From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 8F95CA0032
	for <public@inbox.dpdk.org>; Fri, 24 Jun 2022 18:10:44 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 891934281B;
	Fri, 24 Jun 2022 18:10:44 +0200 (CEST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id CDB00400EF
 for <stable@dpdk.org>; Fri, 24 Jun 2022 18:10:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1656087042;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=/Ito6tOP8QKkOwo1B9ArmERyr0IMbet88KCKyk+COiM=;
 b=ZRyFlK3pZ/lQHvjwwCrk+3GWJj0DJBbmeO4T3j5ByuZ8bS9U1bn+KPKC/ioFO+ReBbEPg3
 J0YmepWxOEz7bvpr6rO36HBwJftIrOgkvyhU7WjgCaGcPx1kTu6tMTyWDh1YnnrEcyJ0cF
 PvNHpi9kDyuaw5QaPzeBKCP66DWrEGg=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-454-oaHX1MSZM56Hi8OCnOrk7w-1; Fri, 24 Jun 2022 12:10:40 -0400
X-MC-Unique: oaHX1MSZM56Hi8OCnOrk7w-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com
 [10.11.54.10])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F0FF8811E76;
 Fri, 24 Jun 2022 16:10:39 +0000 (UTC)
Received: from rh.redhat.com (unknown [10.39.194.217])
 by smtp.corp.redhat.com (Postfix) with ESMTP id EE72F40334F;
 Fri, 24 Jun 2022 16:10:38 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Yunjian Wang <wangyunjian@huawei.com>
Cc: Viacheslav Ovsiienko <viacheslavo@nvidia.com>,
 dpdk stable <stable@dpdk.org>
Subject: patch 'net/mlx5: fix stack buffer overflow in drop action' has been
 queued to stable release 21.11.2
Date: Fri, 24 Jun 2022 17:10:15 +0100
Message-Id: <20220624161016.1881349-13-ktraynor@redhat.com>
In-Reply-To: <20220624161016.1881349-1-ktraynor@redhat.com>
References: <20220624161016.1881349-1-ktraynor@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ktraynor@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"; x-default=true
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/27/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/02017fcad3748e8f32e7e022572d524ae0a9fd71

Thanks.

Kevin

---
>From 02017fcad3748e8f32e7e022572d524ae0a9fd71 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian@huawei.com>
Date: Fri, 24 Dec 2021 11:06:19 +0800
Subject: [PATCH] net/mlx5: fix stack buffer overflow in drop action

[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]

The mlx5_drop_action_create function use mlx5_malloc for allocating
'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x7b8e2)
1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
14 in pci_probe ../drivers/bus/pci/pci_common.c:380
15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
16 in rte_eal_init ../lib/eal/linux/eal.c:1286
17 in main ../app/test-pmd/testpmd.c:4112

Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
---
 drivers/net/mlx5/mlx5_rxq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index 4f32ae3b8d..807aaf2fc9 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2918,5 +2918,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
 	if (priv->drop_queue.hrxq)
 		return priv->drop_queue.hrxq;
-	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
+	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
 	if (!hrxq) {
 		DRV_LOG(WARNING,
-- 
2.34.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-06-24 16:54:05.948741925 +0100
+++ 0013-net-mlx5-fix-stack-buffer-overflow-in-drop-action.patch	2022-06-24 16:54:05.596165198 +0100
@@ -1 +1 @@
-From a73b78554aee830605c8d8714239dc53fa443d5e Mon Sep 17 00:00:00 2001
+From 02017fcad3748e8f32e7e022572d524ae0a9fd71 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]
+
@@ -31 +32,0 @@
-Cc: stable@dpdk.org
@@ -40 +41 @@
-index a2d03f9f67..eaf23d0df4 100644
+index 4f32ae3b8d..807aaf2fc9 100644
@@ -43 +44 @@
-@@ -3079,5 +3079,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
+@@ -2918,5 +2918,5 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)