Index: sys/dev/sfxge/common/ef10_rx.c =================================================================== --- sys/dev/sfxge/common/ef10_rx.c +++ sys/dev/sfxge/common/ef10_rx.c @@ -64,6 +64,11 @@ EFSYS_ASSERT3U(ndescs, <=, EFX_RXQ_MAXNDESCS); + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_RXQ_SIZE(ndescs))) { + rc = EINVAL; + goto fail1; + } + if (ps_bufsize > 0) dma_mode = MC_CMD_INIT_RXQ_EXT_IN_PACKED_STREAM; else @@ -130,11 +135,13 @@ if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail1; + goto fail2; } return (0); +fail2: + EFSYS_PROBE(fail2); fail1: EFSYS_PROBE1(fail1, efx_rc_t, rc); Index: sys/dev/sfxge/common/ef10_tx.c =================================================================== --- sys/dev/sfxge/common/ef10_tx.c +++ sys/dev/sfxge/common/ef10_tx.c @@ -69,10 +69,15 @@ EFSYS_ASSERT(EFX_TXQ_MAX_BUFS >= EFX_TXQ_NBUFS(enp->en_nic_cfg.enc_txq_max_ndescs)); + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_TXQ_SIZE(ndescs))) { + rc = EINVAL; + goto fail1; + } + npages = EFX_TXQ_NBUFS(ndescs); if (MC_CMD_INIT_TXQ_IN_LEN(npages) > sizeof (payload)) { rc = EINVAL; - goto fail1; + goto fail2; } (void) memset(payload, 0, sizeof (payload)); @@ -121,11 +126,13 @@ if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail2; + goto fail3; } return (0); +fail3: + EFSYS_PROBE(fail3); fail2: EFSYS_PROBE(fail2); fail1: Index: sys/dev/sfxge/common/efsys.h =================================================================== --- sys/dev/sfxge/common/efsys.h +++ sys/dev/sfxge/common/efsys.h @@ -392,8 +392,18 @@ bus_dmamap_t esm_map; caddr_t esm_base; efsys_dma_addr_t esm_addr; + size_t esm_size; } efsys_mem_t; +#define EFSYS_MEM_SIZE(_esmp) \ + ((_esmp)->esm_size) + +#define EFSYS_MEM_ADDR(_esmp) \ + ((_esmp)->esm_addr) + +#define EFSYS_MEM_IS_NULL(_esmp) \ + ((_esmp)->esm_base == NULL) + #define EFSYS_MEM_ZERO(_esmp, _size) \ do { \ @@ -617,12 +627,6 @@ } while (B_FALSE) #endif -#define EFSYS_MEM_ADDR(_esmp) \ - ((_esmp)->esm_addr) - -#define EFSYS_MEM_IS_NULL(_esmp) \ - ((_esmp)->esm_base == NULL) - /* BAR */ #define SFXGE_LOCK_NAME_MAX 16 Index: sys/dev/sfxge/common/efx_intr.c =================================================================== --- sys/dev/sfxge/common/efx_intr.c +++ sys/dev/sfxge/common/efx_intr.c @@ -318,6 +318,12 @@ { efx_intr_t *eip = &(enp->en_intr); efx_oword_t oword; + efx_rc_t rc; + + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_INTR_SIZE)) { + rc = EINVAL; + goto fail1; + } /* * bug17213 workaround. @@ -349,6 +355,11 @@ EFX_BAR_WRITEO(enp, FR_AZ_INT_ADR_REG_KER, &oword); return (0); + +fail1: + EFSYS_PROBE1(fail1, efx_rc_t, rc); + + return (rc); } static void Index: sys/dev/sfxge/common/efx_mcdi.c =================================================================== --- sys/dev/sfxge/common/efx_mcdi.c +++ sys/dev/sfxge/common/efx_mcdi.c @@ -1844,11 +1844,13 @@ MAC_STATS_IN_PERIOD_MS, (enable | events) ? period_ms : 0); if (esmp != NULL) { - int bytes = MC_CMD_MAC_NSTATS * sizeof (uint64_t); + uint32_t bytes = MC_CMD_MAC_NSTATS * sizeof (uint64_t); EFX_STATIC_ASSERT(MC_CMD_MAC_NSTATS * sizeof (uint64_t) <= EFX_MAC_STATS_SIZE); + EFSYS_ASSERT3U(bytes, <=, (uint32_t)EFSYS_MEM_SIZE(esmp)); + MCDI_IN_SET_DWORD(req, MAC_STATS_IN_DMA_ADDR_LO, EFSYS_MEM_ADDR(esmp) & 0xffffffff); MCDI_IN_SET_DWORD(req, MAC_STATS_IN_DMA_ADDR_HI, Index: sys/dev/sfxge/common/siena_phy.c =================================================================== --- sys/dev/sfxge/common/siena_phy.c +++ sys/dev/sfxge/common/siena_phy.c @@ -563,6 +563,11 @@ MC_CMD_PHY_STATS_OUT_DMA_LEN)]; efx_rc_t rc; + if ((esmp == NULL) || (EFSYS_MEM_SIZE(esmp) < EFX_PHY_STATS_SIZE)) { + rc = EINVAL; + goto fail1; + } + (void) memset(payload, 0, sizeof (payload)); req.emr_cmd = MC_CMD_PHY_STATS; req.emr_in_buf = payload; @@ -579,7 +584,7 @@ if (req.emr_rc != 0) { rc = req.emr_rc; - goto fail1; + goto fail2; } EFSYS_ASSERT3U(req.emr_out_length, ==, MC_CMD_PHY_STATS_OUT_DMA_LEN); @@ -588,6 +593,8 @@ return (0); +fail2: + EFSYS_PROBE(fail2); fail1: EFSYS_PROBE1(fail1, efx_rc_t, rc); Index: sys/dev/sfxge/sfxge_dma.c =================================================================== --- sys/dev/sfxge/sfxge_dma.c +++ sys/dev/sfxge/sfxge_dma.c @@ -136,6 +136,7 @@ esmp->esm_addr = 0; esmp->esm_base = NULL; + esmp->esm_size = 0; } int @@ -175,6 +176,7 @@ goto fail_load_check; esmp->esm_base = vaddr; + esmp->esm_size = len; return (0);