From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id 8FC191B104 for ; Wed, 21 Nov 2018 17:06:57 +0100 (CET) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DE76C3058934; Wed, 21 Nov 2018 16:06:56 +0000 (UTC) Received: from ktraynor.remote.csb (unknown [10.36.118.7]) by smtp.corp.redhat.com (Postfix) with ESMTP id D87DD5F7D9; Wed, 21 Nov 2018 16:06:55 +0000 (UTC) From: Kevin Traynor To: Pablo de Lara Cc: Konstantin Ananyev , dpdk stable Date: Wed, 21 Nov 2018 16:04:36 +0000 Message-Id: <20181121160440.9014-46-ktraynor@redhat.com> In-Reply-To: <20181121160440.9014-1-ktraynor@redhat.com> References: <20181121160440.9014-1-ktraynor@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Wed, 21 Nov 2018 16:06:56 +0000 (UTC) Subject: [dpdk-stable] patch 'crypto/aesni_mb: fix possible array overrun' has been queued to stable release 18.08.1 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Nov 2018 16:06:58 -0000 Hi, FYI, your patch has been queued to stable release 18.08.1 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 11/26/18. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. If the code is different (ie: not only metadata diffs), due for example to a change in context or macro names, please double check it. Thanks. Kevin Traynor --- >>From a42cc166aa46a6d9506914eb8dc0b4ecf075f084 Mon Sep 17 00:00:00 2001 From: Pablo de Lara Date: Thu, 2 Aug 2018 05:49:40 +0100 Subject: [PATCH] crypto/aesni_mb: fix possible array overrun [ upstream commit 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 ] In order to process crypto operations in the AESNI MB PMD, they need to be sent to the buffer manager of the Multi-buffer library, through the "job" structure. Currently, it is checked if there are outstanding operations to process in the ring, before getting a new job. However, if there are no available jobs in the manager, a flush operation needs to take place, freeing some of the jobs, so it can be used for the outstanding operation. In order to avoid leaving the dequeued operation without being processed, the maximum number of operations that can be flushed is the remaining operations to return, which is the maximum number of operations that can be return minus the number of operations ready to be returned (nb_ops - processed_jobs), minus 1 (for the new operation). The problem comes when (nb_ops - processed_jobs) is 1 (last operation to dequeue). In that case, flush_mb_mgr is called with maximum number of operations equal to 0, which is wrong, causing a potential overrun in the "ops" array. Besides, the operation dequeued from the ring will be leaked, as no more operations can be returned. The solution is to first check if there are jobs available in the manager. If there are not, flush operation gets called, and if enough operations are returned from the manager, then no more outstanding operations get dequeued from the ring, avoiding both the memory leak and the array overrun. If there are enough jobs, PMD tries to dequeue an operation from the ring. If there are no operations in the ring, the new job pointer is not used, and it will be used in the next get_next_job call, so no memory leak happens. Fixes: 0f548b50a160 ("crypto/aesni_mb: process crypto op on dequeue") Signed-off-by: Pablo de Lara Acked-by: Konstantin Ananyev --- drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c index 93dc7a443..e2dd834f0 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c @@ -834,9 +834,4 @@ aesni_mb_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops, uint8_t digest_idx = qp->digest_idx; do { - /* Get next operation to process from ingress queue */ - retval = rte_ring_dequeue(qp->ingress_queue, (void **)&op); - if (retval < 0) - break; - /* Get next free mb job struct from mb manager */ job = (*qp->op_fns->job.get_next)(qp->mb_mgr); @@ -845,9 +840,22 @@ aesni_mb_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops, processed_jobs += flush_mb_mgr(qp, &ops[processed_jobs], - (nb_ops - processed_jobs) - 1); + nb_ops - processed_jobs); + + if (nb_ops == processed_jobs) + break; job = (*qp->op_fns->job.get_next)(qp->mb_mgr); } + /* + * Get next operation to process from ingress queue. + * There is no need to return the job to the MB_MGR + * if there are no more operations to process, since the MB_MGR + * can use that pointer again in next get_next calls. + */ + retval = rte_ring_dequeue(qp->ingress_queue, (void **)&op); + if (retval < 0) + break; + retval = set_mb_job_params(job, qp, op, &digest_idx); if (unlikely(retval != 0)) { -- 2.19.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2018-11-21 15:59:14.775425876 +0000 +++ 0046-crypto-aesni_mb-fix-possible-array-overrun.patch 2018-11-21 15:59:13.000000000 +0000 @@ -1,8 +1,10 @@ -From 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 Mon Sep 17 00:00:00 2001 +From a42cc166aa46a6d9506914eb8dc0b4ecf075f084 Mon Sep 17 00:00:00 2001 From: Pablo de Lara Date: Thu, 2 Aug 2018 05:49:40 +0100 Subject: [PATCH] crypto/aesni_mb: fix possible array overrun +[ upstream commit 95978a85a410e7fa1a03d4f3b90c8770f7f29e72 ] + In order to process crypto operations in the AESNI MB PMD, they need to be sent to the buffer manager of the Multi-buffer library, through the "job" structure. @@ -36,7 +38,6 @@ happens. Fixes: 0f548b50a160 ("crypto/aesni_mb: process crypto op on dequeue") -Cc: stable@dpdk.org Signed-off-by: Pablo de Lara Acked-by: Konstantin Ananyev