[dpdk-dev] [PATCH] net/mlx5: fix RSS flow configuration crash

[Adrien Mazarguil]

On Wed, Aug 01, 2018 at 01:43:38PM +0300, Moti Haimovsky wrote:
> This commit fixes a segmentation fault observed when configuring
> mlx5 with RSS flow rule containing invalid queues indices such as
> negative numbers or numbers bigger than the number Rx queues the PMD
> is configured with.
> 
> Fixes: 592f05b29a25 ("net/mlx5: add RSS flow action")
> Cc: nelio.laranjeiro at 6wind.com
> 
> Signed-off-by: Moti Haimovsky <motih at mellanox.com>
> ---
>  drivers/net/mlx5/mlx5_flow.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 6c3021a..0b55366 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -2077,6 +2077,12 @@ struct mlx5_flow_tunnel_info {
>  					  "some RSS protocols are not"
>  					  " supported");
>  	for (i = 0; i != rss->queue_num; ++i) {
> +		if (rss->queue[i] >= priv->rxqs_n)
> +			return rte_flow_error_set
> +				(error, EINVAL,
> +				 RTE_FLOW_ERROR_TYPE_ACTION_CONF,
> +				 &rss->queue[i],

When specified, the object associated with RTE_FLOW_TYPE_ACTION_CONF is the
configuration structure itself, not the data of an inner field. This type is
that of the the pointed object; the caller may attempt to dereference it
accordingly.

In short, use either "action->conf" or "rss" instead of "&rss->queue[i]"
here.

-- 
Adrien Mazarguil
6WIND