From: Michael Baum <michaelba@mellanox.com>
To: dev@dpdk.org
Cc: Matan Azrad <matan@mellanox.com>,
Viacheslav Ovsiienko <viacheslavo@mellanox.com>,
stable@dpdk.org
Subject: [dpdk-stable] [PATCH] net/mlx5: fix meter color register consideration
Date: Wed, 6 May 2020 16:24:06 +0000 [thread overview]
Message-ID: <1588782246-16271-1-git-send-email-michaelba@mellanox.com> (raw)
The mlx5_flow_get_reg_id() function translates tag ID to register
from the registers that are supported and available for use. The
user does not know which register is available at a time and therefore
there is an array that represents mapping to the available registers.
Usually the free registers are continuous in the flow_mreg_c array but
sometimes the mtr_color_reg register is between them and it must be
skipped and the next register returned, in which case the function
returns the mapping of the next entity in the array.
When the function reads from the next entity in the array, it does not
check whether such an entity exists and in some situation invalid access
to memory occurs beyond the array boundaries.
So, when all the registers are valid from HW perspective and the meter
color register is not the default, the tag id 5 causes an out of bound
access.
Validate registers availability when meter color register is not the
default.
Coverity issue: 146355
Fixes: 792e749e92d5 ("net/mlx5: fix register usage in meter")
Cc: stable@dpdk.org
Signed-off-by: Michael Baum <michaelba@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
---
drivers/net/mlx5/mlx5_flow.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 01376f3..08c7cdf 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -442,6 +442,10 @@ struct mlx5_flow_tunnel_info {
*/
if (skip_mtr_reg && config->flow_mreg_c
[id + start_reg - REG_C_0] >= priv->mtr_color_reg) {
+ if (id >= (REG_C_7 - start_reg))
+ return rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ NULL, "invalid tag id");
if (config->flow_mreg_c
[id + 1 + start_reg - REG_C_0] != REG_NONE)
return config->flow_mreg_c
--
1.8.3.1
next reply other threads:[~2020-05-06 16:24 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-06 16:24 Michael Baum [this message]
2020-05-11 12:33 ` [dpdk-stable] [dpdk-dev] " Raslan Darawsheh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1588782246-16271-1-git-send-email-michaelba@mellanox.com \
--to=michaelba@mellanox.com \
--cc=dev@dpdk.org \
--cc=matan@mellanox.com \
--cc=stable@dpdk.org \
--cc=viacheslavo@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).