patch 'net/i40e: validate raw flow items before dereferencing' has been queued to stable release 25.11.1
Kevin Traynor
ktraynor at redhat.com
Thu Mar 19 11:02:22 CET 2026
Hi,
FYI, your patch has been queued to stable release 25.11.1
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/23/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/3f83e33156eda13df45bf0d30837736fd9d12b79
Thanks.
Kevin
---
>From 3f83e33156eda13df45bf0d30837736fd9d12b79 Mon Sep 17 00:00:00 2001
From: Ciara Loftus <ciara.loftus at intel.com>
Date: Mon, 9 Mar 2026 15:29:19 +0000
Subject: [PATCH] net/i40e: validate raw flow items before dereferencing
[ upstream commit c138a6c3bd0aa369305fe6cf46ef376e4af69f54 ]
When a RTE_FLOW_ITEM_TYPE_RAW item is used with a non-zero length,
the spec and mask pattern pointers are dereferenced unconditionally
in a loop, causing a segfault if either is NULL. Additionally, no
check is made that the spec and mask have equal lengths before
iterating, which could result in out-of-bounds access.
Add validation before the loop: reject the item if either pattern
pointer is NULL, or if the spec and mask lengths differ.
Bugzilla ID: 1155
Fixes: 6ced3dd72f5f ("net/i40e: support flexible payload parsing for FDIR")
Signed-off-by: Ciara Loftus <ciara.loftus at intel.com>
Acked-by: Anatoly Burakov <anatoly.burakov at intel.com>
---
drivers/net/intel/i40e/i40e_flow.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/drivers/net/intel/i40e/i40e_flow.c b/drivers/net/intel/i40e/i40e_flow.c
index 2374b9bbca..4624edc758 100644
--- a/drivers/net/intel/i40e/i40e_flow.c
+++ b/drivers/net/intel/i40e/i40e_flow.c
@@ -2351,4 +2351,28 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
}
+ if (raw_spec->length != 0) {
+ if (raw_spec->pattern == NULL) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "NULL RAW spec pattern");
+ return -rte_errno;
+ }
+ if (raw_mask->pattern == NULL) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "NULL RAW mask pattern");
+ return -rte_errno;
+ }
+ if (raw_spec->length != raw_mask->length) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "RAW spec and mask length mismatch");
+ return -rte_errno;
+ }
+ }
+
for (i = 0; i < raw_spec->length; i++) {
j = i + next_dst_off;
--
2.53.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2026-03-19 10:01:07.839267214 +0000
+++ 0024-net-i40e-validate-raw-flow-items-before-dereferencin.patch 2026-03-19 10:01:07.086331262 +0000
@@ -1 +1 @@
-From c138a6c3bd0aa369305fe6cf46ef376e4af69f54 Mon Sep 17 00:00:00 2001
+From 3f83e33156eda13df45bf0d30837736fd9d12b79 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit c138a6c3bd0aa369305fe6cf46ef376e4af69f54 ]
+
@@ -17 +18,0 @@
-Cc: stable at dpdk.org
@@ -26 +27 @@
-index 2791139e59..84cfddb92d 100644
+index 2374b9bbca..4624edc758 100644
@@ -29 +30 @@
-@@ -2346,4 +2346,28 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
+@@ -2351,4 +2351,28 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
More information about the stable
mailing list