git.ipfire.org Git - thirdparty/linux.git/commit
octeontx2-af: cn10k: restrict VF LMTLINE sharing to its own PF
author Junrui Luo <moonafterrain@outlook.com>
Mon, 15 Jun 2026 15:04:27 +0000 (23:04 +0800)
committer Jakub Kicinski <kuba@kernel.org>
Fri, 19 Jun 2026 01:01:57 +0000 (18:01 -0700)
commit 8cdcf3d2caacdee7ddd363705fb4d93b0c1a0915
tree 5d7bbf29ddd0be87c16fc399dc1ed25138b93e75
parent a0aa6bf985aa5f22f7d398ddfff3aa0754892aea
octeontx2-af: cn10k: restrict VF LMTLINE sharing to its own PF

rvu_mbox_handler_lmtst_tbl_setup() uses req->base_pcifunc as a direct
index into the LMT map table to read another function's LMTLINE
physical base address and copy it into the caller's own LMT map table
entry. The mailbox dispatcher authenticates req->hdr.pcifunc from the
IRQ source, but req->base_pcifunc is a separate payload field and is
not sanitized.

Reject the request with -EPERM when a VF caller's base_pcifunc is not a
valid function under its own PF. is_pf_func_valid() bounds the FUNC field
to the PF's configured VF count, keeping the computed index inside the
caller's own slot block.

Fixes: 893ae97214c3 ("octeontx2-af: cn10k: Support configurable LMTST regions")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78811656934E713B77DA6CEDAFE62@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
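
A user-space model of the check the commit message describes, added here as an illustration and not the kernel patch or the driver's own code. The pcifunc bit layout, the `model_*` names, the `PCIFUNC` macro and the per-PF VF counts are assumptions constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Assumed layout for this model: PF number in bits 15:10, FUNC in the
 * low 10 bits (0 = the PF itself, n = VF n-1 of that PF). */
#define PF_SHIFT  10
#define PF_MASK   0x3F
#define FUNC_MASK 0x3FF
#define PCIFUNC(pf, func) ((uint16_t)(((pf) << PF_SHIFT) | (func)))

#define MODEL_PFS 4
/* Constructed sample data: number of VFs configured under each PF. */
static const unsigned int model_nvfs[MODEL_PFS] = { 0, 2, 4, 0 };

static unsigned int model_get_pf(uint16_t pcifunc)
{
    return (pcifunc >> PF_SHIFT) & PF_MASK;
}

/* Hypothetical stand-in for the bound described for is_pf_func_valid():
 * the PF must exist and FUNC must fit the PF's configured VF count. */
static bool model_pf_func_valid(uint16_t pcifunc)
{
    unsigned int pf = model_get_pf(pcifunc);
    unsigned int func = pcifunc & FUNC_MASK;

    if (pf >= MODEL_PFS)
        return false;
    return func == 0 || func - 1 < model_nvfs[pf];
}

/* caller: identity taken from the authenticated header.
 * base:   identity taken from the request payload (untrusted). */
static int model_lmt_share_check(uint16_t caller, uint16_t base)
{
    if ((caller & FUNC_MASK) == 0)
        return 0; /* PF caller: the message only restricts VF callers */
    if (model_get_pf(base) != model_get_pf(caller) ||
        !model_pf_func_valid(base))
        return -EPERM;
    return 0;
}

int main(void)
{
    return model_lmt_share_check(PCIFUNC(1, 1), PCIFUNC(1, 2));
}
```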