[V2 net 11/11] net/mlx5e: TC, Fix slab-out-of-bounds in parse_tc_actions

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
	netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
	Roi Dayan <roid@nvidia.com>, Maor Dickman <maord@nvidia.com>
Subject: [V2 net 11/11] net/mlx5e: TC, Fix slab-out-of-bounds in parse_tc_actions
Date: Sat,  5 Nov 2022 00:10:28 -0700	[thread overview]
Message-ID: <20221105071028.578594-12-saeed@kernel.org> (raw)
In-Reply-To: <20221105071028.578594-1-saeed@kernel.org>

From: Roi Dayan <roid@nvidia.com>

esw_attr is only allocated if namespace is fdb.

BUG: KASAN: slab-out-of-bounds in parse_tc_actions+0xdc6/0x10e0 [mlx5_core]
Write of size 4 at addr ffff88815f185b04 by task tc/2135

CPU: 5 PID: 2135 Comm: tc Not tainted 6.1.0-rc2+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x57/0x7d
 print_report+0x170/0x471
 ? parse_tc_actions+0xdc6/0x10e0 [mlx5_core]
 kasan_report+0xbc/0xf0
 ? parse_tc_actions+0xdc6/0x10e0 [mlx5_core]
 parse_tc_actions+0xdc6/0x10e0 [mlx5_core]

Fixes: 94d651739e17 ("net/mlx5e: TC, Fix cloned flow attr instance dests are not zeroed")
Signed-off-by: Roi Dayan <roid@nvidia.com>
Reviewed-by: Maor Dickman <maord@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index 372dfb89e396..5a6aa61ec82a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -3633,10 +3633,14 @@ mlx5e_clone_flow_attr_for_post_act(struct mlx5_flow_attr *attr,
 	attr2->action = 0;
 	attr2->flags = 0;
 	attr2->parse_attr = parse_attr;
-	attr2->esw_attr->out_count = 0;
-	attr2->esw_attr->split_count = 0;
 	attr2->dest_chain = 0;
 	attr2->dest_ft = NULL;
+
+	if (ns_type == MLX5_FLOW_NAMESPACE_FDB) {
+		attr2->esw_attr->out_count = 0;
+		attr2->esw_attr->split_count = 0;
+	}
+
 	return attr2;
 }
 
-- 
2.38.1

     prev parent reply	other threads:[~2022-11-05  7:11 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-05  7:10 [pull request][V2 net 00/11] mlx5 fixes 2022-11-02 Saeed Mahameed
2022-11-05  7:10 ` [V2 net 01/11] net/mlx5: Bridge, verify LAG state when adding bond to bridge Saeed Mahameed
2022-11-05  7:10 ` [V2 net 02/11] net/mlx5: Allow async trigger completion execution on single CPU systems Saeed Mahameed
2022-11-05  7:10 ` [V2 net 03/11] net/mlx5: E-switch, Set to legacy mode if failed to change switchdev mode Saeed Mahameed
2022-11-05  7:10 ` [V2 net 04/11] net/mlx5: fw_reset: Don't try to load device in case PCI isn't working Saeed Mahameed
2022-11-05  7:10 ` [V2 net 05/11] net/mlx5: Fix possible deadlock on mlx5e_tx_timeout_work Saeed Mahameed
2022-11-08  4:24   ` Jakub Kicinski
2022-11-08 10:19     ` Paolo Abeni
2022-11-08 18:02       ` Saeed Mahameed
2022-11-05  7:10 ` [V2 net 06/11] net/mlx5e: Add missing sanity checks for max TX WQE size Saeed Mahameed
2022-11-05  7:10 ` [V2 net 07/11] net/mlx5e: Fix usage of DMA sync API Saeed Mahameed
2022-11-05  7:10 ` [V2 net 08/11] net/mlx5e: Fix tc acts array not to be dependent on enum order Saeed Mahameed
2022-11-05  7:10 ` [V2 net 09/11] net/mlx5e: TC, Fix wrong rejection of packet-per-second policing Saeed Mahameed
2022-11-05  7:10 ` [V2 net 10/11] net/mlx5e: E-Switch, Fix comparing termination table instance Saeed Mahameed
2022-11-05  7:10 ` Saeed Mahameed [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:372dfb89e39 dfblob:5a6aa61ec82 )
 OR (
bs:"[V2 net 11/11] net/mlx5e: TC, Fix slab-out-of-bounds in parse_tc_actions" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221105071028.578594-12-saeed@kernel.org \
    --to=saeed@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=maord@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=roid@nvidia.com \
    --cc=saeedm@nvidia.com \
    --cc=tariqt@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).