patch 'net/gve: fix refill logic causing memory corruption' has been queued to stable release 23.11.3

[Xueming Li <xuemingl@nvidia.com>]

Hi,

FYI, your patch has been queued to stable release 23.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/30/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=7907e4749624ac43a40a71bc200faa46d2e219dc

Thanks.

Xueming Li <xuemingl@nvidia.com>

---
From 7907e4749624ac43a40a71bc200faa46d2e219dc Mon Sep 17 00:00:00 2001
From: Joshua Washington <joshwash@google.com>
Date: Thu, 3 Oct 2024 18:05:18 -0700
Subject: [PATCH] net/gve: fix refill logic causing memory corruption
Cc: Xueming Li <xuemingl@nvidia.com>

[ upstream commit 52c9b4069b216495d6e709bb500b6a52b8b2ca82 ]

There is a seemingly mundane error in the RX refill path which can lead
to major issues and ultimately program crashing.

This error occurs as part of an edge case where the exact number of
buffers the refill causes the ring to wrap around to 0. The current
refill logic is split into two conditions: first, when the number of
buffers to refill is greater than the number of buffers left in the ring
before wraparound occurs; second, when the opposite is true, and there
are enough buffers before wraparound to refill all buffers.

In this edge case, the first condition erroneously uses a (<) condition
to decide whether to wrap around, when it should have been (<=). In that
case, the second condition would run and the tail pointer would be set
to an invalid value (RING_SIZE). This causes a number of cascading
failures.

1. The first issue rather mundane in that rxq->bufq_tail == RING_SIZE at
   the end of the refill, this will correct itself on the next refill
   without any sort of memory leak or corruption;
2. The second failure is that the head pointer would end up overrunning
   the tail because the last buffer that is refilled is refilled at
   sw_ring[RING_SIZE] instead of sw_ring[0]. This would cause the driver
   to give the application a stale mbuf, one that has been potentially
   freed or is otherwise stale;
3. The third failure comes from the fact that the software ring is being
   overrun. Because we directly use the sw_ring pointer to refill
   buffers, when sw_ring[RING_SIZE] is filled, a buffer overflow occurs.
   The overwritten data has the potential to be important data, and this
   can potentially cause the program to crash outright.

This patch fixes the refill bug while greatly simplifying the logic so
that it is much less error-prone.

Fixes: 45da16b5b181 ("net/gve: support basic Rx data path for DQO")

Signed-off-by: Joshua Washington <joshwash@google.com>
Reviewed-by: Rushil Gupta <rushilg@google.com>
Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
---
 drivers/net/gve/gve_rx_dqo.c | 62 ++++++++++--------------------------
 1 file changed, 16 insertions(+), 46 deletions(-)

diff --git a/drivers/net/gve/gve_rx_dqo.c b/drivers/net/gve/gve_rx_dqo.c
index 0203d23b9a..f55a03f8c4 100644
--- a/drivers/net/gve/gve_rx_dqo.c
+++ b/drivers/net/gve/gve_rx_dqo.c
@@ -10,66 +10,36 @@
 static inline void
 gve_rx_refill_dqo(struct gve_rx_queue *rxq)
 {
-	volatile struct gve_rx_desc_dqo *rx_buf_ring;
 	volatile struct gve_rx_desc_dqo *rx_buf_desc;
 	struct rte_mbuf *nmb[rxq->nb_rx_hold];
 	uint16_t nb_refill = rxq->nb_rx_hold;
-	uint16_t nb_desc = rxq->nb_rx_desc;
 	uint16_t next_avail = rxq->bufq_tail;
 	struct rte_eth_dev *dev;
 	uint64_t dma_addr;
-	uint16_t delta;
 	int i;

 	if (rxq->nb_rx_hold < rxq->free_thresh)
 		return;

-	rx_buf_ring = rxq->rx_ring;
-	delta = nb_desc - next_avail;
-	if (unlikely(delta < nb_refill)) {
-		if (likely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, delta) == 0)) {
-			for (i = 0; i < delta; i++) {
-				rx_buf_desc = &rx_buf_ring[next_avail + i];
-				rxq->sw_ring[next_avail + i] = nmb[i];
-				dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i]));
-				rx_buf_desc->header_buf_addr = 0;
-				rx_buf_desc->buf_addr = dma_addr;
-			}
-			nb_refill -= delta;
-			next_avail = 0;
-			rxq->nb_rx_hold -= delta;
-		} else {
-			rxq->stats.no_mbufs_bulk++;
-			rxq->stats.no_mbufs += nb_desc - next_avail;
-			dev = &rte_eth_devices[rxq->port_id];
-			dev->data->rx_mbuf_alloc_failed += nb_desc - next_avail;
-			PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u",
-				    rxq->port_id, rxq->queue_id);
-			return;
-		}
+	if (unlikely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, nb_refill))) {
+		rxq->stats.no_mbufs_bulk++;
+		rxq->stats.no_mbufs += nb_refill;
+		dev = &rte_eth_devices[rxq->port_id];
+		dev->data->rx_mbuf_alloc_failed += nb_refill;
+		PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u",
+			    rxq->port_id, rxq->queue_id);
+		return;
 	}

-	if (nb_desc - next_avail >= nb_refill) {
-		if (likely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, nb_refill) == 0)) {
-			for (i = 0; i < nb_refill; i++) {
-				rx_buf_desc = &rx_buf_ring[next_avail + i];
-				rxq->sw_ring[next_avail + i] = nmb[i];
-				dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i]));
-				rx_buf_desc->header_buf_addr = 0;
-				rx_buf_desc->buf_addr = dma_addr;
-			}
-			next_avail += nb_refill;
-			rxq->nb_rx_hold -= nb_refill;
-		} else {
-			rxq->stats.no_mbufs_bulk++;
-			rxq->stats.no_mbufs += nb_desc - next_avail;
-			dev = &rte_eth_devices[rxq->port_id];
-			dev->data->rx_mbuf_alloc_failed += nb_desc - next_avail;
-			PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u",
-				    rxq->port_id, rxq->queue_id);
-		}
+	for (i = 0; i < nb_refill; i++) {
+		rx_buf_desc = &rxq->rx_ring[next_avail];
+		rxq->sw_ring[next_avail] = nmb[i];
+		dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i]));
+		rx_buf_desc->header_buf_addr = 0;
+		rx_buf_desc->buf_addr = dma_addr;
+		next_avail = (next_avail + 1) & (rxq->nb_rx_desc - 1);
 	}
-
+	rxq->nb_rx_hold -= nb_refill;
 	rte_write32(next_avail, rxq->qrx_tail);

 	rxq->bufq_tail = next_avail;
--
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-11-11 14:23:09.294538355 +0800
+++ 0092-net-gve-fix-refill-logic-causing-memory-corruption.patch	2024-11-11 14:23:05.232192837 +0800
@@ -1 +1 @@
-From 52c9b4069b216495d6e709bb500b6a52b8b2ca82 Mon Sep 17 00:00:00 2001
+From 7907e4749624ac43a40a71bc200faa46d2e219dc Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl@nvidia.com>
+
+[ upstream commit 52c9b4069b216495d6e709bb500b6a52b8b2ca82 ]
@@ -40 +42,0 @@
-Cc: stable@dpdk.org
@@ -50 +52 @@
-index e4084bc0dd..5371bab77d 100644
+index 0203d23b9a..f55a03f8c4 100644
@@ -53 +55 @@
-@@ -11,66 +11,36 @@
+@@ -10,66 +10,36 @@