DPDK patches and discussions
 help / color / Atom feed
* [dpdk-dev] [PATCH] net/mlx5: fix GRE key handle before GRE header issue
@ 2019-11-26 14:08 Suanming Mou
  2019-11-26 15:30 ` Raslan Darawsheh
  0 siblings, 1 reply; 2+ messages in thread
From: Suanming Mou @ 2019-11-26 14:08 UTC (permalink / raw)
  To: viacheslavo, matan; +Cc: orika, rasland, dev, jackmin

When set the GRE item, GRE key should follow after GRE header, or the
header gre_item pointer used by the key will be invalid.

Currently in the mlx5_flow_validate_item_gre_key() function, the header
gre_item pointer is access before checking if the key is after the header
or not. Once the key item is before the header, invalid gre_item pointer
access happens.

Move the gre_item pointer access after the GRE header check to avoid the
crash issue.

Fixes: a7a0365565a4 ("net/mlx5: match GRE key and present bits")
Cc: jackmin@mellanox.com

Signed-off-by: Suanming Mou <suanmingm@mellanox.com>
Acked-by: Ori Kam <orika@mellanox.com>
---
 drivers/net/mlx5/mlx5_flow.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 65a0e65..5c78ea7 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1998,8 +1998,8 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev, int32_t priority,
 	const rte_be32_t *mask = item->mask;
 	int ret = 0;
 	rte_be32_t gre_key_default_mask = RTE_BE32(UINT32_MAX);
-	const struct rte_flow_item_gre *gre_spec = gre_item->spec;
-	const struct rte_flow_item_gre *gre_mask = gre_item->mask;
+	const struct rte_flow_item_gre *gre_spec;
+	const struct rte_flow_item_gre *gre_mask;
 
 	if (item_flags & MLX5_FLOW_LAYER_GRE_KEY)
 		return rte_flow_error_set(error, ENOTSUP,
@@ -2013,8 +2013,10 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev, int32_t priority,
 		return rte_flow_error_set(error, ENOTSUP,
 					  RTE_FLOW_ERROR_TYPE_ITEM, item,
 					  "GRE key following a wrong item");
+	gre_mask = gre_item->mask;
 	if (!gre_mask)
 		gre_mask = &rte_flow_item_gre_mask;
+	gre_spec = gre_item->spec;
 	if (gre_spec && (gre_mask->c_rsvd0_ver & RTE_BE16(0x2000)) &&
 			 !(gre_spec->c_rsvd0_ver & RTE_BE16(0x2000)))
 		return rte_flow_error_set(error, EINVAL,
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [dpdk-dev] [PATCH] net/mlx5: fix GRE key handle before GRE header issue
  2019-11-26 14:08 [dpdk-dev] [PATCH] net/mlx5: fix GRE key handle before GRE header issue Suanming Mou
@ 2019-11-26 15:30 ` Raslan Darawsheh
  0 siblings, 0 replies; 2+ messages in thread
From: Raslan Darawsheh @ 2019-11-26 15:30 UTC (permalink / raw)
  To: Suanming Mou, Slava Ovsiienko, Matan Azrad; +Cc: Ori Kam, dev, Jack Min

Hi,

> -----Original Message-----
> From: Suanming Mou <suanmingm@mellanox.com>
> Sent: Tuesday, November 26, 2019 4:09 PM
> To: Slava Ovsiienko <viacheslavo@mellanox.com>; Matan Azrad
> <matan@mellanox.com>
> Cc: Ori Kam <orika@mellanox.com>; Raslan Darawsheh
> <rasland@mellanox.com>; dev@dpdk.org; Jack Min
> <jackmin@mellanox.com>
> Subject: [PATCH] net/mlx5: fix GRE key handle before GRE header issue
> 
> When set the GRE item, GRE key should follow after GRE header, or the
> header gre_item pointer used by the key will be invalid.
> 
> Currently in the mlx5_flow_validate_item_gre_key() function, the header
> gre_item pointer is access before checking if the key is after the header or
> not. Once the key item is before the header, invalid gre_item pointer access
> happens.
> 
> Move the gre_item pointer access after the GRE header check to avoid the
> crash issue.
> 
> Fixes: a7a0365565a4 ("net/mlx5: match GRE key and present bits")
> Cc: jackmin@mellanox.com
> 
> Signed-off-by: Suanming Mou <suanmingm@mellanox.com>
> Acked-by: Ori Kam <orika@mellanox.com>
> ---
>  drivers/net/mlx5/mlx5_flow.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 65a0e65..5c78ea7 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -1998,8 +1998,8 @@ uint32_t mlx5_flow_adjust_priority(struct
> rte_eth_dev *dev, int32_t priority,
>  	const rte_be32_t *mask = item->mask;
>  	int ret = 0;
>  	rte_be32_t gre_key_default_mask = RTE_BE32(UINT32_MAX);
> -	const struct rte_flow_item_gre *gre_spec = gre_item->spec;
> -	const struct rte_flow_item_gre *gre_mask = gre_item->mask;
> +	const struct rte_flow_item_gre *gre_spec;
> +	const struct rte_flow_item_gre *gre_mask;
> 
>  	if (item_flags & MLX5_FLOW_LAYER_GRE_KEY)
>  		return rte_flow_error_set(error, ENOTSUP, @@ -2013,8
> +2013,10 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev,
> int32_t priority,
>  		return rte_flow_error_set(error, ENOTSUP,
>  					  RTE_FLOW_ERROR_TYPE_ITEM,
> item,
>  					  "GRE key following a wrong item");
> +	gre_mask = gre_item->mask;
>  	if (!gre_mask)
>  		gre_mask = &rte_flow_item_gre_mask;
> +	gre_spec = gre_item->spec;
>  	if (gre_spec && (gre_mask->c_rsvd0_ver & RTE_BE16(0x2000)) &&
>  			 !(gre_spec->c_rsvd0_ver & RTE_BE16(0x2000)))
>  		return rte_flow_error_set(error, EINVAL,
> --
> 1.8.3.1


Patch applied to net-net-mlx,

Kindest regards,
Raslan Darawsheh

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-26 14:08 [dpdk-dev] [PATCH] net/mlx5: fix GRE key handle before GRE header issue Suanming Mou
2019-11-26 15:30 ` Raslan Darawsheh

DPDK patches and discussions

Archives are clonable:
	git clone --mirror http://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ http://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev


Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox