From: Kevin Traynor <ktraynor@redhat.com>
To: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Cc: Konstantin Ananyev <konstantin.ananyev@intel.com>,
dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'crypto/aesni_mb: fix possible array overrun' has been queued to stable release 18.08.1
Date: Wed, 21 Nov 2018 16:04:36 +0000 [thread overview]
Message-ID: <20181121160440.9014-46-ktraynor@redhat.com> (raw)
In-Reply-To: <20181121160440.9014-1-ktraynor@redhat.com>
Hi,
FYI, your patch has been queued to stable release 18.08.1
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/26/18. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the patch applied
to the branch. If the code is different (ie: not only metadata diffs), due for example to
a change in context or macro names, please double check it.
Thanks.
Kevin Traynor
---
>From a42cc166aa46a6d9506914eb8dc0b4ecf075f084 Mon Sep 17 00:00:00 2001
From: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Date: Thu, 2 Aug 2018 05:49:40 +0100
Subject: [PATCH] crypto/aesni_mb: fix possible array overrun
[ upstream commit 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 ]
In order to process crypto operations in the AESNI MB PMD,
they need to be sent to the buffer manager of the Multi-buffer library,
through the "job" structure.
Currently, it is checked if there are outstanding operations to process
in the ring, before getting a new job. However, if there are no available
jobs in the manager, a flush operation needs to take place, freeing some
of the jobs, so it can be used for the outstanding operation.
In order to avoid leaving the dequeued operation without being processed,
the maximum number of operations that can be flushed is the remaining
operations to return, which is the maximum number of operations that can
be return minus the number of operations ready to be returned
(nb_ops - processed_jobs), minus 1 (for the new operation).
The problem comes when (nb_ops - processed_jobs) is 1 (last operation to
dequeue). In that case, flush_mb_mgr is called with maximum number of
operations equal to 0, which is wrong, causing a potential overrun in the
"ops" array.
Besides, the operation dequeued from the ring will be leaked, as no more
operations can be returned.
The solution is to first check if there are jobs available in the manager.
If there are not, flush operation gets called, and if enough operations
are returned from the manager, then no more outstanding operations get
dequeued from the ring, avoiding both the memory leak and the array
overrun.
If there are enough jobs, PMD tries to dequeue an operation from the ring.
If there are no operations in the ring, the new job pointer is not used,
and it will be used in the next get_next_job call, so no memory leak
happens.
Fixes: 0f548b50a160 ("crypto/aesni_mb: process crypto op on dequeue")
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 93dc7a443..e2dd834f0 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -834,9 +834,4 @@ aesni_mb_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops,
uint8_t digest_idx = qp->digest_idx;
do {
- /* Get next operation to process from ingress queue */
- retval = rte_ring_dequeue(qp->ingress_queue, (void **)&op);
- if (retval < 0)
- break;
-
/* Get next free mb job struct from mb manager */
job = (*qp->op_fns->job.get_next)(qp->mb_mgr);
@@ -845,9 +840,22 @@ aesni_mb_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops,
processed_jobs += flush_mb_mgr(qp,
&ops[processed_jobs],
- (nb_ops - processed_jobs) - 1);
+ nb_ops - processed_jobs);
+
+ if (nb_ops == processed_jobs)
+ break;
job = (*qp->op_fns->job.get_next)(qp->mb_mgr);
}
+ /*
+ * Get next operation to process from ingress queue.
+ * There is no need to return the job to the MB_MGR
+ * if there are no more operations to process, since the MB_MGR
+ * can use that pointer again in next get_next calls.
+ */
+ retval = rte_ring_dequeue(qp->ingress_queue, (void **)&op);
+ if (retval < 0)
+ break;
+
retval = set_mb_job_params(job, qp, op, &digest_idx);
if (unlikely(retval != 0)) {
--
2.19.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2018-11-21 15:59:14.775425876 +0000
+++ 0046-crypto-aesni_mb-fix-possible-array-overrun.patch 2018-11-21 15:59:13.000000000 +0000
@@ -1,8 +1,10 @@
-From 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 Mon Sep 17 00:00:00 2001
+From a42cc166aa46a6d9506914eb8dc0b4ecf075f084 Mon Sep 17 00:00:00 2001
From: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Date: Thu, 2 Aug 2018 05:49:40 +0100
Subject: [PATCH] crypto/aesni_mb: fix possible array overrun
+[ upstream commit 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 ]
+
In order to process crypto operations in the AESNI MB PMD,
they need to be sent to the buffer manager of the Multi-buffer library,
through the "job" structure.
@@ -36,7 +38,6 @@
happens.
Fixes: 0f548b50a160 ("crypto/aesni_mb: process crypto op on dequeue")
-Cc: stable@dpdk.org
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
next prev parent reply other threads:[~2018-11-21 16:06 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-21 16:03 [dpdk-stable] patch 'net/sfc/base: fix PreFAST warnings because of unused return' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: fix invalid order of memset arguments' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: fix output buffer SAL annotation' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: fix SAL annotation for input buffers' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: properly align on line continuation' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: add space after sizeof' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: fix build because of no declaration' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: fix outer IPID field in TSO option descriptors' " Kevin Traynor
2018-11-21 16:03 ` [dpdk-stable] patch 'net/sfc/base: add check for TUNNEL module in NIC reset API' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: check size of memory to read sensors data to' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: avoid usage of too big arrays on stack' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: fix out of bounds read when dereferencing sdup' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: fix ID retrieval in v3 licensing' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: prevent access to the NIC config before probe' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: fix name of the argument to store RSS flags' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: fix a typo in unicast filter insertion comment' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: fix MAC Tx stats for less or equal to 64 bytes' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc: fix an Rx queue double release possibility' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc: fix a Tx " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/e1000: fix missing Tx multi-segs capability' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/fm10k: " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/i40e: " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/ixgbe: " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/avf: fix unused variables and label' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/avf: fix missing compiler error flags' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/bonding: fix Rx slave fairness' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/dpaa: fix jumbo buffer config' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/dpaa: fix link speed based on MAC type' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/failsafe: remove not supported multicast MAC filter' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'ethdev: fix error handling in create function' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/sfc/base: make last byte of module information available' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/cxgbe: announce Rx scatter offload' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'ethdev: fix doxygen comment to be with structure' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/avf: remove keeping CRC configuration' " Kevin Traynor
2018-11-22 17:29 ` Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/virtio-user: fix multiple queue for vhost-kernel' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/virtio: add missing supported features' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'vhost: fix corner case for enqueue operation' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/i40e: fix 25G AOC and ACC cable detection on XXV710' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'net/bonding: stop and deactivate slaves on stop' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'doc: fix typo for cryptodev' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'doc: fix missing CCM to QAT feature list' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'examples/ipsec-secgw: fix wrong session size' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'app/test-crypto-perf: fix check for auth key' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'app/test-crypto-perf: fix check for cipher IV' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'app/test-crypto-perf: fix double allocation of memory' " Kevin Traynor
2018-11-21 16:04 ` Kevin Traynor [this message]
2018-11-21 16:04 ` [dpdk-stable] patch 'crypto/aesni_mb: fix truncated digest size for CMAC' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'compress/qat: fix checksum on decompression' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'compress/qat: remove unnecessary assignment' " Kevin Traynor
2018-11-21 16:04 ` [dpdk-stable] patch 'test/crypto: fix number of queue pairs' " Kevin Traynor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181121160440.9014-46-ktraynor@redhat.com \
--to=ktraynor@redhat.com \
--cc=konstantin.ananyev@intel.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).