]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
octeontx2-af: cn10k: restrict VF LMTLINE sharing to its own PF
authorJunrui Luo <moonafterrain@outlook.com>
Mon, 15 Jun 2026 15:04:27 +0000 (23:04 +0800)
committerJakub Kicinski <kuba@kernel.org>
Fri, 19 Jun 2026 01:01:57 +0000 (18:01 -0700)
rvu_mbox_handler_lmtst_tbl_setup() uses req->base_pcifunc as a direct
index into the LMT map table to read another function's LMTLINE
physical base address and copy it into the caller's own LMT map table
entry. The mailbox dispatcher authenticates req->hdr.pcifunc from the
IRQ source, but req->base_pcifunc is a separate payload field and is
not sanitized.

Reject the request with -EPERM when a VF caller's base_pcifunc is not a
valid function under its own PF. is_pf_func_valid() bounds the FUNC field
to the PF's configured VF count, keeping the computed index inside the
caller's own slot block.

Fixes: 893ae97214c3 ("octeontx2-af: cn10k: Support configurable LMTST regions")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78811656934E713B77DA6CEDAFE62@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c

index d2163da28d18f065270ccc4eec14aad171adafa6..fa4ea1258d29d5ad9a3cc23452dac17e782659c7 100644 (file)
@@ -178,6 +178,15 @@ int rvu_mbox_handler_lmtst_tbl_setup(struct rvu *rvu,
         * pcifunc (will be the one who is calling this mailbox).
         */
        if (req->base_pcifunc) {
+               /* A VF is untrusted and must not redirect its LMTLINE to
+                * another PF's region, so confine VF callers to their own PF.
+                */
+               if (is_vf(req->hdr.pcifunc) &&
+                   (!is_pf_func_valid(rvu, req->base_pcifunc) ||
+                    rvu_get_pf(rvu->pdev, req->hdr.pcifunc) !=
+                    rvu_get_pf(rvu->pdev, req->base_pcifunc)))
+                       return -EPERM;
+
                /* Calculating the LMT table index equivalent to primary
                 * pcifunc.
                 */