From: Kevin Traynor
To: Ajit Khaparde
Cc: Damodharam Ammepalli, dpdk stable
Subject: patch 'net/bnxt: fix array overflow' has been queued to stable release 21.11.7
Date: Tue, 5 Mar 2024 15:34:31 +0000
Message-ID: <20240305153449.263666-58-ktraynor@redhat.com>
In-Reply-To: <20240305153449.263666-1-ktraynor@redhat.com>
References: <20240305153449.263666-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/11/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/f6e82481277302959b2e0b05a73a61d5607ec240

Thanks.

Kevin

---
>From f6e82481277302959b2e0b05a73a61d5607ec240 Mon Sep 17 00:00:00 2001
From: Ajit Khaparde Date: Mon, 11 Dec 2023 09:11:03 -0800 Subject: [PATCH] net/bnxt: fix array overflow [ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ] In some cases the number of elements in the context memory array can exceed the MAX_CTX_PAGES and that can cause the static members ctx_pg_arr and ctx_dma_arr to overflow. Allocate them dynamically to prevent this overflow. Fixes: f8168ca0e690 ("net/bnxt: support thor controller") Signed-off-by: Ajit Khaparde Reviewed-by: Damodharam Ammepalli --- drivers/net/bnxt/bnxt.h | 4 ++-- drivers/net/bnxt/bnxt_ethdev.c | 42 +++++++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 10 deletions(-) diff --git a/drivers/net/bnxt/bnxt.h b/drivers/net/bnxt/bnxt.h index 76783eb3a1..31761f4804 100644 --- a/drivers/net/bnxt/bnxt.h +++ b/drivers/net/bnxt/bnxt.h @@ -442,6 +442,6 @@ struct bnxt_ring_mem_info { struct bnxt_ctx_pg_info { uint32_t entries; - void *ctx_pg_arr[MAX_CTX_PAGES]; - rte_iova_t ctx_dma_arr[MAX_CTX_PAGES]; + void **ctx_pg_arr; + rte_iova_t *ctx_dma_arr; struct bnxt_ring_mem_info ring_mem; }; diff --git a/drivers/net/bnxt/bnxt_ethdev.c b/drivers/net/bnxt/bnxt_ethdev.c index 44fd45a4e9..55f96f0699 100644 --- a/drivers/net/bnxt/bnxt_ethdev.c +++ b/drivers/net/bnxt/bnxt_ethdev.c @@ -4691,5 +4691,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, struct bnxt_ring_mem_info *rmem = &ctx_pg->ring_mem; const struct rte_memzone *mz = NULL; - char mz_name[RTE_MEMZONE_NAMESIZE]; + char name[RTE_MEMZONE_NAMESIZE]; rte_iova_t mz_phys_addr; uint64_t valid_bits = 0; 
@@ -4703,4 +4703,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, BNXT_PAGE_SIZE; rmem->page_size = BNXT_PAGE_SIZE; + + snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_pg_arr%s_%x_%d", + suffix, idx, bp->eth_dev->data->port_id); + ctx_pg->ctx_pg_arr = rte_zmalloc(name, sizeof(void *) * rmem->nr_pages, 0); + if (ctx_pg->ctx_pg_arr == NULL) + return -ENOMEM; + + snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_dma_arr%s_%x_%d", + suffix, idx, bp->eth_dev->data->port_id); + ctx_pg->ctx_dma_arr = rte_zmalloc(name, sizeof(rte_iova_t *) * rmem->nr_pages, 0); + if (ctx_pg->ctx_dma_arr == NULL) + return -ENOMEM; + rmem->pg_arr = ctx_pg->ctx_pg_arr; rmem->dma_arr = ctx_pg->ctx_dma_arr; @@ -4710,11 +4723,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, if (rmem->nr_pages > 1) { - snprintf(mz_name, RTE_MEMZONE_NAMESIZE, + snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_pg_tbl%s_%x_%d", suffix, idx, bp->eth_dev->data->port_id); - mz_name[RTE_MEMZONE_NAMESIZE - 1] = 0; - mz = rte_memzone_lookup(mz_name); + name[RTE_MEMZONE_NAMESIZE - 1] = 0; + mz = rte_memzone_lookup(name); if (!mz) { - mz = rte_memzone_reserve_aligned(mz_name, + mz = rte_memzone_reserve_aligned(name, rmem->nr_pages * 8, bp->eth_dev->device->numa_node, @@ -4735,9 +4748,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, } - snprintf(mz_name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d", + snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d", suffix, idx, bp->eth_dev->data->port_id); - mz = rte_memzone_lookup(mz_name); + mz = rte_memzone_lookup(name); if (!mz) { - mz = rte_memzone_reserve_aligned(mz_name, + mz = rte_memzone_reserve_aligned(name, mem_size, bp->eth_dev->device->numa_node, 
@@ -4785,4 +4798,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp) bp->ctx->flags &= ~BNXT_CTX_FLAG_INITED; + rte_free(bp->ctx->qp_mem.ctx_pg_arr); + rte_free(bp->ctx->srq_mem.ctx_pg_arr); + rte_free(bp->ctx->cq_mem.ctx_pg_arr); + rte_free(bp->ctx->vnic_mem.ctx_pg_arr); + rte_free(bp->ctx->stat_mem.ctx_pg_arr); + rte_free(bp->ctx->qp_mem.ctx_dma_arr); + rte_free(bp->ctx->srq_mem.ctx_dma_arr); + rte_free(bp->ctx->cq_mem.ctx_dma_arr); + rte_free(bp->ctx->vnic_mem.ctx_dma_arr); + rte_free(bp->ctx->stat_mem.ctx_dma_arr); + rte_memzone_free(bp->ctx->qp_mem.ring_mem.mz); rte_memzone_free(bp->ctx->srq_mem.ring_mem.mz); @@ -4797,4 +4821,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp) for (i = 0; i < bp->ctx->tqm_fp_rings_count + 1; i++) { + rte_free(bp->ctx->tqm_mem[i]->ctx_pg_arr); + rte_free(bp->ctx->tqm_mem[i]->ctx_dma_arr); if (bp->ctx->tqm_mem[i]) rte_memzone_free(bp->ctx->tqm_mem[i]->ring_mem.mz); -- 2.43.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-03-05 14:08:56.021503363 +0000 +++ 0058-net-bnxt-fix-array-overflow.patch 2024-03-05 14:08:54.706520913 +0000 @@ -1 +1 @@ -From 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 Mon Sep 17 00:00:00 2001 +From f6e82481277302959b2e0b05a73a61d5607ec240 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ] + @@ -12 +13,0 @@ -Cc: stable@dpdk.org @@ -22 +23 @@ -index 50f59552fa..dd08393b82 100644 +index 76783eb3a1..31761f4804 100644 @@ -25 +26 @@ -@@ -456,6 +456,6 @@ struct bnxt_ring_mem_info { +@@ -442,6 +442,6 @@ struct bnxt_ring_mem_info { @@ -35 +36 @@ -index b0589e2e49..762d863f14 100644 +index 44fd45a4e9..55f96f0699 100644 @@ -38 +39 @@ -@@ -4770,5 +4770,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, +@@ -4691,5 +4691,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, 
@@ -45 +46 @@ -@@ -4782,4 +4782,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, +@@ -4703,4 +4703,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, @@ -63 +64 @@ -@@ -4789,11 +4802,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, +@@ -4710,11 +4723,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, @@ -79 +80 @@ -@@ -4814,9 +4827,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, +@@ -4735,9 +4748,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp, @@ -92 +93 @@ -@@ -4864,4 +4877,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp) +@@ -4785,4 +4798,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp) @@ -108 +109 @@ -@@ -4876,4 +4900,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp) +@@ -4797,4 +4821,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
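
Review bot: in the bnxt.h hunk (@@ -442,6 +442,6 @@), ctx_pg_arr and ctx_dma_arr change from fixed MAX_CTX_PAGES arrays to bare pointers with no comment saying how many elements they hold or who owns them. A one-line comment on struct bnxt_ctx_pg_info stating that both are allocated in bnxt_alloc_ctx_mem_blk with ring_mem.nr_pages entries and released in bnxt_free_ctx_mem would make the new contract explicit. Any remaining code that sizes or bounds these members with sizeof or MAX_CTX_PAGES should also be checked, since sizeof now yields the size of a pointer.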
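
Review bot: the ctx_dma_arr allocation in the bnxt_alloc_ctx_mem_blk hunk (@@ -4703,4 +4703,17 @@) sizes its elements with sizeof(rte_iova_t *), a pointer, while the member is declared rte_iova_t *ctx_dma_arr and therefore stores rte_iova_t values. On any build where a pointer is narrower than the 64-bit rte_iova_t, the buffer is too small for nr_pages entries and the overflow this patch is meant to remove comes back on the heap; use sizeof(rte_iova_t), or sizeof(*ctx_pg->ctx_dma_arr) so the size follows the declaration. In the same hunk, the second "return -ENOMEM" leaves the just-allocated ctx_pg_arr in place, so unless every caller runs bnxt_free_ctx_mem on failure (not visible here) that array leaks; freeing it and clearing the pointer before returning would make the error path self-contained. Switching both calls to rte_calloc(name, rmem->nr_pages, sizeof(...), 0) would also express the element count and size separately instead of multiplying them by hand.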
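
Review bot: the ten rte_free() calls added to bnxt_free_ctx_mem (@@ -4785,4 +4798,15 @@) leave the freed addresses in ctx_pg_arr and ctx_dma_arr. bnxt_alloc_ctx_mem_blk also copies those pointers into rmem->pg_arr and rmem->dma_arr, so after teardown both the context and its ring_mem still reference released memory. Setting the members to NULL after each rte_free(), ideally through a small helper that takes a struct bnxt_ctx_pg_info * and clears both arrays plus the ring_mem aliases, would turn a repeated teardown or a late access into a harmless no-op or an immediate fault instead of a double free or use-after-free.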
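
Review bot: in the tqm_mem loop of bnxt_free_ctx_mem (@@ -4797,4 +4821,6 @@), the two added rte_free() calls dereference bp->ctx->tqm_mem[i] before the existing "if (bp->ctx->tqm_mem[i])" check on the following line. That check shows an entry can be NULL, in which case the new lines fault before the guard is reached. Move both rte_free() calls inside the if block, next to rte_memzone_free(bp->ctx->tqm_mem[i]->ring_mem.mz), which needs braces around the three statements.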