patch 'net/mlx5: fix RSS expansion inner buffer overflow' has been queued to stable release 22.11.3

[Xueming Li]

Hi,

FYI, your patch has been queued to stable release 22.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/11/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=22.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=22.11-staging&id=055858c3bcb4cb5f6e7e02e55139cd623f6312cc

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 055858c3bcb4cb5f6e7e02e55139cd623f6312cc Mon Sep 17 00:00:00 2001
From: Maayan Kashani <mkashani at nvidia.com>
Date: Thu, 6 Jul 2023 11:55:42 +0300
Subject: [PATCH] net/mlx5: fix RSS expansion inner buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit af72dd098cb1edb4de0e8ad2a2bac7d8d2447f98 ]

The stack which used for RSS expansion was overflowed and
trashed RSS expansion data.
	(buf->entry[MLX5_RSS_EXP_ELT_N])

Due to this overflow, packets such as ARP or LACP with overwritten
RSS types due to the overflow will be dropped.

This increases the buffer size to avoid such overflows and adds relevant
ASSERT for the future.

Bugzilla ID: 1173
Fixes: 18ca4a4ec73a ("net/mlx5: support ESP SPI match and RSS hash")

Reported-by: Mário Kuka <kuka at cesnet.cz>
Signed-off-by: Maayan Kashani <mkashani at nvidia.com>
Acked-by: Ori Kam <orika at nvidia.com>
Reviewed-by: Raslan Darawsheh <rasland at nvidia.com>
---
 drivers/net/mlx5/mlx5_flow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index a359f1e97c..b98dc9ffb2 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -364,7 +364,7 @@ mlx5_flow_expand_rss_skip_explicit(const struct mlx5_flow_expand_node graph[],
 	return next;
 }
 
-#define MLX5_RSS_EXP_ELT_N 16
+#define MLX5_RSS_EXP_ELT_N 32
 
 /**
  * Expand RSS flows into several possible flows according to the RSS hash
@@ -529,6 +529,7 @@ mlx5_flow_expand_rss(struct mlx5_flow_expand_rss *buf, size_t size,
 			if (lsize > size)
 				return -EINVAL;
 			n = elt * sizeof(*item);
+			MLX5_ASSERT((buf->entries) < MLX5_RSS_EXP_ELT_N);
 			buf->entry[buf->entries].priority =
 				stack_pos + 1 + missed;
 			buf->entry[buf->entries].pattern = addr;
-- 
2.25.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2023-08-09 21:51:20.367652000 +0800
+++ 0084-net-mlx5-fix-RSS-expansion-inner-buffer-overflow.patch	2023-08-09 21:51:18.254352000 +0800
@@ -1 +1 @@
-From af72dd098cb1edb4de0e8ad2a2bac7d8d2447f98 Mon Sep 17 00:00:00 2001
+From 055858c3bcb4cb5f6e7e02e55139cd623f6312cc Mon Sep 17 00:00:00 2001
@@ -7,0 +8,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit af72dd098cb1edb4de0e8ad2a2bac7d8d2447f98 ]
@@ -21 +23,0 @@
-Cc: stable at dpdk.org
@@ -32 +34 @@
-index 1071ef0c3e..df0f1dfe52 100644
+index a359f1e97c..b98dc9ffb2 100644
@@ -35 +37 @@
-@@ -374,7 +374,7 @@ mlx5_flow_expand_rss_skip_explicit(const struct mlx5_flow_expand_node graph[],
+@@ -364,7 +364,7 @@ mlx5_flow_expand_rss_skip_explicit(const struct mlx5_flow_expand_node graph[],
@@ -44 +46 @@
-@@ -539,6 +539,7 @@ mlx5_flow_expand_rss(struct mlx5_flow_expand_rss *buf, size_t size,
+@@ -529,6 +529,7 @@ mlx5_flow_expand_rss(struct mlx5_flow_expand_rss *buf, size_t size,