summaryrefslogtreecommitdiffstats
path: root/drivers/vdpa
diff options
context:
space:
mode:
authorEli Cohen <elic@nvidia.com>2022-01-11 19:33:59 +0100
committerMichael S. Tsirkin <mst@redhat.com>2022-01-15 00:50:54 +0100
commitf8ae3a489b21b05c39a0a1a7734f2a0188852177 (patch)
tree0f35a899de9f653482a351e3d4157e9a35d22660 /drivers/vdpa
parentvdpa: Protect vdpa reset with cf_mutex (diff)
downloadlinux-f8ae3a489b21b05c39a0a1a7734f2a0188852177.tar.xz
linux-f8ae3a489b21b05c39a0a1a7734f2a0188852177.zip
vdpa/mlx5: Fix is_index_valid() to refer to features
Make sure the decision whether an index received through a callback is valid or not consults the negotiated features. The motivation for this was due to a case encountered where I shut down the VM. After the reset operation was called features were already clear, I got get_vq_state() call which caused out array bounds access since is_index_valid() reported the index value. So this is more of not hit a bug since the call shouldn't have been made first place. Signed-off-by: Eli Cohen <elic@nvidia.com> Link: https://lore.kernel.org/r/20220111183400.38418-4-elic@nvidia.com Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Si-Wei Liu<si-wei.liu@oracle.com> Acked-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'drivers/vdpa')
-rw-r--r--drivers/vdpa/mlx5/net/mlx5_vnet.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index d1ff65065fb1..9eacfdb48434 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -133,10 +133,14 @@ struct mlx5_vdpa_virtqueue {
static bool is_index_valid(struct mlx5_vdpa_dev *mvdev, u16 idx)
{
- if (unlikely(idx > mvdev->max_idx))
- return false;
+ if (!(mvdev->actual_features & BIT_ULL(VIRTIO_NET_F_MQ))) {
+ if (!(mvdev->actual_features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)))
+ return idx < 2;
+ else
+ return idx < 3;
+ }
- return true;
+ return idx <= mvdev->max_idx;
}
struct mlx5_vdpa_net {