From: luca.boccassi@gmail.com
To: Linsi Yuan
Cc: Dongsheng Rong, Lance Richardson, Ajit Khaparde, dpdk stable
Date: Tue, 19 May 2020 14:05:22 +0100
Message-Id: <20200519130549.112823-187-luca.boccassi@gmail.com>
Subject: [dpdk-stable] patch 'net/bnxt: fix possible stack smashing' has been queued to stable release 19.11.3

Hi,

FYI, your patch has been queued to stable release 19.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/21/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 6c8f2aef2f40eeda2cc2c870395d7e89b997a200 Mon Sep 17 00:00:00 2001
From: Linsi Yuan Date: Thu, 30 Apr 2020 21:37:52 +0800 Subject: [PATCH] net/bnxt: fix possible stack smashing [ upstream commit 6ebabb76a57c02681a01e07bf8016e4308c14c7c ] We see a stack smashing as a result of defensive code missing. Once the nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to zero after doing a floor align, and we can not exit the following receiving packets loop. And the buffers will be overwrite, then the stack frame was ruined. Fix the problem by adding defensive code, once the nb_pkts is zero, just directly return with no packets. Fixes: bc4a000f2f53 ("net/bnxt: implement SSE vector mode") Signed-off-by: Linsi Yuan Signed-off-by: Dongsheng Rong Acked-by: Lance Richardson Reviewed-by: Ajit Khaparde --- drivers/net/bnxt/bnxt_rxtx_vec_sse.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c index 31457300a7..8b4c396821 100644 --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts, /* Return no more than RTE_BNXT_MAX_RX_BURST per call. */ nb_pkts = RTE_MIN(nb_pkts, RTE_BNXT_MAX_RX_BURST); - /* Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP */ + /* + * Make nb_pkts an integer multiple of RTE_BNXT_DESCS_PER_LOOP. + * nb_pkts < RTE_BNXT_DESCS_PER_LOOP, just return no packet + */ nb_pkts = RTE_ALIGN_FLOOR(nb_pkts, RTE_BNXT_DESCS_PER_LOOP); + if (!nb_pkts) + return 0; /* Handle RX burst request */ while (1) { -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-05-19 14:04:52.186426245 +0100 +++ 0187-net-bnxt-fix-possible-stack-smashing.patch 2020-05-19 14:04:44.536654173 +0100 @@ -1,8 +1,10 @@ -From 6ebabb76a57c02681a01e07bf8016e4308c14c7c Mon Sep 17 00:00:00 2001 +From 6c8f2aef2f40eeda2cc2c870395d7e89b997a200 Mon Sep 17 00:00:00 2001 
From: Linsi Yuan Date: Thu, 30 Apr 2020 21:37:52 +0800 Subject: [PATCH] net/bnxt: fix possible stack smashing +[ upstream commit 6ebabb76a57c02681a01e07bf8016e4308c14c7c ] + We see a stack smashing as a result of defensive code missing. Once the nb_pkts is less than RTE_BNXT_DESCS_PER_LOOP, it will be modified to zero after doing a floor align, and we can not exit the following @@ -13,7 +15,6 @@ directly return with no packets. Fixes: bc4a000f2f53 ("net/bnxt: implement SSE vector mode") -Cc: stable@dpdk.org Signed-off-by: Linsi Yuan Signed-off-by: Dongsheng Rong @@ -24,7 +25,7 @@ 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c -index d0e7910e77..8f73add9be 100644 +index 31457300a7..8b4c396821 100644 --- a/drivers/net/bnxt/bnxt_rxtx_vec_sse.c +++ b/drivers/net/bnxt/bnxt_rxtx_vec_sse.c @@ -233,8 +233,13 @@ bnxt_recv_pkts_vec(void *rx_queue, struct rte_mbuf **rx_pkts,
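Review bot: the early return added after RTE_ALIGN_FLOOR in bnxt_recv_pkts_vec() means a caller that polls with nb_pkts below RTE_BNXT_DESCS_PER_LOOP now gets 0 on every call, so that caller never receives packets on this vector path and nothing tells it why. The guard is the right fix for the overwrite described in the commit message, but the minimum burst size it imposes should be documented where callers will see it (the function's header comment or the driver guide), not only in the inline comment. The new inline comment would also be clearer if it stated why zero is unsafe, for example "if nb_pkts < RTE_BNXT_DESCS_PER_LOOP the aligned value is 0 and the loop below cannot exit on it, so return no packets". The exit test of the while (1) loop lies outside the visible context, so it is worth confirming during review that zero is the only aligned value for which that test fails to terminate.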