From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 63573A04B5 for ; Tue, 3 Dec 2019 19:29:13 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 594DC235; Tue, 3 Dec 2019 19:29:13 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id 709281BFA9 for ; Tue, 3 Dec 2019 19:29:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1575397752; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BlUsOYty+oz4fJtMiRci48uyW9/JweLxly2xnVW/m5k=; b=I3m7lLdw4A5mitZ9fguHostXLk84IThCzIGfvkLmELSM7UBZnYwUd5vQALlOUeV81t/QJI haf+dutjHEnWzXF3pCwwo2LF/doqJYFzkLvldnzjZZRw812IOH8BvK3mHsvnp51HJ4ZM6a YOOVVOo63/FRoiG0Zxdm9KdEsgsxF7k= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-170-_xLQjDu2PIiXfYXzi1Fnpw-1; Tue, 03 Dec 2019 13:29:08 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CF0CC800D41; Tue, 3 Dec 2019 18:29:07 +0000 (UTC) Received: from rh.redhat.com (ovpn-117-10.ams2.redhat.com [10.36.117.10]) by smtp.corp.redhat.com (Postfix) with ESMTP id CCD225C240; Tue, 3 Dec 2019 18:29:06 +0000 (UTC) From: Kevin Traynor To: Xiaoyu Min Cc: Viacheslav Ovsiienko , dpdk stable Date: Tue, 3 Dec 2019 18:27:04 +0000 Message-Id: <20191203182714.17297-55-ktraynor@redhat.com> In-Reply-To: <20191203182714.17297-1-ktraynor@redhat.com> References: <20191203182714.17297-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-MC-Unique: _xLQjDu2PIiXfYXzi1Fnpw-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Subject: [dpdk-stable] patch 'net/mlx5: validate flow rule item order' has been queued to LTS release 18.11.6 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Hi, FYI, your patch has been queued to LTS release 18.11.6 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 12/10/19. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasi= ng (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable-queue This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable-queue/commit/16dfdb13c1e86e2643= b2181f6b7dc1a966e6e460 Thanks. Kevin. --- >From 16dfdb13c1e86e2643b2181f6b7dc1a966e6e460 Mon Sep 17 00:00:00 2001 From: Xiaoyu Min Date: Wed, 11 Sep 2019 16:46:15 +0800 Subject: [PATCH] net/mlx5: validate flow rule item order [ upstream commit 906a2efae8da8507bab2d089c544d4fa4150a5fd ] The Item order validation between L2 and L3 is missing, which leading to the following flow rule is accepted: testpmd> flow create 0 ingress pattern ipv4 / eth / end actions drop / end Only the outer L3 layer should check whether the L2 layer is present, because the L3 layer could directly follow the tunnel layer without L2 layer. Meanwhile inner L2 layer should check whether there is inner L3 layer before it. Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function= ") Signed-off-by: Xiaoyu Min Acked-by: Viacheslav Ovsiienko --- drivers/net/mlx5/mlx5_flow.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index f19b27ede..cf9cdcfe3 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -1069,4 +1069,9 @@ mlx5_flow_validate_item_eth(const struct rte_flow_ite= m *item, =09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, =09=09=09=09=09 "multiple L2 layers not supported"); +=09if (tunnel && (item_flags & MLX5_FLOW_LAYER_INNER_L3)) +=09=09return rte_flow_error_set(error, EINVAL, +=09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, +=09=09=09=09=09 "inner L2 layer should not " +=09=09=09=09=09 "follow inner L3 layers"); =09if (!mask) =09=09mask =3D &rte_flow_item_eth_mask; @@ -1112,4 +1117,6 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_it= em *item, =09=09=09=09=09MLX5_FLOW_LAYER_OUTER_VLAN; =20 +=09const uint64_t l2m =3D tunnel ? MLX5_FLOW_LAYER_INNER_L2 : +=09=09=09=09 MLX5_FLOW_LAYER_OUTER_L2; =09if (item_flags & vlanm) =09=09return rte_flow_error_set(error, EINVAL, @@ -1120,4 +1127,8 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_it= em *item, =09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, =09=09=09=09=09 "L2 layer cannot follow L3/L4 layer"); +=09else if ((item_flags & l2m) =3D=3D 0) +=09=09return rte_flow_error_set(error, EINVAL, +=09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, +=09=09=09=09=09 "no L2 layer before VLAN"); =09if (!mask) =09=09mask =3D &rte_flow_item_vlan_mask; @@ -1186,4 +1197,8 @@ mlx5_flow_validate_item_ipv4(const struct rte_flow_it= em *item, =09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, =09=09=09=09=09 "L3 cannot follow an L4 layer."); +=09else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2)) +=09=09return rte_flow_error_set(error, EINVAL, +=09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, +=09=09=09=09=09 "no L2 layer before IPV4"); =09if (!mask) =09=09mask =3D &rte_flow_item_ipv4_mask; @@ -1250,4 +1265,8 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_it= em *item, =09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, =09=09=09=09=09 "L3 cannot follow an L4 layer."); +=09else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2)) +=09=09return rte_flow_error_set(error, EINVAL, +=09=09=09=09=09 RTE_FLOW_ERROR_TYPE_ITEM, item, +=09=09=09=09=09 "no L2 layer before IPV6"); =09if (!mask) =09=09mask =3D &rte_flow_item_ipv6_mask; --=20 2.21.0 --- Diff of the applied patch vs upstream commit (please double-check if non-= empty: --- --- -=092019-12-03 17:29:54.913024875 +0000 +++ 0055-net-mlx5-validate-flow-rule-item-order.patch=092019-12-03 17:29:51= .778749370 +0000 @@ -1 +1 @@ -From 906a2efae8da8507bab2d089c544d4fa4150a5fd Mon Sep 17 00:00:00 2001 +From 16dfdb13c1e86e2643b2181f6b7dc1a966e6e460 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 906a2efae8da8507bab2d089c544d4fa4150a5fd ] + @@ -20 +21,0 @@ -Cc: stable@dpdk.org @@ -29 +30 @@ -index 482f65b5d..578d00338 100644 +index f19b27ede..cf9cdcfe3 100644 @@ -32 +33 @@ -@@ -1225,4 +1225,9 @@ mlx5_flow_validate_item_eth(const struct rte_flow_it= em *item, +@@ -1069,4 +1069,9 @@ mlx5_flow_validate_item_eth(const struct rte_flow_it= em *item, @@ -42 +43 @@ -@@ -1271,4 +1276,6 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_i= tem *item, +@@ -1112,4 +1117,6 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_i= tem *item, @@ -49 +50 @@ -@@ -1279,4 +1286,8 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_i= tem *item, +@@ -1120,4 +1127,8 @@ mlx5_flow_validate_item_vlan(const struct rte_flow_i= tem *item, @@ -58 +59 @@ -@@ -1391,4 +1402,8 @@ mlx5_flow_validate_item_ipv4(const struct rte_flow_i= tem *item, +@@ -1186,4 +1197,8 @@ mlx5_flow_validate_item_ipv4(const struct rte_flow_i= tem *item, @@ -60 +61 @@ - =09=09=09=09=09 "L3 cannot follow an NVGRE layer."); + =09=09=09=09=09 "L3 cannot follow an L4 layer."); @@ -67 +68 @@ -@@ -1482,4 +1497,8 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_i= tem *item, +@@ -1250,4 +1265,8 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_i= tem *item, @@ -69 +70 @@ - =09=09=09=09=09 "L3 cannot follow an NVGRE layer."); + =09=09=09=09=09 "L3 cannot follow an L4 layer.");