Re: [PATCH net-next 01/12] net/mlx5: HWS, Fix matcher action template attach

From: Vlad Dogaru
Date: Wed Apr 09 2025 - 12:09:55 EST

Next message: Robin Murphy: "Re: [PATCH hyperv-next 5/6] arch, drivers: Add device struct bitfield to not bounce-buffer"
Previous message: Nikolay Borisov: "Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests"
In reply to: Michal Kubiak: "Re: [PATCH net-next 01/12] net/mlx5: HWS, Fix matcher action template attach"
Next in thread: Michal Kubiak: "Re: [PATCH net-next 01/12] net/mlx5: HWS, Fix matcher action template attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/9/25 17:21, Michal Kubiak wrote:

On Tue, Apr 08, 2025 at 05:00:45PM +0300, Tariq Toukan wrote:

From: Vlad Dogaru <vdogaru@xxxxxxxxxx>

The procedure of attaching an action template to an existing matcher had
a few issues:

1. Attaching accidentally overran the `at` array in bwc_matcher, which
would result in memory corruption. This bug wasn't triggered, but it
is possible to trigger it by attaching action templates beyond the
initial buffer size of 8. Fix this by converting to a dynamically
sized buffer and reallocating if needed.

2. Similarly, the `at` array inside the native matcher was never
reallocated. Fix this the same as above.

3. The bwc layer treated any error in action template attach as a signal
that the matcher should be rehashed to account for a larger number of
action STEs. In reality, there are other unrelated errors that can
arise and they should be propagated upstack. Fix this by adding a
`need_rehash` output parameter that's orthogonal to error codes.

Fixes: 2111bb970c78 ("net/mlx5: HWS, added backward-compatible API handling")
Signed-off-by: Vlad Dogaru <vdogaru@xxxxxxxxxx>
Reviewed-by: Yevgeny Kliteynik <kliteyn@xxxxxxxxxx>
Reviewed-by: Mark Bloch <mbloch@xxxxxxxxxx>
Signed-off-by: Tariq Toukan <tariqt@xxxxxxxxxx>

In general the patch looks OK to me.
Just one request for clarification inline.

Thank you for reviewing.

---
.../mellanox/mlx5/core/steering/hws/bwc.c | 55 ++++++++++++++++---
.../mellanox/mlx5/core/steering/hws/bwc.h | 9 ++-
.../mellanox/mlx5/core/steering/hws/matcher.c | 48 +++++++++++++---
.../mellanox/mlx5/core/steering/hws/matcher.h | 4 ++
.../mellanox/mlx5/core/steering/hws/mlx5hws.h | 5 +-
5 files changed, 97 insertions(+), 24 deletions(-)

[...]

@@ -520,6 +529,23 @@ hws_bwc_matcher_extend_at(struct mlx5hws_bwc_matcher *bwc_matcher,
struct mlx5hws_rule_action rule_actions[])
{
enum mlx5hws_action_type action_types[MLX5HWS_BWC_MAX_ACTS];
+ void *p;
+
+ if (unlikely(bwc_matcher->num_of_at >= bwc_matcher->size_of_at_array)) {
+ if (bwc_matcher->size_of_at_array >= MLX5HWS_MATCHER_MAX_AT)
+ return -ENOMEM;
+ bwc_matcher->size_of_at_array *= 2;

Is it possible that `num_of_at` is even greater than twice `size_of_array`?
If so, shouldn't you calculate how many multiplications by 2 you need to
do?

We only extend the array by one template at a time, immediately after this check, so this can't happen.

Cheers,
Vlad

Next message: Robin Murphy: "Re: [PATCH hyperv-next 5/6] arch, drivers: Add device struct bitfield to not bounce-buffer"
Previous message: Nikolay Borisov: "Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests"
In reply to: Michal Kubiak: "Re: [PATCH net-next 01/12] net/mlx5: HWS, Fix matcher action template attach"
Next in thread: Michal Kubiak: "Re: [PATCH net-next 01/12] net/mlx5: HWS, Fix matcher action template attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]