When slave link down, deactivate_slave will internals->active_slaves and internals->active_slave_count.Active_slave in bond_ethdev_rx_burst may out of range in internals->active_slaves.It will get bond's port_id cause stack overflow Cc: stable@dpdk.org Signed-off-by: jilei <jilei8@huawei.com> --- drivers/net/bonding/rte_eth_bond_pmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index a6755661c4..46f2c42d60 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) bufs + num_rx_total, nb_pkts); num_rx_total += num_rx_slave; nb_pkts -= num_rx_slave; - if (++active_slave == slave_count) + if (++active_slave >= slave_count) active_slave = 0; } -- 2.23.0
Hi,
Your patch is OK, but the description is misleading and has
syntax errors. Please fix it ,thanks.
在 2021/8/10 14:43, jilei 写道:
> When slave link down, deactivate_slave will internals->active_slaves
> and internals->active_slave_count.Active_slave in bond_ethdev_rx_burst
> may out of range in internals->active_slaves.It will get bond's port_id
> cause stack overflow
>
> Cc: stable@dpdk.org
> Signed-off-by: jilei <jilei8@huawei.com>
> ---
> drivers/net/bonding/rte_eth_bond_pmd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c
> index a6755661c4..46f2c42d60 100644
> --- a/drivers/net/bonding/rte_eth_bond_pmd.c
> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c
> @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
> bufs + num_rx_total, nb_pkts);
> num_rx_total += num_rx_slave;
> nb_pkts -= num_rx_slave;
> - if (++active_slave == slave_count)
> + if (++active_slave >= slave_count)
> active_slave = 0;
> }
>
>
On 8/10/2021 8:50 AM, Min Hu (Connor) wrote:
> 在 2021/8/10 14:43, jilei 写道:
>> When slave link down, deactivate_slave will internals->active_slaves
>> and internals->active_slave_count.Active_slave in bond_ethdev_rx_burst
>> may out of range in internals->active_slaves.It will get bond's port_id
>> cause stack overflow
>>
>> Cc: stable@dpdk.org
>> Signed-off-by: jilei <jilei8@huawei.com>
>> ---
>> drivers/net/bonding/rte_eth_bond_pmd.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c
>> b/drivers/net/bonding/rte_eth_bond_pmd.c
>> index a6755661c4..46f2c42d60 100644
>> --- a/drivers/net/bonding/rte_eth_bond_pmd.c
>> +++ b/drivers/net/bonding/rte_eth_bond_pmd.c
>> @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf
>> **bufs, uint16_t nb_pkts)
>> bufs + num_rx_total, nb_pkts);
>> num_rx_total += num_rx_slave;
>> nb_pkts -= num_rx_slave;
>> - if (++active_slave == slave_count)
>> + if (++active_slave >= slave_count)
>> active_slave = 0;
>> }
>>
>
> Hi,
> Your patch is OK, but the description is misleading and has
> syntax errors. Please fix it ,thanks.
>
Hi jilei,
The patch is waiting for a minor update from you, can you please send a
new version with the requested change?
Btw, please add your sign off in following format:
Signed-off-by: Name Surname <email@address>
Thanks,
ferruh
In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code: if (++active_slave == slave_count) active_slave = 0; However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow. This patch fixes the issue by using '>=' instead of '=='. Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness") Cc: stable@dpdk.org Signed-off-by: Lei Ji <jilei8@huawei.com> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- drivers/net/bonding/rte_eth_bond_pmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index 73e6972035..6f8a6da108 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) bufs + num_rx_total, nb_pkts); num_rx_total += num_rx_slave; nb_pkts -= num_rx_slave; - if (++active_slave == slave_count) + if (++active_slave >= slave_count) active_slave = 0; } -- 2.27.0
Acked-by: Min Hu (Connor) <humin29@huawei.com> -----邮件原件----- 发件人: wangyunjian <wangyunjian@huawei.com> 发送时间: 2022年7月18日 21:09 收件人: dev@dpdk.org 抄送: chas3@att.com; humin (Q) <humin29@huawei.com>; Huangshaozhang <huangshaozhang@huawei.com>; jilei (F) <jilei8@huawei.com>; wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org 主题: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code: if (++active_slave == slave_count) active_slave = 0; However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow. This patch fixes the issue by using '>=' instead of '=='. Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness") Cc: stable@dpdk.org Signed-off-by: Lei Ji <jilei8@huawei.com> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- drivers/net/bonding/rte_eth_bond_pmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bonding/rte_eth_bond_pmd.c b/drivers/net/bonding/rte_eth_bond_pmd.c index 73e6972035..6f8a6da108 100644 --- a/drivers/net/bonding/rte_eth_bond_pmd.c +++ b/drivers/net/bonding/rte_eth_bond_pmd.c @@ -82,7 +82,7 @@ bond_ethdev_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) bufs + num_rx_total, nb_pkts); num_rx_total += num_rx_slave; nb_pkts -= num_rx_slave; - if (++active_slave == slave_count) + if (++active_slave >= slave_count) active_slave = 0; } -- 2.27.0
On 7/20/2022 2:28 AM, humin (Q) wrote:
> -----邮件原件-----
> 发件人: wangyunjian <wangyunjian@huawei.com>
> 发送时间: 2022年7月18日 21:09
> 收件人: dev@dpdk.org
> 抄送: chas3@att.com; humin (Q) <humin29@huawei.com>; Huangshaozhang <huangshaozhang@huawei.com>; jilei (F) <jilei8@huawei.com>; wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> 主题: [dpdk-dev] [PATCH] net/bonding: fix array overflow in Rx burst
>
> In bond_ethdev_rx_burst() function, we check the validity of the 'active_slave' as this code:
> if (++active_slave == slave_count)
> active_slave = 0;
> However, the value of 'active_slave' maybe equal to 'slave_count', when a slave is down. This is wrong and it can cause buffer overflow.
> This patch fixes the issue by using '>=' instead of '=='.
>
> Fixes: e1110e977648 ("net/bonding: fix Rx slave fairness")
> Cc: stable@dpdk.org
>
> Signed-off-by: Lei Ji <jilei8@huawei.com>
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
>
> Acked-by: Min Hu (Connor) <humin29@huawei.com>
>
Applied to dpdk-next-net/main, thanks.