[net 07/12] net/mlx5: DR, Fix wrong action data allocation in decap action

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
	netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
	Leon Romanovsky <leonro@nvidia.com>,
	Yevgeny Kliteynik <kliteyn@nvidia.com>,
	Alex Vesker <valex@nvidia.com>
Subject: [net 07/12] net/mlx5: DR, Fix wrong action data allocation in decap action
Date: Fri, 16 Jun 2023 13:01:14 -0700	[thread overview]
Message-ID: <20230616200119.44163-8-saeed@kernel.org> (raw)
In-Reply-To: <20230616200119.44163-1-saeed@kernel.org>

From: Yevgeny Kliteynik <kliteyn@nvidia.com>

When TUNNEL_L3_TO_L2 decap action was created, a pointer to a local
variable was passed as its HW action data, resulting in attempt to
free invalid address:

  BUG: KASAN: invalid-free in mlx5dr_action_destroy+0x318/0x410 [mlx5_core]

Fixes: 4781df92f4da ("net/mlx5: DR, Move STEv0 modify header logic")
Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
Reviewed-by: Alex Vesker <valex@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 .../net/ethernet/mellanox/mlx5/core/steering/dr_action.c  | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
index 57e22c5170df..0f783e7906cb 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
@@ -1421,9 +1421,13 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
 	}
 	case DR_ACTION_TYP_TNL_L3_TO_L2:
 	{
-		u8 hw_actions[DR_ACTION_CACHE_LINE_SIZE] = {};
+		u8 *hw_actions;
 		int ret;
 
+		hw_actions = kzalloc(DR_ACTION_CACHE_LINE_SIZE, GFP_KERNEL);
+		if (!hw_actions)
+			return -ENOMEM;
+
 		ret = mlx5dr_ste_set_action_decap_l3_list(dmn->ste_ctx,
 							  data, data_sz,
 							  hw_actions,
@@ -1431,6 +1435,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
 							  &action->rewrite->num_of_actions);
 		if (ret) {
 			mlx5dr_dbg(dmn, "Failed creating decap l3 action list\n");
+			kfree(hw_actions);
 			return ret;
 		}
 
@@ -1440,6 +1445,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
 		ret = mlx5dr_ste_alloc_modify_hdr(action);
 		if (ret) {
 			mlx5dr_dbg(dmn, "Failed preparing reformat data\n");
+			kfree(hw_actions);
 			return ret;
 		}
 		return 0;
-- 
2.40.1

next prev parent reply	other threads:[~2023-06-16 20:01 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-16 20:01 [pull request][net 00/12] mlx5 fixes 2023-06-16 Saeed Mahameed
2023-06-16 20:01 ` [net 01/12] net/mlx5e: XDP, Allow growing tail for XDP multi buffer Saeed Mahameed
2023-06-19  9:40   ` patchwork-bot+netdevbpf
2023-06-16 20:01 ` [net 02/12] net/mlx5e: xsk: Set napi_id to support busy polling on XSK RQ Saeed Mahameed
2023-06-16 20:01 ` [net 03/12] net/mlx5: Fix driver load with single msix vector Saeed Mahameed
2023-06-16 20:01 ` [net 04/12] net/mlx5e: TC, Add null pointer check for hardware miss support Saeed Mahameed
2023-06-16 20:01 ` [net 05/12] net/mlx5e: TC, Cleanup ct resources for nic flow Saeed Mahameed
2023-06-16 20:01 ` [net 06/12] net/mlx5: DR, Support SW created encap actions for FW table Saeed Mahameed
2023-06-16 20:01 ` Saeed Mahameed [this message]
2023-06-16 20:01 ` [net 08/12] net/mlx5: Free IRQ rmap and notifier on kernel shutdown Saeed Mahameed
2023-06-16 20:01 ` [net 09/12] net/mlx5e: Don't delay release of hardware objects Saeed Mahameed
2023-06-16 20:01 ` [net 10/12] net/mlx5e: Fix ESN update kernel panic Saeed Mahameed
2023-06-16 20:01 ` [net 11/12] net/mlx5e: Drop XFRM state lock when modifying flow steering Saeed Mahameed
2023-06-16 20:01 ` [net 12/12] net/mlx5e: Fix scheduling of IPsec ASO query while in atomic Saeed Mahameed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:57e22c5170d dfblob:0f783e7906c )
 OR (
bs:"[net 07/12] net/mlx5: DR, Fix wrong action data allocation in decap action" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230616200119.44163-8-saeed@kernel.org \
    --to=saeed@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kliteyn@nvidia.com \
    --cc=kuba@kernel.org \
    --cc=leonro@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=saeedm@nvidia.com \
    --cc=tariqt@nvidia.com \
    --cc=valex@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.