From: Rasesh Mody
CC: Rasesh Mody
Date: Fri, 2 Dec 2016 22:35:07 -0800
Message-ID: <1480746909-25686-6-git-send-email-Rasesh.Mody@cavium.com>
In-Reply-To: <1480746909-25686-1-git-send-email-Rasesh.Mody@cavium.com>
References: <1480746909-25686-1-git-send-email-Rasesh.Mody@cavium.com>
Subject: [dpdk-dev] [PATCH 6/8] net/qede/base: fix Rx queue access by malicious VFs
List-Id: DPDK patches and discussions

8.10.x.x was supposed to prevent malicious VFs from using out-of-bound queue indices, but apparently Rx queue access is still done prior to the index being validated by PF.

Fixes: 98bc693e ("net/qede/base: change queue start")

Signed-off-by: Rasesh Mody
---
 drivers/net/qede/base/ecore_sriov.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/qede/base/ecore_sriov.c b/drivers/net/qede/base/ecore_sriov.c index de54b9a0..12552966 100644 --- a/drivers/net/qede/base/ecore_sriov.c +++ b/drivers/net/qede/base/ecore_sriov.c 
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn, enum _ecore_status_t rc; req = &mbx->req_virt->start_rxq; + + if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) || + !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb)) + goto out; + OSAL_MEMSET(&p_params, 0, sizeof(p_params)); p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid; p_params.vf_qid = req->rx_qid; @@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn, p_params.sb = req->hw_sb; p_params.sb_idx = req->sb_index; - if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) || - !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb)) - goto out; - /* Legacy VFs have their Producers in a different location, which they * calculate on their own and clean the producer prior to this. */ -- 2.11.0.rc1
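Review bot: in the first hunk (@@ -1968), the new check and the `vf->vf_queues[req->rx_qid]` index two statements below it each read `req->rx_qid` from the mailbox request separately. Reading it once into a local and using that local for both the validation and the index would tie the checked value to the used one. A one-line comment above the check saying that it must stay ahead of any use of `rx_qid` as an index would also help, since the commit message describes exactly this ordering being lost by an earlier change. Separately, `rc` is declared without an initializer just above and the early `goto out` now skips everything that could assign it, so please confirm that the `out` path reports a failure status to the VF without relying on `rc`.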
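Review bot: in the second hunk (@@ -1976), `p_params.sb_idx = req->sb_index` remains in the unchanged context and nothing in the visible lines bounds `req->sb_index`; only `req->rx_qid` and `req->hw_sb` pass through `ecore_iov_validate_rxq()` and `ecore_iov_validate_sb()`. If `sb_index` comes from the same VF request, it should be range-checked alongside them in the relocated condition, or a comment here should say where that limit is enforced.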