[dpdk-dev,v1] net/mlx4: fix RSS actions with no parameters

Message ID 1519220318-19328-1-git-send-email-ophirmu@mellanox.com
State Superseded, archived

Checks

Context Check Description
ci/Intel-compilation success Compilation OK
ci/checkpatch success coding style OK

Commit Message

Ophir Munk Feb. 21, 2018, 1:38 p.m.
When creating an RSS flow with missing actions parameters, for example:
flow create 0 ingress pattern <list of patterns>  / end actions rss / end

testpmd aborts with segmentation fault.
In the corrupted code mlx4_flow_prepare() accesses RSS action->conf pointer
without verifying its validity.
In case of missing RSS actions parameters this pointer is NULL and must not
 be accessed.
The fix is to return an error in such cases "missing rss actions".

Fixes: 078b8b452e6b ("net/mlx4: add RSS flow rule action support")
Cc: stable@dpdk.org

Signed-off-by: Ophir Munk <ophirmu@mellanox.com>
---
 drivers/net/mlx4/mlx4_flow.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Adrien Mazarguil Feb. 23, 2018, 4:52 p.m. | #1
On Wed, Feb 21, 2018 at 01:38:38PM +0000, Ophir Munk wrote:
> When creating an RSS flow with missing actions parameters, for example:
> flow create 0 ingress pattern <list of patterns>  / end actions rss / end
> 
> testpmd aborts with segmentation fault.
> In the corrupted code mlx4_flow_prepare() accesses RSS action->conf pointer
> without verifying its validity.
> In case of missing RSS actions parameters this pointer is NULL and must not
>  be accessed.

Problem is that testpmd is far from perfect and shouldn't feed PMDs with
invalid pointers in the first place. The configuration structure is not
documented as optional with actions that take one.

> The fix is to return an error in such cases "missing rss actions".
> 
> Fixes: 078b8b452e6b ("net/mlx4: add RSS flow rule action support")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Ophir Munk <ophirmu@mellanox.com>

I suggest to fix this at once for all present and future PMDs in testpmd
directly. It may be added as a workaround in mlx4 but not as a fix since the
cause is not in that PMD.

> ---
>  drivers/net/mlx4/mlx4_flow.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/mlx4/mlx4_flow.c b/drivers/net/mlx4/mlx4_flow.c
> index 2d55bfe..7a127a8 100644
> --- a/drivers/net/mlx4/mlx4_flow.c
> +++ b/drivers/net/mlx4/mlx4_flow.c
> @@ -735,6 +735,10 @@ mlx4_flow_prepare(struct priv *priv,
>  			if (flow->rss)
>  				break;
>  			rss = action->conf;
> +			if (!rss) {
> +				msg = "missing rss actions";
> +				goto exit_action_not_supported;
> +			}
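Review bot: the added `if (!rss)` branch leaves through `goto exit_action_not_supported`, whose name says the RSS action is unsupported, while the action is supported and the actual fault is a NULL `action->conf`. If that label reports an unsupported-action error, a caller cannot tell a malformed rule from a device limitation, so consider a separate exit path that reports an invalid argument (EINVAL) and points at the offending action.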

This message may be understood as a lack of RSS action, while it is in fact
present. This error can be more accurately described as:

 "RSS action configuration wasn't provided"

Note the same issue exists with the QUEUE action handled just prior to this
one and probably affects other PMDs as well. You really should consider
fixing testpmd instead.

Ophir Munk Feb. 24, 2018, 11:18 p.m. | #2
Hi,
Please see below

> -----Original Message-----
> From: Adrien Mazarguil [mailto:adrien.mazarguil@6wind.com]
> Sent: Friday, February 23, 2018 6:53 PM
> To: Ophir Munk <ophirmu@mellanox.com>
> Cc: dev@dpdk.org; Thomas Monjalon <thomas@monjalon.net>; Olga Shern
> <olgas@mellanox.com>; stable@dpdk.org
> Subject: Re: [PATCH v1] net/mlx4: fix RSS actions with no parameters
> 
> On Wed, Feb 21, 2018 at 01:38:38PM +0000, Ophir Munk wrote:
> > When creating an RSS flow with missing actions parameters, for example:
> > flow create 0 ingress pattern <list of patterns>  / end actions rss /
> > end
> >
> > testpmd aborts with segmentation fault.
> > In the corrupted code mlx4_flow_prepare() accesses RSS action->conf
> > pointer without verifying its validity.
> > In case of missing RSS actions parameters this pointer is NULL and
> > must not  be accessed.
> 
> Problem is that testpmd is far from perfect and shouldn't feed PMDs with
> invalid pointers in the first place. The configuration structure is not
> documented as optional with actions that take one.
> 
> > The fix is to return an error in such cases "missing rss actions".
> >
> > Fixes: 078b8b452e6b ("net/mlx4: add RSS flow rule action support")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Ophir Munk <ophirmu@mellanox.com>
> 
> I suggest to fix this at once for all present and future PMDs in testpmd
> directly. It may be added as a workaround in mlx4 but not as a fix since the
> cause is not in that PMD.
> 

I am not sure if missing rss queues in testpmd is not by design. For example a PMD can theoretically
interpret it as an rss default action to split traffic over all existing device queues, or give it any other meaning.
The lack of rss queues should be left to the interpretation of the PMD.

For example:
* ixgbe PMD seems to handle a NULL rss configuration pointer in its own way
* mlx5 PMD checks for this and returns an error in such a case

Changes to testpmd will have to be coordinated and accepted by all dpdk PMDs.

> > ---
> >  drivers/net/mlx4/mlx4_flow.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/net/mlx4/mlx4_flow.c
> > b/drivers/net/mlx4/mlx4_flow.c index 2d55bfe..7a127a8 100644
> > --- a/drivers/net/mlx4/mlx4_flow.c
> > +++ b/drivers/net/mlx4/mlx4_flow.c
> > @@ -735,6 +735,10 @@ mlx4_flow_prepare(struct priv *priv,
> >  			if (flow->rss)
> >  				break;
> >  			rss = action->conf;
> > +			if (!rss) {
> > +				msg = "missing rss actions";
> > +				goto exit_action_not_supported;
> > +			}
> 
> This message may be understood as a lack of RSS action, while it is in fact
> present. This error can be more accurately described as:
> 
>  "RSS action configuration wasn't provided"
> 

mlx5 PMD printout for missing rss queues is: "no valid queues"

I suggest that both mlx4 and mlx5 print the same error for the same rss flow w/o queues.
Do you confirm using mlx5 message printed above?

> Note the same issue exists with the QUEUE action handled just prior to this
> one and probably affects other PMDs as well. You really should consider
> fixing testpmd instead.
> 
> --
> Adrien Mazarguil
> 6WIND

Adrien Mazarguil Feb. 26, 2018, 9:31 a.m. | #3
On Sat, Feb 24, 2018 at 11:18:54PM +0000, Ophir Munk wrote:
> Hi,
> Please see below
> 
> > -----Original Message-----
> > From: Adrien Mazarguil [mailto:adrien.mazarguil@6wind.com]
> > Sent: Friday, February 23, 2018 6:53 PM
> > To: Ophir Munk <ophirmu@mellanox.com>
> > Cc: dev@dpdk.org; Thomas Monjalon <thomas@monjalon.net>; Olga Shern
> > <olgas@mellanox.com>; stable@dpdk.org
> > Subject: Re: [PATCH v1] net/mlx4: fix RSS actions with no parameters
> > 
> > On Wed, Feb 21, 2018 at 01:38:38PM +0000, Ophir Munk wrote:
> > > When creating an RSS flow with missing actions parameters, for example:
> > > flow create 0 ingress pattern <list of patterns>  / end actions rss /
> > > end
> > >
> > > testpmd aborts with segmentation fault.
> > > In the corrupted code mlx4_flow_prepare() accesses RSS action->conf
> > > pointer without verifying its validity.
> > > In case of missing RSS actions parameters this pointer is NULL and
> > > must not  be accessed.
> > 
> > Problem is that testpmd is far from perfect and shouldn't feed PMDs with
> > invalid pointers in the first place. The configuration structure is not
> > documented as optional with actions that take one.
> > 
> > > The fix is to return an error in such cases "missing rss actions".
> > >
> > > Fixes: 078b8b452e6b ("net/mlx4: add RSS flow rule action support")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Ophir Munk <ophirmu@mellanox.com>
> > 
> > I suggest to fix this at once for all present and future PMDs in testpmd
> > directly. It may be added as a workaround in mlx4 but not as a fix since the
> > cause is not in that PMD.
> > 
> 
> I am not sure if missing rss queues in testpmd is not by design. For example a PMD can theoretically
> interpret it as an rss default action to split traffic over all existing device queues, or give it any other meaning.
> The lack of rss queues should be left to the interpretation of the PMD.

No, the API must leave nothing open for interpretation, otherwise it's
mis-defined or not properly documented and needs to be fixed.

The accepted behavior to avoid a million unnecessary NULL checks is that
pointers are valid unless stated otherwise (e.g. providing NULL parameters
to memcpy() is undefined and will most likely cause a crash).

Unlike item->{spec,last,mask} [1], action->conf [2] is not documented as
optional for actions that require one.

[1] http://dpdk.org/doc/guides/prog_guide/rte_flow.html#pattern-item
[2] http://dpdk.org/doc/guides/prog_guide/rte_flow.html#actions

> For example:
> * ixgbe PMD seems to handle a NULL rss configuration pointer in its own way
> * mlx5 PMD checks for this and returns an error in such a case

Because it's undefined behavior territory, however PMDs do not have to be
nice when not required to. Keep in mind NULL checks are a waste of CPU
cycles if not described by a given API; the role of catching programming
mistakes should be left to assert() (for complex checks to avoid clutter
ideally, since NULL-related crashes are easily debugged).

> Changes to testpmd will have to be coordinated and accepted by all dpdk PMDs.

Why? Testpmd implements APIs as described in order to validate PMDs and
that's it. The fact it may feed them invalid pointers is its fault.

> > > ---
> > >  drivers/net/mlx4/mlx4_flow.c | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > >
> > > diff --git a/drivers/net/mlx4/mlx4_flow.c
> > > b/drivers/net/mlx4/mlx4_flow.c index 2d55bfe..7a127a8 100644
> > > --- a/drivers/net/mlx4/mlx4_flow.c
> > > +++ b/drivers/net/mlx4/mlx4_flow.c
> > > @@ -735,6 +735,10 @@ mlx4_flow_prepare(struct priv *priv,
> > >  			if (flow->rss)
> > >  				break;
> > >  			rss = action->conf;
> > > +			if (!rss) {
> > > +				msg = "missing rss actions";
> > > +				goto exit_action_not_supported;
> > > +			}
> > 
> > This message may be understood as a lack of RSS action, while it is in fact
> > present. This error can be more accurately described as:
> > 
> >  "RSS action configuration wasn't provided"
> > 
> 
> mlx5 PMD printout for missing rss queues is: "no valid queues"
> 
> I suggest that both mlx4 and mlx5 print the same error for the same rss flow w/o queues.
> Do you confirm using mlx5 message printed above?

It's inexact, in this case the entire configuration structure (struct
rte_flow_action_rss) is missing. Also, as described below, the same occurs
with the QUEUE action, e.g.:

 testpmd> flow create 1 ingress pattern eth / end actions queue / end 
 Segmentation fault

Because testpmd can feed a NULL pointer for struct rte_flow_action_queue as
well. In short, not providing a configuration on the testpmd command line
makes it feed NULL pointers to PMDs. Since doing so is invalid, testpmd
should not do it.

Also I don't think it makes sense for a queue action to not provide a
destination queue, same as a RSS action without configuration.

> > Note the same issue exists with the QUEUE action handled just prior to this
> > one and probably affects other PMDs as well. You really should consider
> > fixing testpmd instead.
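
The caller-side validation argued for in the reply above, as an added example that is not code from DPDK, testpmd or the patch. Mock types stand in for the rte_flow structures; the names `flow_create` and `driver_prepare`, and the choice of QUEUE and RSS as the actions that require a configuration, are assumptions of this sketch.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for the rte_flow types discussed in the thread;
 * these are not the DPDK definitions. */
enum action_type { ACTION_END, ACTION_DROP, ACTION_QUEUE, ACTION_RSS };
struct flow_action { enum action_type type; const void *conf; };
struct queue_conf { unsigned int index; };
struct flow_error { const struct flow_action *cause; const char *msg; };

/* Mock driver: relies on the contract that conf is valid, so no NULL check. */
static int driver_prepare(const struct flow_action *a)
{
	int queue = -1;
	for (; a->type != ACTION_END; a++)
		if (a->type == ACTION_QUEUE)
			queue = (int)((const struct queue_conf *)a->conf)->index;
	return queue;
}

/* Caller-side gate (the role testpmd plays): reject a list in which an action
 * that takes a configuration has conf == NULL, before any driver sees it.
 * Treating QUEUE and RSS as the actions requiring one is this sketch's assumption. */
int flow_create(const struct flow_action *actions, struct flow_error *err)
{
	for (const struct flow_action *a = actions; a->type != ACTION_END; a++) {
		if ((a->type == ACTION_QUEUE || a->type == ACTION_RSS) && !a->conf) {
			err->cause = a;
			err->msg = "action configuration wasn't provided";
			return -EINVAL;
		}
	}
	err->cause = NULL;
	err->msg = NULL;
	return driver_prepare(actions);
}

/* Constructed inputs: "actions queue / end" with no parameters, and a valid one. */
static const struct queue_conf q3 = { .index = 3 };
static const struct flow_action no_conf[] = { { ACTION_QUEUE, NULL }, { ACTION_END, NULL } };
static const struct flow_action with_conf[] = { { ACTION_QUEUE, &q3 }, { ACTION_END, NULL } };
static struct flow_error demo_err;

int main(void)
{
	printf("no conf:   %d\n", flow_create(no_conf, &demo_err));
	printf("with conf: %d\n", flow_create(with_conf, &demo_err));
	return 0;
}
```

With the gate in the caller, the rule without a configuration is refused with an error that identifies the action, and the driver never dereferences the NULL pointer.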

Patch

diff --git a/drivers/net/mlx4/mlx4_flow.c b/drivers/net/mlx4/mlx4_flow.c
index 2d55bfe..7a127a8 100644
--- a/drivers/net/mlx4/mlx4_flow.c
+++ b/drivers/net/mlx4/mlx4_flow.c
@@ -735,6 +735,10 @@  mlx4_flow_prepare(struct priv *priv,
 			if (flow->rss)
 				break;
 			rss = action->conf;
+			if (!rss) {
+				msg = "missing rss actions";
+				goto exit_action_not_supported;
+			}
 			/* Default RSS configuration if none is provided. */
 			rss_conf =
 				rss->rss_conf ?
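Review bot: in the added `if (!rss)` block the string "missing rss actions" describes the wrong condition: the check fires when `action->conf` is NULL, not when the RSS action is absent, so the message should name the configuration. The context comment `/* Default RSS configuration if none is provided. */` directly below covers a NULL `rss->rss_conf` member, so a one-line comment on the new check stating that a NULL `rss` itself is rejected rather than defaulted would keep the two cases apart. The placement before the first dereference in `rss->rss_conf ?` is right.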