfxge_dma_alloc(struct sfxge_softc *sc, bus_size_t len, efsys_mem_t *esmp) goto fail_load_check; esmp->esm_base = vaddr; + esmp->esm_size = len; return (0);