patch 'net/mlx5: fix stack buffer overflow in drop action' has been queued to stable release 21.11.2

Kevin Traynor ktraynor at redhat.com
Fri Jun 24 18:10:15 CEST 2022


Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/27/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/02017fcad3748e8f32e7e022572d524ae0a9fd71

Thanks.

Kevin

---
From 02017fcad3748e8f32e7e022572d524ae0a9fd71 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian at huawei.com>
Date: Fri, 24 Dec 2021 11:06:19 +0800
Subject: [PATCH] net/mlx5: fix stack buffer overflow in drop action

[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]

The mlx5_drop_action_create function uses mlx5_malloc for allocating
'hrxq', but doesn't allocate for 'rss_key'. This is wrong and it can
cause a buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x7b8e2)
1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
14 in pci_probe ../drivers/bus/pci/pci_common.c:380
15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
16 in rte_eal_init ../lib/eal/linux/eal.c:1286
17 in main ../app/test-pmd/testpmd.c:4112

Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
---
 drivers/net/mlx5/mlx5_rxq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index 4f32ae3b8d..807aaf2fc9 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2918,5 +2918,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
 	if (priv->drop_queue.hrxq)
 		return priv->drop_queue.hrxq;
-	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
+	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
 	if (!hrxq) {
 		DRV_LOG(WARNING,
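
Review bot: the `+` line adds `MLX5_RSS_HASH_KEY_LEN` to the allocation size with no comment saying what the extra bytes are for, so a later cleanup could drop the term again without noticing. Suggest a one-line comment above the `mlx5_malloc()` call stating that the trailing bytes back `rss_key`, as the commit message explains, and wrapping the call, which now runs well past 80 columns. The subject line says "stack buffer overflow" although `hrxq` comes from `mlx5_malloc()`; if that is a heap object, the wording is worth correcting upstream so the fix is easier to find later.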
-- 
2.34.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2022-06-24 16:54:05.948741925 +0100
+++ 0013-net-mlx5-fix-stack-buffer-overflow-in-drop-action.patch	2022-06-24 16:54:05.596165198 +0100
@@ -1 +1 @@
-From a73b78554aee830605c8d8714239dc53fa443d5e Mon Sep 17 00:00:00 2001
+From 02017fcad3748e8f32e7e022572d524ae0a9fd71 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]
+
@@ -31 +32,0 @@
-Cc: stable at dpdk.org
@@ -40 +41 @@
-index a2d03f9f67..eaf23d0df4 100644
+index 4f32ae3b8d..807aaf2fc9 100644
@@ -43 +44 @@
-@@ -3079,5 +3079,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
+@@ -2918,5 +2918,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
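
Review bot: no `+` or `-` code line of the fix appears in this diff, so the only thing to confirm for the backport is the last pair, where the hunk header moves from 3079 to 2918 and the `index` blob hashes change. That is an offset and metadata difference; the remaining entries (commit hash, the added `[ upstream commit ... ]` line, the dropped `Cc: stable at dpdk.org`) are commit message changes. Worth a quick look that the context at line 2918 on the 21.11 branch is still the `hrxq` allocation in `mlx5_drop_action_create`.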