RE: [EXTERNAL] [PATCH net v2] octeontx2-af: cn10k: restrict VF LMTLINE sharing to its own PF

From: Geethasowjanya Akula

Date: Mon Jun 01 2026 - 05:17:54 EST




>-----Original Message-----
>From: Junrui Luo <moonafterrain@xxxxxxxxxxx>
>Sent: Monday, June 1, 2026 11:25 AM
>To: Sunil Kovvuri Goutham <sgoutham@xxxxxxxxxxx>; Linu Cherian
><lcherian@xxxxxxxxxxx>; Geethasowjanya Akula <gakula@xxxxxxxxxxx>;
>Hariprasad Kelam <hkelam@xxxxxxxxxxx>; Subbaraya Sundeep Bhatta
><sbhatta@xxxxxxxxxxx>; Andrew Lunn <andrew+netdev@xxxxxxx>; David S.
>Miller <davem@xxxxxxxxxxxxx>; Eric Dumazet <edumazet@xxxxxxxxxx>; Jakub
>Kicinski <kuba@xxxxxxxxxx>; Paolo Abeni <pabeni@xxxxxxxxxx>
>Cc: netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Yuhao Jiang
><danisjiang@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx; Junrui Luo
><moonafterrain@xxxxxxxxxxx>
>Subject: [EXTERNAL] [PATCH net v2] octeontx2-af: cn10k: restrict VF LMTLINE
>sharing to its own PF
>
>rvu_mbox_handler_lmtst_tbl_setup() uses req->base_pcifunc as a direct index
>into the LMT map table to read another function's LMTLINE physical base address
>and copy it into the caller's own LMT map table entry. The mailbox dispatcher
>authenticates req->hdr.pcifunc from the IRQ source, but req->base_pcifunc is a
>separate payload field and is not sanitized.
>
>Reject with -EPERM when a VF caller and the base function do not share a parent
>PF. PF callers are trusted and may still share LMTLINEs across PFs.
>
>Fixes: 893ae97214c3 ("octeontx2-af: cn10k: Support configurable LMTST
>regions")
>Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
>Cc: stable@xxxxxxxxxxxxxxx
>Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
>---
>Changes in v2:
>- Restrict the check to VF callers only. PF callers are trusted and may
> still share LMTLINEs across PFs.
>- Link to v1: https://lore.kernel.org/r/SYBPR01MB7881F8D11D2930BB84215253AF0D2@SYBPR01MB7881.ausprd01.prod.outlook.com
>---
> drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>index d2163da28d18..33f25e2fc262 100644
>--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c
>@@ -178,6 +178,14 @@ int rvu_mbox_handler_lmtst_tbl_setup(struct rvu
>*rvu,
> * pcifunc (will be the one who is calling this mailbox).
> */
> if (req->base_pcifunc) {
>+ /* A VF is untrusted and must not redirect its LMTLINE to
>+ * another PF's region, so confine VF callers to their own PF.
>+ */
>+ if (is_vf(req->hdr.pcifunc) &&
>+ rvu_get_pf(rvu->pdev, req->hdr.pcifunc) !=
>+ rvu_get_pf(rvu->pdev, req->base_pcifunc))
>+ return -EPERM;
>+
> /* Calculating the LMT table index equivalent to primary
> * pcifunc.
> */
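Review bot: the check added at the top of the `if (req->base_pcifunc)` block compares only the parent PF of `req->hdr.pcifunc` and `req->base_pcifunc`, and only when the caller is a VF, so `req->base_pcifunc` still reaches the LMT table index calculation just below without any check that it names a function that exists. The commit message describes that field as an unsanitized direct index into the LMT map table; consider validating it for every caller before the index is computed, or explain in the commit message why a PF-supplied value cannot go out of range. The new comment would also be clearer if it said that PF callers are deliberately exempt, as the v2 changelog does, so that a later reader does not take the VF-only condition for an oversight.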
>
>---
>base-commit: c369299895a591d96745d6492d4888259b004a9e
>change-id: 20260601-fixes-a06620632bac
>
>Best regards,
>--
>Junrui Luo <moonafterrain@xxxxxxxxxxx>
Reviewed-by: Geetha sowjanya <gakula@xxxxxxxxxxx>