From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3511045BB6 for ; Wed, 23 Oct 2024 23:20:58 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2F89E40261; Wed, 23 Oct 2024 23:20:58 +0200 (CEST) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mails.dpdk.org (Postfix) with ESMTP id 91A1840261 for ; Wed, 23 Oct 2024 23:20:56 +0200 (CEST) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4314c4cb752so1978665e9.2 for ; Wed, 23 Oct 2024 14:20:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1729718456; x=1730323256; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WHKWBbiIiQGmVbiWrOUWgJ197UTMT55uujbVsyAyuhQ=; b=DlT7BEmlfx0p1PKa72/ESpF2dPApmHr0LGW8PTba9DkX+gTIGbMzmexLvwch4e1wMZ AwV2nePI0IuDbv6VmT8fbYAhZ6hJvKz6L4SX42P7eP3d0L5m/aUrMrVTAnUSRcxA8fTZ OFuMMyBa90jVkdZB4XREEjkU6wpiOY51iP9IvYsEyn9wBK97ctWuuBhU7b9LXeitBj30 UM+ZSAi2eiPbb5lAX0twfw2AUnIBgFphJqA2aRiAxp+S/fj8o8VLMfSZYa5qM3YOEBmo 9bQvPP65P1TAPyvSw/zfJMMRmEAp1En6V8m8R4zqAVWlI3w0uZzPYLA+06GOaBn+00W2 4aFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729718456; x=1730323256; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WHKWBbiIiQGmVbiWrOUWgJ197UTMT55uujbVsyAyuhQ=; b=holfbrU5irfiIPsiUeCuFqQAR8KztYXHh2LB86uUzVtMSpUwFQSiDgLYAH4S4c0yZY u4Scpd8hbJX15StWBoCpuctgw2+Leapq1zX7XPTKeBb7UaSWof6zcX+m93u2dPca0Zen bZLigtECOxCzg6pnrZv31vNf88TAefsm075Je7K2e9LWY6H3H/oMePNH/Ddd5sYtaZgG DT9EKHippNz5aDINNXhxV4JEWndAq9BB42a3hmlmtdmwU0243Wd0MWcwsbiND1CVOsLE 8pBjm9YLQXFmgI7XoWwUbwB1x5V/z0tEysTNxzxhGKMvR1QRX9PvaI7rPDf3zXRH2C2Z m9yA== X-Forwarded-Encrypted: i=1; AJvYcCXHOBXR+frgSFK5zM2U2dTVpqlp9mzbqWHOlk37S0ASUBiQaVAMdcgZGWmbMZ9bujxMn98de0s=@dpdk.org X-Gm-Message-State: AOJu0Yz5sNR064/NOM3CSq5o0UH02JfEswkHznVLAmCLjYVl8f02bGNX 8zXxYwY3CNzHthDJWQpPmVNTB6SaFFhPzpICW8IcRGGGmpXGEwVNNSj6LJGm X-Google-Smtp-Source: AGHT+IG8+LxNHeDoFo3FyLHKXyaMV+1VIbOwIRhdXdShbnXlp0x8XmrTJu9SXY0q7ogdJKhmyYq4PQ== X-Received: by 2002:a05:600c:314d:b0:431:58bc:ad5e with SMTP id 5b1f17b1804b1-4318419a826mr34133315e9.28.1729718456116; Wed, 23 Oct 2024 14:20:56 -0700 (PDT) Received: from localhost ([2a01:4b00:d036:ae00:21cd:def0:a01d:d2aa]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-43186bdb784sm27207225e9.13.2024.10.23.14.20.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Oct 2024 14:20:55 -0700 (PDT) From: luca.boccassi@gmail.com To: Mihai Brodschi Cc: Ferruh Yigit , dpdk stable Subject: patch 'net/memif: fix buffer overflow in zero copy Rx' has been queued to stable release 22.11.7 Date: Wed, 23 Oct 2024 22:16:41 +0100 Message-ID: <20241023211704.1216956-61-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20241023211704.1216956-1-luca.boccassi@gmail.com> References: <20241023211704.1216956-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 22.11.7 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 10/25/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/bluca/dpdk-stable This queued commit can be viewed at: https://github.com/bluca/dpdk-stable/commit/270f15f3fdc970e6c1443be6eac23dc544890c80 Thanks. Luca Boccassi --- >From 270f15f3fdc970e6c1443be6eac23dc544890c80 Mon Sep 17 00:00:00 2001 From: Mihai Brodschi Date: Sat, 29 Jun 2024 00:01:29 +0300 Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx [ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ] rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate new mbufs to be provided to the sender. The allocated mbuf pointers are stored in a ring, but the alloc function doesn't implement index wrap-around, so it writes past the end of the array. This results in memory corruption and duplicate mbufs being received. Allocate 2x the space for the mbuf ring, so that the alloc function has a contiguous array to write to, then copy the excess entries to the start of the array. Fixes: 43b815d88188 ("net/memif: support zero-copy slave") Signed-off-by: Mihai Brodschi Reviewed-by: Ferruh Yigit --- .mailmap | 1 + drivers/net/memif/rte_eth_memif.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.mailmap b/.mailmap index dd1c6a6a87..629383cb25 100644 --- a/.mailmap +++ b/.mailmap @@ -932,6 +932,7 @@ Michal Swiatkowski Michal Wilczynski Michel Machado Miguel Bernal Marin +Mihai Brodschi Mihai Pogonaru Mike Baucom Mike Pattrick diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c index 86b821ac5c..9379c201e9 100644 --- a/drivers/net/memif/rte_eth_memif.c +++ b/drivers/net/memif/rte_eth_memif.c @@ -531,6 +531,10 @@ refill: ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots); if (unlikely(ret < 0)) goto no_free_mbufs; + if (unlikely(n_slots > ring_size - (head & mask))) { + rte_memcpy(mq->buffers, &mq->buffers[ring_size], + (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *)); + } while (n_slots--) { s0 = head++ & mask; @@ -1127,8 +1131,12 @@ memif_init_queues(struct rte_eth_dev *dev) } mq->buffers = NULL; if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) { + /* + * Allocate 2x ring_size to reserve a contiguous array for + * rte_pktmbuf_alloc_bulk (to store allocated mbufs). + */ mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) * - (1 << mq->log2_ring_size), 0); + (1 << (mq->log2_ring_size + 1)), 0); if (mq->buffers == NULL) return -ENOMEM; } -- 2.45.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-10-23 22:16:42.824756841 +0100 +++ 0061-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch 2024-10-23 22:16:40.519943519 +0100 @@ -1 +1 @@ -From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001 +From 270f15f3fdc970e6c1443be6eac23dc544890c80 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ] + @@ -17 +18,0 @@ -Cc: stable@dpdk.org @@ -27 +28 @@ -index 7b3a20af68..2e909c48a8 100644 +index dd1c6a6a87..629383cb25 100644 @@ -30 +31,2 @@ -@@ -1011,6 +1011,7 @@ Michal Wilczynski +@@ -932,6 +932,7 @@ Michal Swiatkowski + Michal Wilczynski @@ -32 +33,0 @@ - Midde Ajijur Rehaman @@ -39 +40 @@ -index e220ffaf92..cd722f254f 100644 +index 86b821ac5c..9379c201e9 100644 @@ -42 +43 @@ -@@ -600,6 +600,10 @@ refill: +@@ -531,6 +531,10 @@ refill: @@ -53 +54 @@ -@@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev) +@@ -1127,8 +1131,12 @@ memif_init_queues(struct rte_eth_dev *dev)