[PATCH v3] net/mlx5: fix RSS expansion inner buffer overflow.
Maayan Kashani
mkashani at nvidia.com
Thu Jul 6 10:55:42 CEST 2023
The stack which used for RSS expansion was overflowed and trashed RSS expansion data.
(buf->entry[MLX5_RSS_EXP_ELT_N]).
Due to this overflow, packets such as ARP or LACP with overwritten RSS types due to the
overflow will be dropped.
This increases the buffer size to avoid such overflows and adds relevant ASSERT for the future.
Bugzilla ID: 1173
Signed-off-by: Maayan Kashani <mkashani at nvidia.com>
Acked-by: Ori Kam <orika at nvidia.com>
---
drivers/net/mlx5/mlx5_flow.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index cf83db7b60..41e298855b 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -374,7 +374,7 @@ mlx5_flow_expand_rss_skip_explicit(const struct mlx5_flow_expand_node graph[],
return next;
}
-#define MLX5_RSS_EXP_ELT_N 16
+#define MLX5_RSS_EXP_ELT_N 32
/**
* Expand RSS flows into several possible flows according to the RSS hash
@@ -539,6 +539,7 @@ mlx5_flow_expand_rss(struct mlx5_flow_expand_rss *buf, size_t size,
if (lsize > size)
return -EINVAL;
n = elt * sizeof(*item);
+ MLX5_ASSERT((buf->entries) < MLX5_RSS_EXP_ELT_N);
buf->entry[buf->entries].priority =
stack_pos + 1 + missed;
buf->entry[buf->entries].pattern = addr;
--
2.25.1
More information about the dev
mailing list