diff options
| author | Erni Sri Satya Vennela <ernis@linux.microsoft.com> | 2026-03-07 00:12:06 +0300 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2026-03-10 15:39:51 +0300 |
| commit | 89fe91c65992a37863241e35aec151210efc53ce (patch) | |
| tree | a9c672afb386793a033ce310bbb7a7ed643e5d10 /include/linux/errqueue.h | |
| parent | 46097d011f77f5758fb47b7059b4f1f2e7403940 (diff) | |
| download | linux-89fe91c65992a37863241e35aec151210efc53ce.tar.xz | |
net: mana: hardening: Validate doorbell ID from GDMA_REGISTER_DEVICE response
As a part of MANA hardening for CVM, add validation for the doorbell
ID (db_id) received from hardware in the GDMA_REGISTER_DEVICE response
to prevent out-of-bounds memory access when calculating the doorbell
page address.
In mana_gd_ring_doorbell(), the doorbell page address is calculated as:
addr = db_page_base + db_page_size * db_index
= (bar0_va + db_page_off) + db_page_size * db_index
A hardware could return values that cause this address to fall outside
the BAR0 MMIO region. In Confidential VM environments, hardware responses
cannot be fully trusted.
Add the following validations:
- Store the BAR0 size (bar0_size) in gdma_context during probe.
- Validate the doorbell page offset (db_page_off) read from device
registers does not exceed bar0_size during initialization, converting
mana_gd_init_registers() to return an error code.
- Validate db_id from GDMA_REGISTER_DEVICE response against the
maximum number of doorbell pages that fit within BAR0.
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260306211212.543376-1-ernis@linux.microsoft.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include/linux/errqueue.h')
0 files changed, 0 insertions, 0 deletions