* [PATCH] net/i40e: fix raw flow item validation
@ 2026-03-24 15:56 Ciara Loftus
2026-03-24 16:20 ` Bruce Richardson
2026-03-25 12:41 ` Bruce Richardson
0 siblings, 2 replies; 5+ messages in thread
From: Ciara Loftus @ 2026-03-24 15:56 UTC (permalink / raw)
To: dev; +Cc: Ciara Loftus, stable
Commit c138a6c3bd0a ("net/i40e: validate raw flow items before
dereferencing") rejected raw flow items when spec and mask length
fields differ, intending to prevent out-of-bounds pattern access.
This breaks flows using the default rte_flow_item_raw_mask, which
sets mask.length to 0xffff regardless of the spec pattern size. Remove
the erroneous check.
Fixes: c138a6c3bd0a ("net/i40e: validate raw flow items before dereferencing")
Cc: stable@dpdk.org
Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
---
drivers/net/intel/i40e/i40e_flow.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/net/intel/i40e/i40e_flow.c b/drivers/net/intel/i40e/i40e_flow.c
index 84cfddb92d..78191a2d22 100644
--- a/drivers/net/intel/i40e/i40e_flow.c
+++ b/drivers/net/intel/i40e/i40e_flow.c
@@ -2360,13 +2360,6 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
"NULL RAW mask pattern");
return -rte_errno;
}
- if (raw_spec->length != raw_mask->length) {
- rte_flow_error_set(error, EINVAL,
- RTE_FLOW_ERROR_TYPE_ITEM,
- item,
- "RAW spec and mask length mismatch");
- return -rte_errno;
- }
}
for (i = 0; i < raw_spec->length; i++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] net/i40e: fix raw flow item validation
2026-03-24 15:56 [PATCH] net/i40e: fix raw flow item validation Ciara Loftus
@ 2026-03-24 16:20 ` Bruce Richardson
2026-03-25 12:12 ` Loftus, Ciara
2026-03-25 12:41 ` Bruce Richardson
1 sibling, 1 reply; 5+ messages in thread
From: Bruce Richardson @ 2026-03-24 16:20 UTC (permalink / raw)
To: Ciara Loftus; +Cc: dev, stable
On Tue, Mar 24, 2026 at 03:56:27PM +0000, Ciara Loftus wrote:
> Commit c138a6c3bd0a ("net/i40e: validate raw flow items before
> dereferencing") rejected raw flow items when spec and mask length
> fields differ, intending to prevent out-of-bounds pattern access.
>
> This breaks flows using the default rte_flow_item_raw_mask, which
> sets mask.length to 0xffff regardless of the spec pattern size. Remove
> the erroneous check.
>
> Fixes: c138a6c3bd0a ("net/i40e: validate raw flow items before dereferencing")
> Cc: stable@dpdk.org
>
> Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> ---
> drivers/net/intel/i40e/i40e_flow.c | 7 -------
> 1 file changed, 7 deletions(-)
>
> diff --git a/drivers/net/intel/i40e/i40e_flow.c b/drivers/net/intel/i40e/i40e_flow.c
> index 84cfddb92d..78191a2d22 100644
> --- a/drivers/net/intel/i40e/i40e_flow.c
> +++ b/drivers/net/intel/i40e/i40e_flow.c
> @@ -2360,13 +2360,6 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev,
> "NULL RAW mask pattern");
> return -rte_errno;
> }
> - if (raw_spec->length != raw_mask->length) {
> - rte_flow_error_set(error, EINVAL,
> - RTE_FLOW_ERROR_TYPE_ITEM,
> - item,
> - "RAW spec and mask length mismatch");
> - return -rte_errno;
> - }
> }
This looks a correct check to have. Maybe we need to check how the default
mask is generated for this case and fix things there?
>
> for (i = 0; i < raw_spec->length; i++) {
> --
> 2.43.0
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [PATCH] net/i40e: fix raw flow item validation
2026-03-24 16:20 ` Bruce Richardson
@ 2026-03-25 12:12 ` Loftus, Ciara
2026-03-25 12:31 ` Bruce Richardson
0 siblings, 1 reply; 5+ messages in thread
From: Loftus, Ciara @ 2026-03-25 12:12 UTC (permalink / raw)
To: Richardson, Bruce; +Cc: dev@dpdk.org, stable@dpdk.org
> Subject: Re: [PATCH] net/i40e: fix raw flow item validation
>
> On Tue, Mar 24, 2026 at 03:56:27PM +0000, Ciara Loftus wrote:
> > Commit c138a6c3bd0a ("net/i40e: validate raw flow items before
> > dereferencing") rejected raw flow items when spec and mask length
> > fields differ, intending to prevent out-of-bounds pattern access.
> >
> > This breaks flows using the default rte_flow_item_raw_mask, which
> > sets mask.length to 0xffff regardless of the spec pattern size. Remove
> > the erroneous check.
> >
> > Fixes: c138a6c3bd0a ("net/i40e: validate raw flow items before
> dereferencing")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> > ---
> > drivers/net/intel/i40e/i40e_flow.c | 7 -------
> > 1 file changed, 7 deletions(-)
> >
> > diff --git a/drivers/net/intel/i40e/i40e_flow.c
> b/drivers/net/intel/i40e/i40e_flow.c
> > index 84cfddb92d..78191a2d22 100644
> > --- a/drivers/net/intel/i40e/i40e_flow.c
> > +++ b/drivers/net/intel/i40e/i40e_flow.c
> > @@ -2360,13 +2360,6 @@ i40e_flow_parse_fdir_pattern(struct
> rte_eth_dev *dev,
> > "NULL RAW mask
> pattern");
> > return -rte_errno;
> > }
> > - if (raw_spec->length != raw_mask->length) {
> > - rte_flow_error_set(error, EINVAL,
> > -
> RTE_FLOW_ERROR_TYPE_ITEM,
> > - item,
> > - "RAW spec and
> mask length mismatch");
> > - return -rte_errno;
> > - }
> > }
>
> This looks a correct check to have. Maybe we need to check how the default
> mask is generated for this case and fix things there?
It is unclear to me, whether the length field of the mask should hold
a bytecount or a bitmask. For example in testpmd if a raw flow is
created without an explicit mask, the length appears to hold a bitmask
all set to 1s.
If a raw flow is created with an explicit mask, the length appears to
hold the bytecount of the mask.
Modifying that behaviour so that it is consistent appears to be
non-trivial, I would be reluctant to change it this late in the release.
If we wish to continue to permit the ambiguity in the driver for now,
this patch is needed. Otherwise, we are accepting that the field should
always hold a bytecount.
>
> >
> > for (i = 0; i < raw_spec->length; i++) {
> > --
> > 2.43.0
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] net/i40e: fix raw flow item validation
2026-03-25 12:12 ` Loftus, Ciara
@ 2026-03-25 12:31 ` Bruce Richardson
0 siblings, 0 replies; 5+ messages in thread
From: Bruce Richardson @ 2026-03-25 12:31 UTC (permalink / raw)
To: Loftus, Ciara; +Cc: dev@dpdk.org, stable@dpdk.org
On Wed, Mar 25, 2026 at 12:12:07PM +0000, Loftus, Ciara wrote:
> > Subject: Re: [PATCH] net/i40e: fix raw flow item validation
> >
> > On Tue, Mar 24, 2026 at 03:56:27PM +0000, Ciara Loftus wrote:
> > > Commit c138a6c3bd0a ("net/i40e: validate raw flow items before
> > > dereferencing") rejected raw flow items when spec and mask length
> > > fields differ, intending to prevent out-of-bounds pattern access.
> > >
> > > This breaks flows using the default rte_flow_item_raw_mask, which
> > > sets mask.length to 0xffff regardless of the spec pattern size. Remove
> > > the erroneous check.
> > >
> > > Fixes: c138a6c3bd0a ("net/i40e: validate raw flow items before
> > dereferencing")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> > > ---
> > > drivers/net/intel/i40e/i40e_flow.c | 7 -------
> > > 1 file changed, 7 deletions(-)
> > >
> > > diff --git a/drivers/net/intel/i40e/i40e_flow.c
> > b/drivers/net/intel/i40e/i40e_flow.c
> > > index 84cfddb92d..78191a2d22 100644
> > > --- a/drivers/net/intel/i40e/i40e_flow.c
> > > +++ b/drivers/net/intel/i40e/i40e_flow.c
> > > @@ -2360,13 +2360,6 @@ i40e_flow_parse_fdir_pattern(struct
> > rte_eth_dev *dev,
> > > "NULL RAW mask
> > pattern");
> > > return -rte_errno;
> > > }
> > > - if (raw_spec->length != raw_mask->length) {
> > > - rte_flow_error_set(error, EINVAL,
> > > -
> > RTE_FLOW_ERROR_TYPE_ITEM,
> > > - item,
> > > - "RAW spec and
> > mask length mismatch");
> > > - return -rte_errno;
> > > - }
> > > }
> >
> > This looks a correct check to have. Maybe we need to check how the default
> > mask is generated for this case and fix things there?
>
> It is unclear to me, whether the length field of the mask should hold
> a bytecount or a bitmask. For example in testpmd if a raw flow is
> created without an explicit mask, the length appears to hold a bitmask
> all set to 1s.
> If a raw flow is created with an explicit mask, the length appears to
> hold the bytecount of the mask.
> Modifying that behaviour so that it is consistent appears to be
> non-trivial, I would be reluctant to change it this late in the release.
> If we wish to continue to permit the ambiguity in the driver for now,
> this patch is needed. Otherwise, we are accepting that the field should
> always hold a bytecount.
>
Ok, so safest option for this release is to revert this part of the code.
Will take the original patch.
/Bruce
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] net/i40e: fix raw flow item validation
2026-03-24 15:56 [PATCH] net/i40e: fix raw flow item validation Ciara Loftus
2026-03-24 16:20 ` Bruce Richardson
@ 2026-03-25 12:41 ` Bruce Richardson
1 sibling, 0 replies; 5+ messages in thread
From: Bruce Richardson @ 2026-03-25 12:41 UTC (permalink / raw)
To: Ciara Loftus; +Cc: dev, stable
On Tue, Mar 24, 2026 at 03:56:27PM +0000, Ciara Loftus wrote:
> Commit c138a6c3bd0a ("net/i40e: validate raw flow items before
> dereferencing") rejected raw flow items when spec and mask length
> fields differ, intending to prevent out-of-bounds pattern access.
>
> This breaks flows using the default rte_flow_item_raw_mask, which
> sets mask.length to 0xffff regardless of the spec pattern size. Remove
> the erroneous check.
>
> Fixes: c138a6c3bd0a ("net/i40e: validate raw flow items before dereferencing")
> Cc: stable@dpdk.org
>
> Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
> ---
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Applied to dpdk-next-net-intel,
Thanks,
/Bruce
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-03-25 12:42 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-24 15:56 [PATCH] net/i40e: fix raw flow item validation Ciara Loftus
2026-03-24 16:20 ` Bruce Richardson
2026-03-25 12:12 ` Loftus, Ciara
2026-03-25 12:31 ` Bruce Richardson
2026-03-25 12:41 ` Bruce Richardson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox