From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 735D843C60
	for <public@inbox.dpdk.org>; Thu,  7 Mar 2024 02:37:01 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 6EC7F42F13;
	Thu,  7 Mar 2024 02:37:01 +0100 (CET)
Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com
 [209.85.128.51]) by mails.dpdk.org (Postfix) with ESMTP id 193DB42F11
 for <stable@dpdk.org>; Thu,  7 Mar 2024 02:37:00 +0100 (CET)
Received: by mail-wm1-f51.google.com with SMTP id
 5b1f17b1804b1-4130ff11782so1009735e9.2
 for <stable@dpdk.org>; Wed, 06 Mar 2024 17:37:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1709775420; x=1710380220; darn=dpdk.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=j1SmjBmHfxF0GU9BPWZLwWCw4rY6jrtAd86cPc16UoQ=;
 b=B66jWjjzvNdbpefiOTWEGPnkvNZqJPB8IyFHNHTJUYTFeO7IM/Ushc8UI0jedeA61R
 5hcYtnn0uR18t8Y2fWDotLHbMFXUiFy6GttqUi4ZGGH5y27acDiGFHk3+LxDl70rIB5R
 bwGIxzBqVvO5K4B7X0+Oyytu6bYeze1075hPbninXFfGT29VCTLNh3Zbl7o4Bd8dkpY9
 Ms4Hg5CEx4U4ec1XbBRCrjy2b8+5tIM+5B67UxRVZmc88NxWZ4NRAAvjpcGTzM0Sq9IK
 LMPHN4OQLwcEMZdOvTQkA3wx9Ta3id4Q/Thx+o0ffcv0cVhYa/xafnesocNDiJayIrfk
 Mepg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1709775420; x=1710380220;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=j1SmjBmHfxF0GU9BPWZLwWCw4rY6jrtAd86cPc16UoQ=;
 b=PbUVW3yjUdV802bfRuipj5krF1GmtQnOjuuZnn3jRbCbTEul32wdKGEJ/7BVOxL7pO
 565VQ3uLFoRqpaV3SX8ul1uFMHwy/FWyC4LztVJG1dNVQSYPSPWcVdxzytysftZ1VMiN
 q3oCPjD/ho1rgQFCd4I1qCwcIaZ2B2mcB2KjsPDW6lr0ZpU7cs5+SQr7TRvfzW9BuFIc
 eikJRUSZ5WMEWZHkuy/S1u7HZI0TwCyeGPcJBUt+z2MMnOO+CfqarDC2UYmH9anyQMCd
 w7AXWrIPHDrRLovM7xEOlqKmpR7SvoXB+FZXDqn5K03UgFbJA+BkQ+yQDR2YCHKHzIGf
 94YQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCVToJ32+KF5gk9BfXiPZgP2MVWVCc0TH1YlqLU/VD/D2w0ZZ+sKLB60msPq9W5jGVyvjLQMSLJ4f0NWDUgQbwQ=
X-Gm-Message-State: AOJu0YxB7eEW7Dqiv9DUo8NuR6zVVAnn4ENBtpPQQXVvjdv0JhqWV6sp
 RVLWNH9zanlNkYGevPZOn0T2tBH7RYRu2rEvlnGz6XqxWDIkV2f1X+xK5EQzo74=
X-Google-Smtp-Source: AGHT+IFXmpMyys8B/B7BDsMGU8UXw54jTLIqCQtRq6WM9g2RrvGqSGEzU0Eh6xbXJt3HgUh+73EEMA==
X-Received: by 2002:a05:600c:4705:b0:412:8fef:7f with SMTP id
 v5-20020a05600c470500b004128fef007fmr12402733wmo.1.1709775419691; 
 Wed, 06 Mar 2024 17:36:59 -0800 (PST)
Received: from localhost ([137.220.120.171]) by smtp.gmail.com with ESMTPSA id
 s3-20020a05600c384300b00412ecc8ac70sm876459wmr.20.2024.03.06.17.36.59
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 06 Mar 2024 17:36:59 -0800 (PST)
From: luca.boccassi@gmail.com
To: Ajit Khaparde <ajit.khaparde@broadcom.com>
Cc: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>,
 dpdk stable <stable@dpdk.org>
Subject: patch 'net/bnxt: fix array overflow' has been queued to stable
 release 22.11.5
Date: Thu,  7 Mar 2024 01:31:42 +0000
Message-Id: <20240307013159.1735343-85-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240307013159.1735343-1-luca.boccassi@gmail.com>
References: <20240307013159.1735343-1-luca.boccassi@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

Hi,

FYI, your patch has been queued to stable release 22.11.5

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/09/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/f94b1dffa15c635729503ca1803fbbd89d6887c5

Thanks.

Luca Boccassi

---
>From f94b1dffa15c635729503ca1803fbbd89d6887c5 Mon Sep 17 00:00:00 2001
From: Ajit Khaparde <ajit.khaparde@broadcom.com>
Date: Mon, 11 Dec 2023 09:11:03 -0800
Subject: [PATCH] net/bnxt: fix array overflow

[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]

In some cases the number of elements in the context memory array
can exceed the MAX_CTX_PAGES and that can cause the static members
ctx_pg_arr and ctx_dma_arr to overflow.
Allocate them dynamically to prevent this overflow.

Fixes: f8168ca0e690 ("net/bnxt: support thor controller")

Signed-off-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
---
 drivers/net/bnxt/bnxt.h        |  4 ++--
 drivers/net/bnxt/bnxt_ethdev.c | 42 +++++++++++++++++++++++++++-------
 2 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/drivers/net/bnxt/bnxt.h b/drivers/net/bnxt/bnxt.h
index c9aa45ed3b..df6442abc4 100644
--- a/drivers/net/bnxt/bnxt.h
+++ b/drivers/net/bnxt/bnxt.h
@@ -441,8 +441,8 @@ struct bnxt_ring_mem_info {
 
 struct bnxt_ctx_pg_info {
 	uint32_t	entries;
-	void		*ctx_pg_arr[MAX_CTX_PAGES];
-	rte_iova_t	ctx_dma_arr[MAX_CTX_PAGES];
+	void		**ctx_pg_arr;
+	rte_iova_t	*ctx_dma_arr;
 	struct bnxt_ring_mem_info ring_mem;
 };
 
diff --git a/drivers/net/bnxt/bnxt_ethdev.c b/drivers/net/bnxt/bnxt_ethdev.c
index e3ba48ac0b..c89a31592a 100644
--- a/drivers/net/bnxt/bnxt_ethdev.c
+++ b/drivers/net/bnxt/bnxt_ethdev.c
@@ -4702,7 +4702,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
 {
 	struct bnxt_ring_mem_info *rmem = &ctx_pg->ring_mem;
 	const struct rte_memzone *mz = NULL;
-	char mz_name[RTE_MEMZONE_NAMESIZE];
+	char name[RTE_MEMZONE_NAMESIZE];
 	rte_iova_t mz_phys_addr;
 	uint64_t valid_bits = 0;
 	uint32_t sz;
@@ -4714,6 +4714,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
 	rmem->nr_pages = RTE_ALIGN_MUL_CEIL(mem_size, BNXT_PAGE_SIZE) /
 			 BNXT_PAGE_SIZE;
 	rmem->page_size = BNXT_PAGE_SIZE;
+
+	snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_pg_arr%s_%x_%d",
+		 suffix, idx, bp->eth_dev->data->port_id);
+	ctx_pg->ctx_pg_arr = rte_zmalloc(name, sizeof(void *) * rmem->nr_pages, 0);
+	if (ctx_pg->ctx_pg_arr == NULL)
+		return -ENOMEM;
+
+	snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_dma_arr%s_%x_%d",
+		 suffix, idx, bp->eth_dev->data->port_id);
+	ctx_pg->ctx_dma_arr = rte_zmalloc(name, sizeof(rte_iova_t *) * rmem->nr_pages, 0);
+	if (ctx_pg->ctx_dma_arr == NULL)
+		return -ENOMEM;
+
 	rmem->pg_arr = ctx_pg->ctx_pg_arr;
 	rmem->dma_arr = ctx_pg->ctx_dma_arr;
 	rmem->flags = BNXT_RMEM_VALID_PTE_FLAG;
@@ -4721,13 +4734,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
 	valid_bits = PTU_PTE_VALID;
 
 	if (rmem->nr_pages > 1) {
-		snprintf(mz_name, RTE_MEMZONE_NAMESIZE,
+		snprintf(name, RTE_MEMZONE_NAMESIZE,
 			 "bnxt_ctx_pg_tbl%s_%x_%d",
 			 suffix, idx, bp->eth_dev->data->port_id);
-		mz_name[RTE_MEMZONE_NAMESIZE - 1] = 0;
-		mz = rte_memzone_lookup(mz_name);
+		name[RTE_MEMZONE_NAMESIZE - 1] = 0;
+		mz = rte_memzone_lookup(name);
 		if (!mz) {
-			mz = rte_memzone_reserve_aligned(mz_name,
+			mz = rte_memzone_reserve_aligned(name,
 						rmem->nr_pages * 8,
 						bp->eth_dev->device->numa_node,
 						RTE_MEMZONE_2MB |
@@ -4746,11 +4759,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
 		rmem->pg_tbl_mz = mz;
 	}
 
-	snprintf(mz_name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
+	snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
 		 suffix, idx, bp->eth_dev->data->port_id);
-	mz = rte_memzone_lookup(mz_name);
+	mz = rte_memzone_lookup(name);
 	if (!mz) {
-		mz = rte_memzone_reserve_aligned(mz_name,
+		mz = rte_memzone_reserve_aligned(name,
 						 mem_size,
 						 bp->eth_dev->device->numa_node,
 						 RTE_MEMZONE_1GB |
@@ -4796,6 +4809,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
 		return;
 
 	bp->ctx->flags &= ~BNXT_CTX_FLAG_INITED;
+	rte_free(bp->ctx->qp_mem.ctx_pg_arr);
+	rte_free(bp->ctx->srq_mem.ctx_pg_arr);
+	rte_free(bp->ctx->cq_mem.ctx_pg_arr);
+	rte_free(bp->ctx->vnic_mem.ctx_pg_arr);
+	rte_free(bp->ctx->stat_mem.ctx_pg_arr);
+	rte_free(bp->ctx->qp_mem.ctx_dma_arr);
+	rte_free(bp->ctx->srq_mem.ctx_dma_arr);
+	rte_free(bp->ctx->cq_mem.ctx_dma_arr);
+	rte_free(bp->ctx->vnic_mem.ctx_dma_arr);
+	rte_free(bp->ctx->stat_mem.ctx_dma_arr);
+
 	rte_memzone_free(bp->ctx->qp_mem.ring_mem.mz);
 	rte_memzone_free(bp->ctx->srq_mem.ring_mem.mz);
 	rte_memzone_free(bp->ctx->cq_mem.ring_mem.mz);
@@ -4808,6 +4832,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
 	rte_memzone_free(bp->ctx->stat_mem.ring_mem.pg_tbl_mz);
 
 	for (i = 0; i < bp->ctx->tqm_fp_rings_count + 1; i++) {
+		rte_free(bp->ctx->tqm_mem[i]->ctx_pg_arr);
+		rte_free(bp->ctx->tqm_mem[i]->ctx_dma_arr);
 		if (bp->ctx->tqm_mem[i])
 			rte_memzone_free(bp->ctx->tqm_mem[i]->ring_mem.mz);
 	}
-- 
2.39.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-03-07 01:05:41.948228166 +0000
+++ 0085-net-bnxt-fix-array-overflow.patch	2024-03-07 01:05:34.958943412 +0000
@@ -1 +1 @@
-From 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 Mon Sep 17 00:00:00 2001
+From f94b1dffa15c635729503ca1803fbbd89d6887c5 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]
+
@@ -12 +13,0 @@
-Cc: stable@dpdk.org
@@ -22 +23 @@
-index 50f59552fa..dd08393b82 100644
+index c9aa45ed3b..df6442abc4 100644
@@ -25 +26 @@
-@@ -455,8 +455,8 @@ struct bnxt_ring_mem_info {
+@@ -441,8 +441,8 @@ struct bnxt_ring_mem_info {
@@ -37 +38 @@
-index b0589e2e49..762d863f14 100644
+index e3ba48ac0b..c89a31592a 100644
@@ -40 +41 @@
-@@ -4769,7 +4769,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4702,7 +4702,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -49 +50 @@
-@@ -4781,6 +4781,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4714,6 +4714,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -69 +70 @@
-@@ -4788,13 +4801,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4721,13 +4734,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -87 +88 @@
-@@ -4813,11 +4826,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4746,11 +4759,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -102 +103 @@
-@@ -4863,6 +4876,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4796,6 +4809,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
@@ -120 +121 @@
-@@ -4875,6 +4899,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4808,6 +4832,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)