[dpdk-stable] patch 'net/mlx5: fix crash in NVGRE item translation' has been queued to stable release 19.11.4

luca.boccassi at gmail.com
Thu Aug 6 11:53:42 CEST 2020


Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/08/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
From 82d236c020b0e875a39d06cc79c16dcafbb4774e Mon Sep 17 00:00:00 2001
From: Michael Baum <michaelba at mellanox.com>
Date: Tue, 21 Jul 2020 11:59:04 +0000
Subject: [PATCH] net/mlx5: fix crash in NVGRE item translation

[ upstream commit e71e90938bef6012dea460d3d94fbd0ee643e132 ]

The flow_dv_translate_item_nvgre function adds NVGRE item to matcher and
to the value.
It defines a pointer named nvgre_m that receives the item's mask into
it, and then copies some of it to the matcher.

Before copying, it checks for mask validation, and in case the mask is
NULL the function gives it a pointer to rte_flow_item_nvgre_mask.
However, the function calls from the vni mask's field before the check,
and if there is no mask, it actually dereferences the NULL
pointer and indeed the program crashes with a segfault.

Move the call from the vni field to post-validation.

Fixes: cd18e1b72f73 ("net/mlx5: fix build on Arm")

Signed-off-by: Michael Baum <michaelba at mellanox.com>
Acked-by: Matan Azrad <matan at mellanox.com>
---
 drivers/net/mlx5/mlx5_flow_dv.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index e40cf3c2a..9cf38be7e 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -5836,8 +5836,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
 	const struct rte_flow_item_nvgre *nvgre_v = item->spec;
 	void *misc_m = MLX5_ADDR_OF(fte_match_param, matcher, misc_parameters);
 	void *misc_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
-	const char *tni_flow_id_m = (const char *)nvgre_m->tni;
-	const char *tni_flow_id_v = (const char *)nvgre_v->tni;
+	const char *tni_flow_id_m;
+	const char *tni_flow_id_v;
 	char *gre_key_m;
 	char *gre_key_v;
 	int size;
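Review bot: tni_flow_id_m and tni_flow_id_v are now declared without an initializer in this block, so correctness depends on nothing reading them before the assignments added in the next hunk. Consider initializing both to NULL, or declaring them at the point of assignment, so that a later edit that uses them ahead of the `if (!nvgre_m)` fallback fails visibly instead of reading an indeterminate pointer.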
@@ -5862,6 +5862,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
 		return;
 	if (!nvgre_m)
 		nvgre_m = &rte_flow_item_nvgre_mask;
+	tni_flow_id_m = (const char *)nvgre_m->tni;
+	tni_flow_id_v = (const char *)nvgre_v->tni;
 	size = sizeof(nvgre_m->tni) + sizeof(nvgre_m->flow_id);
 	gre_key_m = MLX5_ADDR_OF(fte_match_set_misc, misc_m, gre_key_h);
 	gre_key_v = MLX5_ADDR_OF(fte_match_set_misc, misc_v, gre_key_h);
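Review bot: the added `tni_flow_id_v = (const char *)nvgre_v->tni;` still requires nvgre_v (item->spec) to be non-NULL, and the only guard visible in this context is the bare `return;` at the top of the hunk, whose condition is cut off. Confirm that condition is the spec check, and consider a one-line comment above the two assignments stating that they must stay below the `if (!nvgre_m)` fallback, since moving them back to the declarations reintroduces the crash the commit message describes.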
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2020-08-06 10:53:16.336080321 +0100
+++ 0014-net-mlx5-fix-crash-in-NVGRE-item-translation.patch	2020-08-06 10:53:15.748596372 +0100
@@ -1,8 +1,10 @@
-From e71e90938bef6012dea460d3d94fbd0ee643e132 Mon Sep 17 00:00:00 2001
+From 82d236c020b0e875a39d06cc79c16dcafbb4774e Mon Sep 17 00:00:00 2001
 From: Michael Baum <michaelba at mellanox.com>
 Date: Tue, 21 Jul 2020 11:59:04 +0000
 Subject: [PATCH] net/mlx5: fix crash in NVGRE item translation
 
+[ upstream commit e71e90938bef6012dea460d3d94fbd0ee643e132 ]
+
 The flow_dv_translate_item_nvgre function add NVGRE item to matcher and
 to the value.
 It defines a pointer named nvrge_m that receives the item's mask into
@@ -17,7 +19,6 @@
 Move the call from the vni field to post-validation.
 
 Fixes: cd18e1b72f73 ("net/mlx5: fix build on Arm")
-Cc: stable at dpdk.org
 
 Signed-off-by: Michael Baum <michaelba at mellanox.com>
 Acked-by: Matan Azrad <matan at mellanox.com>
@@ -26,10 +27,10 @@
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
-index 0909cb661..2ba320d2d 100644
+index e40cf3c2a..9cf38be7e 100644
 --- a/drivers/net/mlx5/mlx5_flow_dv.c
 +++ b/drivers/net/mlx5/mlx5_flow_dv.c
-@@ -6544,8 +6544,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
+@@ -5836,8 +5836,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
  	const struct rte_flow_item_nvgre *nvgre_v = item->spec;
  	void *misc_m = MLX5_ADDR_OF(fte_match_param, matcher, misc_parameters);
  	void *misc_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
@@ -40,7 +41,7 @@
  	char *gre_key_m;
  	char *gre_key_v;
  	int size;
-@@ -6570,6 +6570,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
+@@ -5862,6 +5862,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
  		return;
  	if (!nvgre_m)
  		nvgre_m = &rte_flow_item_nvgre_mask;
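Review bot: the `@@` offsets in the last two hunks move from 6544/6570 upstream to 5836/5862 on the stable branch, so the function sits in a noticeably different position in the 19.11 file and the surrounding code is worth a quick look for other early uses of nvgre_m. Within this comparison the changed lines are only the `index` hashes and those offsets; the context lines are identical and the two added assignments do not appear as differences, which is consistent with a rebase that changed no code.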

