The Rx queue is still accessed before the PF has validated the queue index.
Hence move the Rx queue and status block validation checks ahead of the first
Rx queue access, to prevent malicious VFs from using out-of-bounds queue indices.
Fixes:
98bc693e1938 ("net/qede/base: change queue start")
Signed-off-by: Rasesh Mody <rasesh.mody@cavium.com>
enum _ecore_status_t rc;
req = &mbx->req_virt->start_rxq;
enum _ecore_status_t rc;
req = &mbx->req_virt->start_rxq;
+
+ if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+ !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+ goto out;
+
OSAL_MEMSET(&p_params, 0, sizeof(p_params));
p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
p_params.vf_qid = req->rx_qid;
OSAL_MEMSET(&p_params, 0, sizeof(p_params));
p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
p_params.vf_qid = req->rx_qid;
p_params.sb = req->hw_sb;
p_params.sb_idx = req->sb_index;
p_params.sb = req->hw_sb;
p_params.sb_idx = req->sb_index;
- if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
- !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
- goto out;
-
/* Legacy VFs have their Producers in a different location, which they
* calculate on their own and clean the producer prior to this.
*/
/* Legacy VFs have their Producers in a different location, which they
* calculate on their own and clean the producer prior to this.
*/
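Review bot: The relocated guard has no comment saying why it must stay first, so a later refactor could move the `vf->vf_queues[req->rx_qid]` lookup above it again, which is the regression this commit fixes. I would add a comment directly above the `if`, such as `/* rx_qid and hw_sb come from the VF mailbox; validate before they index PF state */`. Separately, `req->sb_index` is still copied into `p_params.sb_idx` with no range check visible in this hunk; if it is later used as an index, it should be bounded the same way, so please confirm where that happens. The function begins and ends outside the hunk, so the response status reported on the early `goto out` path cannot be checked from here and is worth confirming as a failure value.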