lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Mar 2017 13:08:14 +0200 From: Yuval Mintz <Yuval.Mintz@...ium.com> To: <davem@...emloft.net>, <netdev@...r.kernel.org> CC: Yuval Mintz <Yuval.Mintz@...ium.com> Subject: [PATCH net-next 3/9] qed: Set HW-channel to ready before ACKing VF When PF responds to the VF requests it also cleans the HW-channel indication in firmware to allow further VF messages to arrive, but the order currently applied is wrong - The PF is copying by DMAE the response the VF is polling on for completion, and only afterwards sets the HW-channel to ready state. This creates a race condition where the VF would be able to send an additional message to the PF before the channel would get ready again, causing the firmware to consider the VF as malicious. Signed-off-by: Yuval Mintz <Yuval.Mintz@...ium.com> --- drivers/net/ethernet/qlogic/qed/qed_sriov.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c index 2403d58..aea1e4c 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c +++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c @@ -1136,13 +1136,17 @@ static void qed_iov_send_response(struct qed_hwfn *p_hwfn, (sizeof(union pfvf_tlvs) - sizeof(u64)) / 4, ¶ms); - qed_dmae_host2host(p_hwfn, p_ptt, mbx->reply_phys, - mbx->req_virt->first_tlv.reply_address, - sizeof(u64) / 4, ¶ms); - + /* Once PF copies the rc to the VF, the latter can continue + * and send an additional message. So we have to make sure the + * channel would be re-set to ready prior to that. + */ REG_WR(p_hwfn, GTT_BAR0_MAP_REG_USDM_RAM + USTORM_VF_PF_CHANNEL_READY_OFFSET(eng_vf_id), 1); + + qed_dmae_host2host(p_hwfn, p_ptt, mbx->reply_phys, + mbx->req_virt->first_tlv.reply_address, + sizeof(u64) / 4, ¶ms); } static u16 qed_iov_vport_to_tlv(struct qed_hwfn *p_hwfn, -- 1.9.3
Powered by blists - more mailing lists