patch 'net/iavf: fix tainted scalar' has been queued to stable release 20.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Fri Nov 18 00:08:44 CET 2022

Previous message (by thread): patch 'net/i40e: fix jumbo frame Rx with X722' has been queued to stable release 20.11.7
Next message (by thread): patch 'net/ice: fix scalar Rx path segment' has been queued to stable release 20.11.7
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 20.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/19/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/37255d7be5d69fed1f4d0a56fee72fcd711237bf

Thanks.

Luca Boccassi

---
>From 37255d7be5d69fed1f4d0a56fee72fcd711237bf Mon Sep 17 00:00:00 2001
From: Steve Yang <stevex.yang at intel.com>
Date: Thu, 10 Nov 2022 08:30:52 +0000
Subject: [PATCH] net/iavf: fix tainted scalar

[ upstream commit b125c0e721ac7803ee2fa16cd6b3d97bc575de6f ]

tainted_data_downcast: Downcasting match_item->meta from void * to
struct virtchnl_proto_hdrs implies that the data that this pointer points
to is tainted.

var_assign_var: Assigning: proto_hdrs = match_item->meta.
Both are now tainted.

var_assign_var: Assigning: rss_meta->proto_hdrs = *proto_hdrs. Both are
now tainted.

Passing tainted expression "rss_meta->proto_hdrs.count" to
"iavf_refine_proto_hdrs", which uses it as a loop boundary.

Removed temporary variable 'proto_hdrs', and copied whole memory of
match_item meta with exact structure size to avoid data downcast.

Coverity issue: 381131
Fixes: 91f27b2e39ab ("net/iavf: refactor RSS")

Signed-off-by: Steve Yang <stevex.yang at intel.com>
Acked-by: Qi Zhang <qi.z.zhang at intel.com>
---
 drivers/net/iavf/iavf_hash.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/iavf/iavf_hash.c b/drivers/net/iavf/iavf_hash.c
index eb7fd3f66f..81b1bd9ec0 100644
--- a/drivers/net/iavf/iavf_hash.c
+++ b/drivers/net/iavf/iavf_hash.c
@@ -904,7 +904,6 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,
 		       uint64_t pattern_hint, struct iavf_rss_meta *rss_meta,
 		       struct rte_flow_error *error)
 {
-	struct virtchnl_proto_hdrs *proto_hdrs;
 	enum rte_flow_action_type action_type;
 	const struct rte_flow_action_rss *rss;
 	const struct rte_flow_action *action;
@@ -961,8 +960,10 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,
 				return rte_flow_error_set(error, ENOTSUP,
 						RTE_FLOW_ERROR_TYPE_ACTION,
 						action, "RSS type not supported");
-			proto_hdrs = match_item->meta;
-			rss_meta->proto_hdrs = *proto_hdrs;
+
+			memcpy(&rss_meta->proto_hdrs, match_item->meta,
+			       sizeof(struct virtchnl_proto_hdrs));
+
 			iavf_refine_proto_hdrs(&rss_meta->proto_hdrs,
 					       rss_type, pattern_hint);
 			break;
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-11-17 23:07:56.376852430 +0000
+++ 0020-net-iavf-fix-tainted-scalar.patch	2022-11-17 23:07:55.524331088 +0000
@@ -1 +1 @@
-From b125c0e721ac7803ee2fa16cd6b3d97bc575de6f Mon Sep 17 00:00:00 2001
+From 37255d7be5d69fed1f4d0a56fee72fcd711237bf Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b125c0e721ac7803ee2fa16cd6b3d97bc575de6f ]
+
@@ -24 +25,0 @@
-Cc: stable at dpdk.org
@@ -29,2 +30,2 @@
- drivers/net/iavf/iavf_hash.c | 22 +++++++++-------------
- 1 file changed, 9 insertions(+), 13 deletions(-)
+ drivers/net/iavf/iavf_hash.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
@@ -33 +34 @@
-index 67b05313eb..ae6fb38594 100644
+index eb7fd3f66f..81b1bd9ec0 100644
@@ -36,73 +37 @@
-@@ -992,10 +992,9 @@ iavf_refine_proto_hdrs_l234(struct virtchnl_proto_hdrs *proto_hdrs,
- 			    uint64_t rss_type)
- {
- 	struct virtchnl_proto_hdr *hdr;
--	int phdrs_count = proto_hdrs->count;
- 	int i;
- 
--	for (i = 0; i < phdrs_count; i++) {
-+	for (i = 0; i < proto_hdrs->count; i++) {
- 		hdr = &proto_hdrs->proto_hdr[i];
- 		switch (hdr->type) {
- 		case VIRTCHNL_PROTO_HDR_ETH:
-@@ -1184,13 +1183,12 @@ iavf_refine_proto_hdrs_gtpu(struct virtchnl_proto_hdrs *proto_hdrs,
- 			    uint64_t rss_type)
- {
- 	struct virtchnl_proto_hdr *hdr;
--	int phdrs_count = proto_hdrs->count;
- 	int i;
- 
- 	if (!(rss_type & RTE_ETH_RSS_GTPU))
- 		return;
- 
--	for (i = 0; i < phdrs_count; i++) {
-+	for (i = 0; i < proto_hdrs->count; i++) {
- 		hdr = &proto_hdrs->proto_hdr[i];
- 		switch (hdr->type) {
- 		case VIRTCHNL_PROTO_HDR_GTPU_IP:
-@@ -1210,7 +1208,6 @@ iavf_refine_proto_hdrs_by_pattern(struct virtchnl_proto_hdrs *proto_hdrs,
- 	struct virtchnl_proto_hdr *hdr2;
- 	int i, shift_count = 1;
- 	int tun_lvl = proto_hdrs->tunnel_level;
--	int phdrs_count = 0;
- 
- 	if (!(phint & IAVF_PHINT_GTPU_MSK) && !(phint & IAVF_PHINT_GRE))
- 		return;
-@@ -1219,9 +1216,8 @@ iavf_refine_proto_hdrs_by_pattern(struct virtchnl_proto_hdrs *proto_hdrs,
- 		if (phint & IAVF_PHINT_LAYERS_MSK)
- 			shift_count = 2;
- 
--		phdrs_count = proto_hdrs->count;
- 		/* shift headers layer */
--		for (i = phdrs_count - 1 + shift_count;
-+		for (i = proto_hdrs->count - 1 + shift_count;
- 		     i > shift_count - 1; i--) {
- 			hdr1 = &proto_hdrs->proto_hdr[i];
- 			hdr2 = &proto_hdrs->proto_hdr[i - shift_count];
-@@ -1282,7 +1278,6 @@ iavf_refine_proto_hdrs_l2tpv2(struct virtchnl_proto_hdrs *proto_hdrs,
- 			      uint64_t phint)
- {
- 	struct virtchnl_proto_hdr *hdr, *hdr1;
--	int phdrs_count = proto_hdrs->count;
- 	int i;
- 
- 	if (!(phint & IAVF_PHINT_L2TPV2) && !(phint & IAVF_PHINT_L2TPV2_LEN))
-@@ -1290,7 +1285,7 @@ iavf_refine_proto_hdrs_l2tpv2(struct virtchnl_proto_hdrs *proto_hdrs,
- 
- 	if (proto_hdrs->tunnel_level == TUNNEL_LEVEL_INNER) {
- 		/* shift headers layer */
--		for (i = phdrs_count; i > 0; i--)
-+		for (i = proto_hdrs->count; i > 0; i--)
- 			proto_hdrs->proto_hdr[i] = proto_hdrs->proto_hdr[i - 1];
- 
- 		/* adding outer ip header at layer 0 */
-@@ -1303,7 +1298,7 @@ iavf_refine_proto_hdrs_l2tpv2(struct virtchnl_proto_hdrs *proto_hdrs,
- 		else if (phint & IAVF_PHINT_OUTER_IPV6)
- 			VIRTCHNL_SET_PROTO_HDR_TYPE(hdr1, IPV6);
- 	} else {
--		for (i = 0; i < phdrs_count; i++) {
-+		for (i = 0; i < proto_hdrs->count; i++) {
- 			hdr = &proto_hdrs->proto_hdr[i];
- 			if (hdr->type == VIRTCHNL_PROTO_HDR_L2TPV2) {
- 				if (phint & IAVF_PHINT_L2TPV2) {
-@@ -1427,7 +1422,6 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,
+@@ -904,7 +904,6 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,
@@ -116 +45 @@
-@@ -1488,8 +1482,10 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,
+@@ -961,8 +960,10 @@ iavf_hash_parse_action(struct iavf_pattern_match_item *match_item,

Previous message (by thread): patch 'net/i40e: fix jumbo frame Rx with X722' has been queued to stable release 20.11.7
Next message (by thread): patch 'net/ice: fix scalar Rx path segment' has been queued to stable release 20.11.7
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list