From: Harish Patil <harish.pa...@qlogic.com>
This defect is a functional issue where the RX CQE pointer remains
uninitialized in the LRO code path which can cause null pointer exception
while accessing VLAN or RSS hash value from CQE.
Fixes: 29540be7efce ("net/qede: support LRO/TSO offloads")
Coverity issue: 143474
Signed-off-by: Harish Patil <harish.pa...@qlogic.com>
---
drivers/net/qede/qede_rxtx.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/drivers/net/qede/qede_rxtx.c b/drivers/net/qede/qede_rxtx.c
index ec045b0..b180c0b 100644
--- a/drivers/net/qede/qede_rxtx.c
+++ b/drivers/net/qede/qede_rxtx.c
@@ -991,6 +991,7 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
uint8_t bitfield_val;
uint8_t offset, tpa_agg_idx, flags;
struct qede_agg_info *tpa_info;
+ uint32_t rss_hash;
hw_comp_cons = rte_le_to_cpu_16(*rxq->hw_cons_ptr);
sw_comp_cons = ecore_chain_get_cons_idx(&rxq->rx_comp_ring);
@@ -1005,6 +1006,7 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
packet_type = RTE_PTYPE_UNKNOWN;
vlan_tci = 0;
tpa_start_flg = false;
+ rss_hash = 0;
/* Get the CQE from the completion ring */
cqe =
@@ -1068,6 +1070,10 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
offset = fp_cqe->placement_offset;
len = rte_le_to_cpu_16(fp_cqe->len_on_first_bd);
pkt_len = rte_le_to_cpu_16(fp_cqe->pkt_len);
+ vlan_tci = rte_le_to_cpu_16(fp_cqe->vlan_tag);
+ rss_hash = rte_le_to_cpu_32(fp_cqe->rss_hash);
+ htype = (uint8_t)GET_FIELD(bitfield_val,
+ ETH_FAST_PATH_RX_REG_CQE_RSS_HASH_TYPE);
} else {
parse_flag =
rte_le_to_cpu_16(cqe_start_tpa->pars_flags.flags);
@@ -1075,6 +1081,10 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
offset = cqe_start_tpa->placement_offset;
/* seg_len = len_on_first_bd */
len = rte_le_to_cpu_16(cqe_start_tpa->len_on_first_bd);
+ vlan_tci = rte_le_to_cpu_16(cqe_start_tpa->vlan_tag);
+ htype = (uint8_t)GET_FIELD(bitfield_val,
+ ETH_FAST_PATH_RX_TPA_START_CQE_RSS_HASH_TYPE);
+ rss_hash = rte_le_to_cpu_32(cqe_start_tpa->rss_hash);
}
if (qede_tunn_exist(parse_flag)) {
PMD_RX_LOG(INFO, rxq, "Rx tunneled packet\n");
@@ -1121,24 +1131,18 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
}
if (CQE_HAS_VLAN(parse_flag)) {
- vlan_tci = rte_le_to_cpu_16(fp_cqe->vlan_tag);
ol_flags |= PKT_RX_VLAN_PKT;
+ rx_mb->vlan_tci = vlan_tci;
}
-
if (CQE_HAS_OUTER_VLAN(parse_flag)) {
- vlan_tci = rte_le_to_cpu_16(fp_cqe->vlan_tag);
ol_flags |= PKT_RX_QINQ_PKT;
+ rx_mb->vlan_tci = vlan_tci;
rx_mb->vlan_tci_outer = 0;
}
-
/* RSS Hash */
- htype = (uint8_t)GET_FIELD(bitfield_val,
- ETH_FAST_PATH_RX_REG_CQE_RSS_HASH_TYPE);
- if (qdev->rss_enable && htype) {
+ if (qdev->rss_enable) {
ol_flags |= PKT_RX_RSS_HASH;
- rx_mb->hash.rss = rte_le_to_cpu_32(fp_cqe->rss_hash);
- PMD_RX_LOG(INFO, rxq, "Hash result 0x%x\n",
- rx_mb->hash.rss);
+ rx_mb->hash.rss = rss_hash;
}
if (unlikely(qede_alloc_rx_buffer(rxq) != 0)) {
@@ -1185,10 +1189,12 @@ static inline uint32_t
qede_rx_cqe_to_tunn_pkt_type(uint16_t flags)
rx_mb->port = rxq->port_id;
rx_mb->ol_flags = ol_flags;
rx_mb->data_len = len;
- rx_mb->vlan_tci = vlan_tci;
rx_mb->packet_type = packet_type;
- PMD_RX_LOG(INFO, rxq, "pkt_type %04x len %04x flags %04lx\n",
- packet_type, len, (unsigned long)ol_flags);
+ PMD_RX_LOG(INFO, rxq,
+ "pkt_type 0x%04x len %u hash_type %d hash_val 0x%x"
+ " ol_flags 0x%04lx\n",
+ packet_type, len, htype, rx_mb->hash.rss,
+ (unsigned long)ol_flags);
if (!tpa_start_flg) {
rx_mb->nb_segs = fp_cqe->bd_num;
rx_mb->pkt_len = pkt_len;
--
1.7.10.3
