net/qede/base: fix Rx queue access by malicious VFs

Rx queue access is still done prior to the index being validated by PF.
Hence move Rx queue and status block validation check before accessing
Rx queue to prevent malicious VFs from using out-of-bound queue indices.

Fixes: 98bc693e1938 ("net/qede/base: change queue start")
Signed-off-by: Rasesh Mody <rasesh.mody@cavium.com>

diff --git a/drivers/net/qede/base/ecore_sriov.c b/drivers/net/qede/base/ecore_sriov.c
index de54b9a08d57e50a4d2f853ecac37a46f74cb2e8..12552966363e8383aa8f212e80cfcf0442df2d64 100644 (file)
--- a/drivers/net/qede/base/ecore_sriov.c
+++ b/drivers/net/qede/base/ecore_sriov.c
@@ -1968,6 +1968,11 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
        enum _ecore_status_t rc;
 
        req = &mbx->req_virt->start_rxq;
+
+       if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
+           !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
+               goto out;
+
        OSAL_MEMSET(&p_params, 0, sizeof(p_params));
        p_params.queue_id = (u8)vf->vf_queues[req->rx_qid].fw_rx_qid;
        p_params.vf_qid = req->rx_qid;
@@ -1976,10 +1981,6 @@ static void ecore_iov_vf_mbx_start_rxq(struct ecore_hwfn *p_hwfn,
        p_params.sb = req->hw_sb;
        p_params.sb_idx = req->sb_index;
 
-       if (!ecore_iov_validate_rxq(p_hwfn, vf, req->rx_qid) ||
-           !ecore_iov_validate_sb(p_hwfn, vf, req->hw_sb))
-               goto out;
-
        /* Legacy VFs have their Producers in a different location, which they
         * calculate on their own and clean the producer prior to this.
         */