8.10.x.x was supposed to prevent malicious VFs from using out-of-bound
queue indices, but apparently Rx queue access is still done prior to the
index being validated by PF.
Fixes: 98bc693e ("net/qede/base: change queue start")
Signed-off-by: Rasesh Mody <rasesh.m...@cavium.com>
---
drivers/net/qede/base/ecore_sriov.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/qede/base/ecore_sriov.c
b/drivers/net/qede/base/ecore_sriov.c
index de54b9a0..12552966 100644
--- a/drivers/net/qede/base/ecore_sriov.c
+++ b/drivers/net/qede/base/ecore_sriov.c
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn
*p_hwfn,
enum _ecore_status_t rc;
req = &mbx->req_virt->start_rxq;
+
+ if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+ !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+ goto out;
+
OSAL_MEMSET(&p_params, 0, sizeof(p_params));
p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
p_params.vf_qid = req->rx_qid;
@@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn
*p_hwfn,
p_params.sb = req->hw_sb;
p_params.sb_idx = req->sb_index;
- if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
- !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
- goto out;
-
/* Legacy VFs have their Producers in a different location, which they
* calculate on their own and clean the producer prior to this.
*/
--
2.11.0.rc1
