From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id AB77EA0542 for ; Fri, 7 Feb 2020 16:14:29 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 949BA1BF8E; Fri, 7 Feb 2020 16:14:29 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id 6140F1C0DB for ; Fri, 7 Feb 2020 16:14:28 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581088467; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tFE48Rp/W8FB/l0coUDxv0aINc/i9cKwreUW594X3Lg=; b=PuYj439ZhtGqMNHSEIhbuMVZ8gxh7A8x1p3Nai2dFtqFNz2a5EKmW99LZKBXl8HntEO/9y FrFkpP7Zdc10EFxVjXRkh0MihLrBk8gyiWMpzWaZ8qdOKY1kv6espQPffLRh9jmW/XmqLw 1iZ6zu3iZw40XRxSvy0xzzJ8D/HGn/A= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-70-5xl3L0UKMKaF_qcC9yv8xA-1; Fri, 07 Feb 2020 10:14:11 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id F0B9D805722 for ; Fri, 7 Feb 2020 15:14:10 +0000 (UTC) Received: from rh.redhat.com (unknown [10.33.36.76]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3654410016DA; Fri, 7 Feb 2020 15:14:07 +0000 (UTC) From: Kevin Traynor To: Aaron Conole Cc: David Marchand , dpdk stable Date: Fri, 7 Feb 2020 15:12:48 +0000 Message-Id: <20200207151248.29804-36-ktraynor@redhat.com> In-Reply-To: <20200207151248.29804-1-ktraynor@redhat.com> References: <20200207151248.29804-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-MC-Unique: 5xl3L0UKMKaF_qcC9yv8xA-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Subject: [dpdk-stable] patch 'service: don't walk out of bounds when checking services' has been queued to LTS release 18.11.7 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Hi, FYI, your patch has been queued to LTS release 18.11.7 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 02/13/20. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasi= ng (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable-queue This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable-queue/commit/dd4c770c5e356915e9= ee134f0baba286ce3784cc Thanks. Kevin. --- >From dd4c770c5e356915e9ee134f0baba286ce3784cc Mon Sep 17 00:00:00 2001 From: Aaron Conole Date: Tue, 3 Dec 2019 16:15:44 -0500 Subject: [PATCH] service: don't walk out of bounds when checking services [ upstream commit 2e088e6f94b773233c06440763c1be43d0d705b3 ] The service_valid call is used without properly bounds checking the input parameter. Almost all instances of the service_valid call are inside a for() loop that prevents excessive walks, but some of the public APIs don't bounds check and will pass invalid arguments. Prevent this by using SERVICE_GET_OR_ERR_RET where it makes sense, and adding a bounds check to one service_valid() use. Fixes: 8d39d3e237c2 ("service: fix race in service on app lcore function") Fixes: e9139a32f6e8 ("service: add function to run on app lcore") Fixes: e30dd31847d2 ("service: add mechanism for quiescing") Signed-off-by: Aaron Conole Reviewed-by: David Marchand --- lib/librte_eal/common/rte_service.c | 32 ++++++++++++++++++----------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/lib/librte_eal/common/rte_service.c b/lib/librte_eal/common/rt= e_service.c index 97449460dc..53dd6a7bbf 100644 --- a/lib/librte_eal/common/rte_service.c +++ b/lib/librte_eal/common/rte_service.c @@ -137,4 +137,10 @@ service_valid(uint32_t id) } =20 +static struct rte_service_spec_impl * +service_get(uint32_t id) +{ +=09return &rte_services[id]; +} + /* validate ID and retrieve service pointer, or return error value */ #define SERVICE_VALID_GET_OR_ERR_RET(id, service, retval) do { \ @@ -344,10 +350,12 @@ rte_service_runner_do_callback(struct rte_service_spe= c_impl *s, =20 =20 -static inline int32_t -service_run(uint32_t i, struct core_state *cs, uint64_t service_mask) +/* Expects the service 's' is valid. */ +static int32_t +service_run(uint32_t i, struct core_state *cs, uint64_t service_mask, +=09 struct rte_service_spec_impl *s) { -=09if (!service_valid(i)) +=09if (!s) =09=09return -EINVAL; -=09struct rte_service_spec_impl *s =3D &rte_services[i]; + =09if (s->comp_runstate !=3D RUNSTATE_RUNNING || =09=09=09s->app_runstate !=3D RUNSTATE_RUNNING || @@ -383,5 +391,5 @@ rte_service_may_be_active(uint32_t id) =09int i; =20 -=09if (!service_valid(id)) +=09if (id >=3D RTE_SERVICE_NUM_MAX || !service_valid(id)) =09=09return -EINVAL; =20 @@ -397,10 +405,8 @@ int32_t rte_service_run_iter_on_app_lcore(uint32_t id, uint32_t serialize_mt_unsaf= e) { -=09/* run service on calling core, using all-ones as the service mask */ -=09if (!service_valid(id)) -=09=09return -EINVAL; - =09struct core_state *cs =3D &lcore_states[rte_lcore_id()]; -=09struct rte_service_spec_impl *s =3D &rte_services[id]; +=09struct rte_service_spec_impl *s; + +=09SERVICE_VALID_GET_OR_ERR_RET(id, s, -EINVAL); =20 =09/* Atomically add this core to the mapped cores first, then examine if @@ -418,5 +424,5 @@ rte_service_run_iter_on_app_lcore(uint32_t id, uint32_t= serialize_mt_unsafe) =09} =20 -=09int ret =3D service_run(id, cs, UINT64_MAX); +=09int ret =3D service_run(id, cs, UINT64_MAX, s); =20 =09if (serialize_mt_unsafe) @@ -438,6 +444,8 @@ rte_service_runner_func(void *arg) =20 =09=09for (i =3D 0; i < RTE_SERVICE_NUM_MAX; i++) { +=09=09=09if (!service_valid(i)) +=09=09=09=09continue; =09=09=09/* return value ignored as no change to code flow */ -=09=09=09service_run(i, cs, service_mask); +=09=09=09service_run(i, cs, service_mask, service_get(i)); =09=09} =20 --=20 2.21.1 --- Diff of the applied patch vs upstream commit (please double-check if non-= empty: --- --- -=092020-02-07 15:08:19.393876737 +0000 +++ 0036-service-don-t-walk-out-of-bounds-when-checking-servi.patch=092020-= 02-07 15:08:17.572062179 +0000 @@ -1 +1 @@ -From 2e088e6f94b773233c06440763c1be43d0d705b3 Mon Sep 17 00:00:00 2001 +From dd4c770c5e356915e9ee134f0baba286ce3784cc Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 2e088e6f94b773233c06440763c1be43d0d705b3 ] + @@ -17 +18,0 @@ -Cc: stable@dpdk.org @@ -26 +27 @@ -index 79235c03f8..7e537b8cd2 100644 +index 97449460dc..53dd6a7bbf 100644 @@ -29 +30 @@ -@@ -138,4 +138,10 @@ service_valid(uint32_t id) +@@ -137,4 +137,10 @@ service_valid(uint32_t id) @@ -40 +41 @@ -@@ -345,10 +351,12 @@ rte_service_runner_do_callback(struct rte_service_sp= ec_impl *s, +@@ -344,10 +350,12 @@ rte_service_runner_do_callback(struct rte_service_sp= ec_impl *s, @@ -57 +58 @@ -@@ -384,5 +392,5 @@ rte_service_may_be_active(uint32_t id) +@@ -383,5 +391,5 @@ rte_service_may_be_active(uint32_t id) @@ -64 +65 @@ -@@ -398,10 +406,8 @@ int32_t +@@ -397,10 +405,8 @@ int32_t @@ -78 +79 @@ -@@ -419,5 +425,5 @@ rte_service_run_iter_on_app_lcore(uint32_t id, uint32_= t serialize_mt_unsafe) +@@ -418,5 +424,5 @@ rte_service_run_iter_on_app_lcore(uint32_t id, uint32_= t serialize_mt_unsafe) @@ -85 +86 @@ -@@ -439,6 +445,8 @@ rte_service_runner_func(void *arg) +@@ -438,6 +444,8 @@ rte_service_runner_func(void *arg)