net/mlx4_core: Disallow creation of RAW QPs on a VF

This is considered a security breach since RAW QPs, implemented using
MLX transport QPs, can send any message they wish to.

Orabug: 257846022

Tested-by: Pierre Orzechowski <pierre.e.orzechowski@oracle.com>
Reviewed-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Mukesh Kacker <mukesh.kacker@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
index b25e12a1d4176009b6d577602603c361d0549e7e..441d062d468d2782c886ab761f87b7224c06aa47 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2705,6 +2705,11 @@ static u32 qp_get_srqn(struct mlx4_qp_context *qpc)
        return be32_to_cpu(qpc->srqn) & 0x1ffffff;
 }
 
+static u32 qp_get_st(struct mlx4_qp_context *qpc)
+{
+       return (be32_to_cpu(qpc->flags) >> 16) & 0xff;
+}
+
 static void adjust_proxy_tun_qkey(struct mlx4_dev *dev, struct mlx4_vhcr *vhcr,
                                  struct mlx4_qp_context *context)
 {
@@ -2739,6 +2744,10 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4_dev *dev, int slave,
        int use_srq = (qp_get_srqn(qpc) >> 24) & 1;
        struct res_srq *srq;
        int local_qpn = be32_to_cpu(qpc->local_qpn) & 0xffffff;
+       int st = qp_get_st(qpc);
+
+       if ((slave !=  mlx4_master_func_num(dev)) && (st == MLX4_QP_ST_MLX))
+               return -EPERM;
 
        err = qp_res_start_move_to(dev, slave, qpn, RES_QP_HW, &qp, 0);
        if (err)