From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Subject: Re: [PATCH] net/mlx5: fix RSS flow configuration crash
Date: Wed, 1 Aug 2018 13:01:05 +0200
Message-ID: <20180801110104.GE5211@6wind.com>
References: <1533120218-32538-1-git-send-email-motih@mellanox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: shahafs@mellanox.com, dev@dpdk.org, nelio.laranjeiro@6wind.com
To: Moti Haimovsky <motih@mellanox.com>
Return-path: <dev-bounces@dpdk.org>
Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com
 [209.85.221.68]) by dpdk.org (Postfix) with ESMTP id E7FFE5A44
 for <dev@dpdk.org>; Wed,  1 Aug 2018 13:01:22 +0200 (CEST)
Received: by mail-wr1-f68.google.com with SMTP id c13-v6so19667901wrt.1
 for <dev@dpdk.org>; Wed, 01 Aug 2018 04:01:22 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <1533120218-32538-1-git-send-email-motih@mellanox.com>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Wed, Aug 01, 2018 at 01:43:38PM +0300, Moti Haimovsky wrote:
> This commit fixes a segmentation fault observed when configuring
> mlx5 with RSS flow rule containing invalid queues indices such as
> negative numbers or numbers bigger than the number Rx queues the PMD
> is configured with.
> 
> Fixes: 592f05b29a25 ("net/mlx5: add RSS flow action")
> Cc: nelio.laranjeiro@6wind.com
> 
> Signed-off-by: Moti Haimovsky <motih@mellanox.com>
> ---
>  drivers/net/mlx5/mlx5_flow.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 6c3021a..0b55366 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -2077,6 +2077,12 @@ struct mlx5_flow_tunnel_info {
>  					  "some RSS protocols are not"
>  					  " supported");
>  	for (i = 0; i != rss->queue_num; ++i) {
> +		if (rss->queue[i] >= priv->rxqs_n)
> +			return rte_flow_error_set
> +				(error, EINVAL,
> +				 RTE_FLOW_ERROR_TYPE_ACTION_CONF,
> +				 &rss->queue[i],

When specified, the object associated with RTE_FLOW_TYPE_ACTION_CONF is the
configuration structure itself, not the data of an inner field. This type is
that of the the pointed object; the caller may attempt to dereference it
accordingly.

In short, use either "action->conf" or "rss" instead of "&rss->queue[i]"
here.

-- 
Adrien Mazarguil
6WIND