From: Xueming Li
To: Fabio Pricoco
CC: Jacob Keller, "Soumyadeep Hore", Bruce Richardson, dpdk stable
Subject: patch 'net/ice/base: fix iteration of TLVs in Preserved Fields Area' has been queued to stable release 23.11.3
Date: Mon, 11 Nov 2024 14:27:44 +0800
Message-ID: <20241111062847.216344-59-xuemingl@nvidia.com>
In-Reply-To: <20241111062847.216344-1-xuemingl@nvidia.com>
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 23.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/30/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=cfaccd4bdaa1a89f4386adbe1a011012a386f56a

Thanks.

Xueming Li

---
>From cfaccd4bdaa1a89f4386adbe1a011012a386f56a Mon Sep 17 00:00:00 2001
From: Fabio Pricoco Date: Fri, 23 Aug 2024 09:56:42 +0000 Subject: [PATCH] net/ice/base: fix iteration of TLVs in Preserved Fields Area Cc: Xueming Li [ upstream commit dcb760bf0f951b404bce33a1dd14906154b58c75 ] The ice_get_pfa_module_tlv() function iterates over the Preserved Fields Area to read data from the Shadow RAM, including the Part Board Assembly data, among others. If the specific TLV being requested is not found in the current NVM, the code will read past the end of the PFA, misinterpreting the last word of the PFA and the word just after the PFA as another TLV. This typically results in one extra iteration before the length check of the while loop is triggered. Correct the logic for determining the maximum PFA offset to include the extra last word. Additionally, make the driver robust against overflows by using check_add_overflow. This ensures that even if the NVM provides bogus data, the driver will not overflow, and will instead log a useful warning message. The check for whether the TLV length exceeds the PFA length is also removed, in favor of relying on the overflow warning instead. Fixes: 5d0b7b5fc491 ("net/ice/base: add read PBA module function") Signed-off-by: Fabio Pricoco Signed-off-by: Jacob Keller Signed-off-by: Soumyadeep Hore Acked-by: Bruce Richardson --- drivers/net/ice/base/ice_nvm.c | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/drivers/net/ice/base/ice_nvm.c b/drivers/net/ice/base/ice_nvm.c index 6b0794f562..98c4c943ca 100644 --- a/drivers/net/ice/base/ice_nvm.c +++ b/drivers/net/ice/base/ice_nvm.c @@ -471,6 +471,8 @@ enum ice_status ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) return status; } +#define check_add_overflow __builtin_add_overflow + /** * ice_get_pfa_module_tlv - Reads sub module TLV from NVM PFA * @hw: pointer to hardware structure 
@@ -487,8 +489,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, u16 module_type) { enum ice_status status; - u16 pfa_len, pfa_ptr; - u32 next_tlv; + u16 pfa_len, pfa_ptr, next_tlv, max_tlv; status = ice_read_sr_word(hw, ICE_SR_PFA_PTR, &pfa_ptr); if (status != ICE_SUCCESS) { @@ -500,11 +501,23 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read PFA length.\n"); return status; } - /* Starting with first TLV after PFA length, iterate through the list + + if (check_add_overflow(pfa_ptr, (u16)(pfa_len - 1), &max_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "PFA starts at offset %u. PFA length of %u caused 16-bit arithmetic overflow.\n", + pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } + + /* The Preserved Fields Area contains a sequence of TLVs which define + * its contents. The PFA length includes all of the TLVs, plus its + * initial length word itself, *and* one final word at the end of all + * of the TLVs. + * + * Starting with first TLV after PFA length, iterate through the list * of TLVs to find the requested one. */ next_tlv = pfa_ptr + 1; - while (next_tlv < ((u32)pfa_ptr + pfa_len)) { + while (next_tlv < max_tlv) { u16 tlv_sub_module_type; u16 tlv_len; @@ -521,10 +534,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, ice_debug(hw, ICE_DBG_INIT, "Failed to read TLV length.\n"); break; } - if (tlv_len > pfa_len) { - ice_debug(hw, ICE_DBG_INIT, "Invalid TLV length.\n"); - return ICE_ERR_INVAL_SIZE; - } if (tlv_sub_module_type == module_type) { if (tlv_len) { *module_tlv = (u16)next_tlv; 
@@ -533,10 +542,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, } return ICE_ERR_INVAL_SIZE; } - /* Check next TLV, i.e. current TLV pointer + length + 2 words - * (for current TLV's type and length) - */ - next_tlv = next_tlv + tlv_len + 2; + + if (check_add_overflow(next_tlv, (u16)2, &next_tlv) || + check_add_overflow(next_tlv, tlv_len, &next_tlv)) { + ice_debug(hw, ICE_DBG_INIT, "TLV of type %u and length 0x%04x caused 16-bit arithmetic overflow. The PFA starts at 0x%04x and has length of 0x%04x\n", + tlv_sub_module_type, tlv_len, pfa_ptr, pfa_len); + return ICE_ERR_INVAL_SIZE; + } } /* Module does not exist */ return ICE_ERR_DOES_NOT_EXIST; -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-11-11 14:23:07.979390082 +0800 +++ 0058-net-ice-base-fix-iteration-of-TLVs-in-Preserved-Fiel.patch 2024-11-11 14:23:05.132192839 +0800 @@ -1 +1 @@ -From dcb760bf0f951b404bce33a1dd14906154b58c75 Mon Sep 17 00:00:00 2001 +From cfaccd4bdaa1a89f4386adbe1a011012a386f56a Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit dcb760bf0f951b404bce33a1dd14906154b58c75 ] @@ -25 +27,0 @@ -Cc: stable@dpdk.org @@ -36 +38 @@ -index 5e982de4b5..56c6c96a95 100644 +index 6b0794f562..98c4c943ca 100644 @@ -39 +41 @@ -@@ -469,6 +469,8 @@ int ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) +@@ -471,6 +471,8 @@ enum ice_status ice_read_sr_word(struct ice_hw *hw, u16 offset, u16 *data) @@ -48,2 +50 @@ -@@ -484,8 +486,7 @@ int - ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, +@@ -487,8 +489,7 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -51,0 +53 @@ + enum ice_status status; @@ -55 +56,0 @@ - int status; 
@@ -58 +59,2 @@ -@@ -498,11 +499,23 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, + if (status != ICE_SUCCESS) { +@@ -500,11 +501,23 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -84 +86 @@ -@@ -519,10 +532,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, +@@ -521,10 +534,6 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, @@ -95 +97 @@ -@@ -531,10 +540,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len, +@@ -533,10 +542,13 @@ ice_get_pfa_module_tlv(struct ice_hw *hw, u16 *module_tlv, u16 *module_tlv_len,
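
Review bot: the `#define check_add_overflow __builtin_add_overflow` added just above the ice_get_pfa_module_tlv() comment (hunk @@ -471,6 +471,8 @@) is unguarded and undocumented. __builtin_add_overflow is a GCC/Clang builtin, so a toolchain without it cannot build this file, and a file-local macro in the middle of ice_nvm.c is easy to miss or to redefine elsewhere. Suggest moving it to a shared header, wrapping it in `#ifndef check_add_overflow` (or providing a portable fallback), and adding a one-line comment that it returns true on overflow and still stores the wrapped result.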
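
Review bot: pfa_len == 0 is not rejected before `(u16)(pfa_len - 1)` in the new max_tlv computation (hunk @@ -500,11 +501,23 @@). The subtraction wraps to 0xFFFF, so for any non-zero pfa_ptr the function fails with a message that blames a "PFA length of 0" for an overflow, and for pfa_ptr == 0 the addition succeeds with max_tlv = 0xFFFF and the loop is bounded only by the 16-bit offset space. In the same hunk `next_tlv = pfa_ptr + 1;` is now a plain u16 assignment, so pfa_ptr = 0xFFFF with pfa_len = 1 passes the overflow check and starts the walk at offset 0. Suggest an explicit early return of ICE_ERR_INVAL_SIZE when pfa_len is 0 (or too small to hold the length word and the final word the new comment describes), and computing next_tlv with check_add_overflow as well.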
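
Review bot: removing the `tlv_len > pfa_len` check (hunk @@ -521,10 +534,6 @@) leaves the matching branch directly below it with no bound on tlv_len. When tlv_sub_module_type == module_type, `*module_tlv = (u16)next_tlv;` is handed back before the later check_add_overflow calls run, and those calls only catch 16-bit wraparound, not a TLV whose end lies past max_tlv. As far as the visible context shows, a non-zero length read from the NVM reaches the caller unvalidated. Suggest replacing the removed check rather than dropping it: verify, with check_add_overflow for the sum, that next_tlv + 2 + tlv_len does not exceed max_tlv before the type comparison.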
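
Review bot: the comment explaining the advance to the next TLV (current TLV pointer + length + 2 words for the type and length fields) is deleted in hunk @@ -533,10 +542,13 @@ and nothing replaces it, which leaves `(u16)2` in the first check_add_overflow call as a bare magic number. Suggest keeping a one-line comment above the two calls stating that the 2 covers the TLV's type and length words.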