From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 445BCA0351
	for <public@inbox.dpdk.org>; Thu,  6 Aug 2020 11:58:19 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 3CACA1C0AE;
	Thu,  6 Aug 2020 11:58:19 +0200 (CEST)
Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com
 [209.85.128.53]) by dpdk.org (Postfix) with ESMTP id 653B51C0D7
 for <stable@dpdk.org>; Thu,  6 Aug 2020 11:58:17 +0200 (CEST)
Received: by mail-wm1-f53.google.com with SMTP id x5so8299424wmi.2
 for <stable@dpdk.org>; Thu, 06 Aug 2020 02:58:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=FbFKz353V6cOEzt44CM7GYfeJvfDd82C3wda759OYEc=;
 b=vXiEwXDvMvXZklwsPmRGwhW9UKZdJx6JLASH/PwpHYk1SZl4m4OH4LN+l04jAgcnE5
 ZUjS3qmK0AYSQpNbQrjLlRjn9+pGWY61iT3/UTvNysWKLDmyg3UEKBtaMjPLCuSJBRbv
 4eqcehF3jkQoHkgUkUoOrjvgN21Z7JWSB/MvC5QRz89ix7W7gLOBe1vmtI8ImwNjMqIl
 efhDvRuWX96VzKvdhjp4YC+025TduOnA27TgwroJSZtFMGWgq5LeJ2TN0RwEjePEbXnM
 43Cp8NG7eekvxD85AeWyOO/SwuzQnvdszkhwoMtveMVX41Supv7PP2qsf486oD6AWqZ4
 zdyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=FbFKz353V6cOEzt44CM7GYfeJvfDd82C3wda759OYEc=;
 b=YXFLZ+aUr6FFaD9RDm75fbwWGthMRiv3J4ZJ5VKypoV417XZKd+MG35vprs/a1pZoH
 VJePbKjvW3CW9A9BZwz09/xAV8CaIR1VrUES25mNVDeF/FGoSj74wRBFucsNSjklPiL+
 /1ICa88n0uKhXr51L3kRgmyHYMmQEq7K77BKb1avgW8tPWFV5I2LvDJe2otVyev+59rl
 1AQCLf9SlkYRqWxfHDhgp6vHXR+pttfhA3JBJADgh/XEwvF5ZiidCIrMD+hluqJFxiGI
 Av3EZ2CceWSfMYILAiQ3ZrpmOwu6q+73abw3xWKR8OhWF0VICqC1vtUgC1SW1fIi11Z9
 ITQA==
X-Gm-Message-State: AOAM5315qUf85CRDJ+Lvh98N2S2mtLrO7cQCXWDd9vanNDz0VenL0o2J
 tva3q/7PYatHoySb/VSBBQc=
X-Google-Smtp-Source: ABdhPJzKg6h0CimyCHNZuCunWM7KP5sg91SXohFywTMgAqUfxjTRZeZSJIUjjfIknvYixqN524xwfg==
X-Received: by 2002:a1c:9e06:: with SMTP id h6mr6815425wme.45.1596707897130;
 Thu, 06 Aug 2020 02:58:17 -0700 (PDT)
Received: from localhost ([88.98.246.218])
 by smtp.gmail.com with ESMTPSA id h10sm5754867wro.57.2020.08.06.02.58.16
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 06 Aug 2020 02:58:16 -0700 (PDT)
From: luca.boccassi@gmail.com
To: Michael Baum <michaelba@mellanox.com>
Cc: Matan Azrad <matan@mellanox.com>,
	dpdk stable <stable@dpdk.org>
Date: Thu,  6 Aug 2020 10:53:42 +0100
Message-Id: <20200806095411.774624-14-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200806095411.774624-1-luca.boccassi@gmail.com>
References: <20200724120030.1863487-1-luca.boccassi@gmail.com>
 <20200806095411.774624-1-luca.boccassi@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] patch 'net/mlx5: fix crash in NVGRE item translation'
	has been queued to stable release 19.11.4
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/08/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 82d236c020b0e875a39d06cc79c16dcafbb4774e Mon Sep 17 00:00:00 2001
From: Michael Baum <michaelba@mellanox.com>
Date: Tue, 21 Jul 2020 11:59:04 +0000
Subject: [PATCH] net/mlx5: fix crash in NVGRE item translation

[ upstream commit e71e90938bef6012dea460d3d94fbd0ee643e132 ]

The flow_dv_translate_item_nvgre function add NVGRE item to matcher and
to the value.
It defines a pointer named nvrge_m that receives the item's mask into
it, and then copies some of it to the matcher.

Before copying, it checks for mask validation, and in case the mask is
NULL the function gives it a pointer to rte_flow_item_nvgre_mask.
However, the function calls from the vni mask's field before the check,
and if there is no mask, it actually does dereference to the NULL
pointer and indeed the program crashes with segfault.

Move the call from the vni field to post-validation.

Fixes: cd18e1b72f73 ("net/mlx5: fix build on Arm")

Signed-off-by: Michael Baum <michaelba@mellanox.com>
Acked-by: Matan Azrad <matan@mellanox.com>
---
 drivers/net/mlx5/mlx5_flow_dv.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index e40cf3c2a..9cf38be7e 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -5836,8 +5836,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
 	const struct rte_flow_item_nvgre *nvgre_v = item->spec;
 	void *misc_m = MLX5_ADDR_OF(fte_match_param, matcher, misc_parameters);
 	void *misc_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
-	const char *tni_flow_id_m = (const char *)nvgre_m->tni;
-	const char *tni_flow_id_v = (const char *)nvgre_v->tni;
+	const char *tni_flow_id_m;
+	const char *tni_flow_id_v;
 	char *gre_key_m;
 	char *gre_key_v;
 	int size;
@@ -5862,6 +5862,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
 		return;
 	if (!nvgre_m)
 		nvgre_m = &rte_flow_item_nvgre_mask;
+	tni_flow_id_m = (const char *)nvgre_m->tni;
+	tni_flow_id_v = (const char *)nvgre_v->tni;
 	size = sizeof(nvgre_m->tni) + sizeof(nvgre_m->flow_id);
 	gre_key_m = MLX5_ADDR_OF(fte_match_set_misc, misc_m, gre_key_h);
 	gre_key_v = MLX5_ADDR_OF(fte_match_set_misc, misc_v, gre_key_h);
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-08-06 10:53:16.336080321 +0100
+++ 0014-net-mlx5-fix-crash-in-NVGRE-item-translation.patch	2020-08-06 10:53:15.748596372 +0100
@@ -1,8 +1,10 @@
-From e71e90938bef6012dea460d3d94fbd0ee643e132 Mon Sep 17 00:00:00 2001
+From 82d236c020b0e875a39d06cc79c16dcafbb4774e Mon Sep 17 00:00:00 2001
 From: Michael Baum <michaelba@mellanox.com>
 Date: Tue, 21 Jul 2020 11:59:04 +0000
 Subject: [PATCH] net/mlx5: fix crash in NVGRE item translation
 
+[ upstream commit e71e90938bef6012dea460d3d94fbd0ee643e132 ]
+
 The flow_dv_translate_item_nvgre function add NVGRE item to matcher and
 to the value.
 It defines a pointer named nvrge_m that receives the item's mask into
@@ -17,7 +19,6 @@
 Move the call from the vni field to post-validation.
 
 Fixes: cd18e1b72f73 ("net/mlx5: fix build on Arm")
-Cc: stable@dpdk.org
 
 Signed-off-by: Michael Baum <michaelba@mellanox.com>
 Acked-by: Matan Azrad <matan@mellanox.com>
@@ -26,10 +27,10 @@
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
-index 0909cb661..2ba320d2d 100644
+index e40cf3c2a..9cf38be7e 100644
 --- a/drivers/net/mlx5/mlx5_flow_dv.c
 +++ b/drivers/net/mlx5/mlx5_flow_dv.c
-@@ -6544,8 +6544,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
+@@ -5836,8 +5836,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
  	const struct rte_flow_item_nvgre *nvgre_v = item->spec;
  	void *misc_m = MLX5_ADDR_OF(fte_match_param, matcher, misc_parameters);
  	void *misc_v = MLX5_ADDR_OF(fte_match_param, key, misc_parameters);
@@ -40,7 +41,7 @@
  	char *gre_key_m;
  	char *gre_key_v;
  	int size;
-@@ -6570,6 +6570,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
+@@ -5862,6 +5862,8 @@ flow_dv_translate_item_nvgre(void *matcher, void *key,
  		return;
  	if (!nvgre_m)
  		nvgre_m = &rte_flow_item_nvgre_mask;