From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 50D1345CE3 for ; Mon, 11 Nov 2024 07:38:43 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 478644067A; Mon, 11 Nov 2024 07:38:43 +0100 (CET) Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2058.outbound.protection.outlook.com [40.107.237.58]) by mails.dpdk.org (Postfix) with ESMTP id 550174067A for ; Mon, 11 Nov 2024 07:38:42 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=a65z1vrq7s9TYY3E8NZxwmGsldvdx8VqOfUQcykpStlb+DgaN6nIL/0o2k8AkI9ZlsINk0rblsjouR+TEzzy2rSq/sRL5KrIq5DbCI32gmeaAGBob58ocldwPTrTCBFUNm5dgpQQLUtUGXgNJZTFyibT0Bp5B7PB08PtwtmYCGubmOegatCLfIOSzL38Rrz8uWh0ftcAuR/A+Gue6EPrZFPR44gkUv8NFWmTGCCROJldY0gMN4k6tjNmc8jzKve/xtOEs1tE5cignwPvcpMvuPz87sWz+5PKTUEBxgbmBhjZnyzMTrsTV8z6zMgC01pwoJxJFRmzZU4XArEoWelvWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lrIKG+Ij2dzW/iL35ORtrJ3hFE/noQBakFSeXZ3kmDU=; b=F/T5HCc7RS+0GSKDDElImCZLNoZvAPa1HbWM5W58+dAowTex3mjpOPCulUGZXusvX5+LCi8ICGYfXnjv7dRhCtviNAX8Pr4zStjdGbcB8/dSq0wAk8byBKlhQOlguJYZOoNM/X8nlvfRbEl2G6DZEo/1C+nxU1jSq+fc7waryyl0dwonke7T6Hmb3IP+PdOuVpRUR15q+4yMMd9BPfrzwKbQGh5DzPVIM51WUITfMdG4JlySohoYhFoDPBcoBaguQ0+Nu+j5gFoQ3uYUBcF4igwBwUebfE9uVsyqtVMYUe5ry53qcICKhcLuoXfMDSypjaugA5ebPhk6gnfrorVPDA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=google.com smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lrIKG+Ij2dzW/iL35ORtrJ3hFE/noQBakFSeXZ3kmDU=; b=YjR9Zu5DtoohG1FGgzn1CN9O7uHtZkK+Uwfos/JiYcLogSUZ7N+DpiItIKhY1biOTObWqAz4CBMyzeNLHam75quhNbUl2NI4xdM3zSN1K3PM3Nm0vU1YykV8W9asRHi/ah3Bc14XhTT3cDZ3CbvtT/8Cly2hGNUxGOJcfgWybF9+9Nes++u3vvHxwGWn5p7lttTVLI2qyeo8sDbwfPHTHBFBuhgsVRYGC9zEwqrIEB20tuqi+Fsm1KyCUgUfXV2wArJ9NTMJWTPNSEKxhfUrFBGke3ZeW75cLBNV3889c0fYHyTfjDnk/h/U81hO/MLOH8GlgnRHJtTdr59MNGVJuQ== Received: from SN4PR0501CA0099.namprd05.prod.outlook.com (2603:10b6:803:42::16) by DS0PR12MB7772.namprd12.prod.outlook.com (2603:10b6:8:138::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.26; Mon, 11 Nov 2024 06:38:39 +0000 Received: from SN1PEPF0002636C.namprd02.prod.outlook.com (2603:10b6:803:42:cafe::d8) by SN4PR0501CA0099.outlook.office365.com (2603:10b6:803:42::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.16 via Frontend Transport; Mon, 11 Nov 2024 06:38:39 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SN1PEPF0002636C.mail.protection.outlook.com (10.167.241.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8158.14 via Frontend Transport; Mon, 11 Nov 2024 06:38:39 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Sun, 10 Nov 2024 22:38:26 -0800 Received: from nvidia.com (10.126.231.35) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Sun, 10 Nov 2024 22:38:24 -0800 From: Xueming Li To: Joshua Washington CC: , Rushil Gupta , "Praveen Kaligineedi" , dpdk stable Subject: patch 'net/gve: fix refill logic causing memory corruption' has been queued to stable release 23.11.3 Date: Mon, 11 Nov 2024 14:28:18 +0800 Message-ID: <20241111062847.216344-93-xuemingl@nvidia.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241111062847.216344-1-xuemingl@nvidia.com> References: <20241111062847.216344-1-xuemingl@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.126.231.35] X-ClientProxiedBy: rnnvmail202.nvidia.com (10.129.68.7) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SN1PEPF0002636C:EE_|DS0PR12MB7772:EE_ X-MS-Office365-Filtering-Correlation-Id: 713d0de7-9118-4fe4-1e0b-08dd021b7a1e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|36860700013|82310400026|376014|1800799024; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?zy1A6HDK9JN8MUmyAXEQe7E3ohJovXKVmF5bHPV5r7hC46AGBrz4iHs3+LGr?= =?us-ascii?Q?BotkboO2pwc2iEH8V2gebQC+w2dAM3SrtOLIObBjcAnfMV1U5pVRpVed1MIr?= =?us-ascii?Q?wBsvw+8XtQYSW/srKOSXFbY5F0NQftW9XT8RPN/18tJPNqNJSQjS47wyGXjq?= =?us-ascii?Q?xR3gMwv7DIJZaAgQGAv9Ub8TjkC+2CmqC8GBhOnnQg5wvBQ+y7ZqTf8qxlMS?= =?us-ascii?Q?LLgMK/BtWS2LJXoml110MI+yUcFeez83fodzf/XR7VDq1PZ9uoYJ7Lo9WYhT?= =?us-ascii?Q?lnlAYvXX0yVuU3H/3q4lwDs84GINyDPpfRgU0ckTEfXSOZp26oFBbKP4cpoV?= =?us-ascii?Q?44LuhW6H5YGWVhZ0c/CZsFSgLMTMLt5nsLsItyAP0d8TCXBFikEb8oSu+vUI?= =?us-ascii?Q?tfz0DETPIz1laJPPXyHn5Oz/X36Z9AyArw4SUdvKd9jHEqb2obEdmPAkSfaJ?= =?us-ascii?Q?BuRyJsjoGUovXa4P3AShR2yzQce+KHUcz6YkktSDLbZdywY1eIiXM62IkAsB?= =?us-ascii?Q?3b79zxuFjtEHRQoQW0YIc7OePwvmfX2k4hR/xxVsv0nv/l67QxEL30aXXN3A?= =?us-ascii?Q?HWbOR7ocjZRljdee9Q24HfFrEcCmtFzzuXab6kjqbVO2vfrQ4mBNeYkGU7k4?= =?us-ascii?Q?LB+0GknL8jFvHPQYZGoum2AAyo1ff7aa7bTgUP2szI35qzxC54W/r0xDC5Sk?= =?us-ascii?Q?vacohJk7FSM2sgJkF3lx1NknqnPMztybR2eBeFUYSTXyt/LJrBofL0abXrT6?= =?us-ascii?Q?c0UXBjUXWoTQ49N8J3O/IB9DGop8iWIjtCZA/NI4xYT9rgDKjGdNNyW/IIoX?= =?us-ascii?Q?nEOCDPs311YAo6wqHWRjpXgUueuj8Qm4cRgsIFZNDWFwUOpqnaGTy9sxIgea?= =?us-ascii?Q?Uy76cFC6LenbPPtyh5SpN9XZwUsCNHLrMknJsWU+u/tjMoHApj2ysOqtRewA?= =?us-ascii?Q?h+tHURfTePz7t1lboGRB8D5esYUZlzDBh8bFXEpH1BgK4BVs/zYdoLXWpv3Z?= =?us-ascii?Q?v93YYHf9i58oRePczPZuUJkqhgp20qcusZGU2zEBEy6O/Wtahw0U7jrGDWIf?= =?us-ascii?Q?aLltvz47fGY66dmjfYMBIyYt3m5Ni+xkBmEbsQSRpmtbfdCfWAxSUuRX5e/F?= =?us-ascii?Q?NyRn9QI42CmqPURpTtsK3KErIc48ATO6xr/2oQ3zhP0fRHlHBgStZBd5aQOy?= =?us-ascii?Q?VYjBwNAlJjCsF3/BMBdWct6nCijcnErjcCwkx/7gxyJIDQ/BsV/RmTn6C9Ap?= =?us-ascii?Q?zbdfhYhbpwOQf8kRixAwkuWn5rEcrE3MipTufrHLxNwwNY86r+2DXLTkNKvV?= =?us-ascii?Q?JTLTQQBlDpkm+SMX2pWtGA1f59YCJ00DG/k61uG9cEeMudg0PzSAzvxqIwfC?= =?us-ascii?Q?/s+HMP9Q7nH0zDtAWgSvK92aigUZ22tDupdg+gChkC/Z4zubhQ=3D=3D?= X-Forefront-Antispam-Report: CIP:216.228.117.161; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge2.nvidia.com; CAT:NONE; SFS:(13230040)(36860700013)(82310400026)(376014)(1800799024); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Nov 2024 06:38:39.1238 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 713d0de7-9118-4fe4-1e0b-08dd021b7a1e X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.161]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SN1PEPF0002636C.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR12MB7772 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 23.11.3 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 11/30/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging This queued commit can be viewed at: https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=7907e4749624ac43a40a71bc200faa46d2e219dc Thanks. Xueming Li --- >From 7907e4749624ac43a40a71bc200faa46d2e219dc Mon Sep 17 00:00:00 2001 From: Joshua Washington Date: Thu, 3 Oct 2024 18:05:18 -0700 Subject: [PATCH] net/gve: fix refill logic causing memory corruption Cc: Xueming Li [ upstream commit 52c9b4069b216495d6e709bb500b6a52b8b2ca82 ] There is a seemingly mundane error in the RX refill path which can lead to major issues and ultimately program crashing. This error occurs as part of an edge case where the exact number of buffers the refill causes the ring to wrap around to 0. The current refill logic is split into two conditions: first, when the number of buffers to refill is greater than the number of buffers left in the ring before wraparound occurs; second, when the opposite is true, and there are enough buffers before wraparound to refill all buffers. In this edge case, the first condition erroneously uses a (<) condition to decide whether to wrap around, when it should have been (<=). In that case, the second condition would run and the tail pointer would be set to an invalid value (RING_SIZE). This causes a number of cascading failures. 1. The first issue rather mundane in that rxq->bufq_tail == RING_SIZE at the end of the refill, this will correct itself on the next refill without any sort of memory leak or corruption; 2. The second failure is that the head pointer would end up overrunning the tail because the last buffer that is refilled is refilled at sw_ring[RING_SIZE] instead of sw_ring[0]. This would cause the driver to give the application a stale mbuf, one that has been potentially freed or is otherwise stale; 3. The third failure comes from the fact that the software ring is being overrun. Because we directly use the sw_ring pointer to refill buffers, when sw_ring[RING_SIZE] is filled, a buffer overflow occurs. The overwritten data has the potential to be important data, and this can potentially cause the program to crash outright. This patch fixes the refill bug while greatly simplifying the logic so that it is much less error-prone. Fixes: 45da16b5b181 ("net/gve: support basic Rx data path for DQO") Signed-off-by: Joshua Washington Reviewed-by: Rushil Gupta Reviewed-by: Praveen Kaligineedi --- drivers/net/gve/gve_rx_dqo.c | 62 ++++++++++-------------------------- 1 file changed, 16 insertions(+), 46 deletions(-) diff --git a/drivers/net/gve/gve_rx_dqo.c b/drivers/net/gve/gve_rx_dqo.c index 0203d23b9a..f55a03f8c4 100644 --- a/drivers/net/gve/gve_rx_dqo.c +++ b/drivers/net/gve/gve_rx_dqo.c @@ -10,66 +10,36 @@ static inline void gve_rx_refill_dqo(struct gve_rx_queue *rxq) { - volatile struct gve_rx_desc_dqo *rx_buf_ring; volatile struct gve_rx_desc_dqo *rx_buf_desc; struct rte_mbuf *nmb[rxq->nb_rx_hold]; uint16_t nb_refill = rxq->nb_rx_hold; - uint16_t nb_desc = rxq->nb_rx_desc; uint16_t next_avail = rxq->bufq_tail; struct rte_eth_dev *dev; uint64_t dma_addr; - uint16_t delta; int i; if (rxq->nb_rx_hold < rxq->free_thresh) return; - rx_buf_ring = rxq->rx_ring; - delta = nb_desc - next_avail; - if (unlikely(delta < nb_refill)) { - if (likely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, delta) == 0)) { - for (i = 0; i < delta; i++) { - rx_buf_desc = &rx_buf_ring[next_avail + i]; - rxq->sw_ring[next_avail + i] = nmb[i]; - dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i])); - rx_buf_desc->header_buf_addr = 0; - rx_buf_desc->buf_addr = dma_addr; - } - nb_refill -= delta; - next_avail = 0; - rxq->nb_rx_hold -= delta; - } else { - rxq->stats.no_mbufs_bulk++; - rxq->stats.no_mbufs += nb_desc - next_avail; - dev = &rte_eth_devices[rxq->port_id]; - dev->data->rx_mbuf_alloc_failed += nb_desc - next_avail; - PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u", - rxq->port_id, rxq->queue_id); - return; - } + if (unlikely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, nb_refill))) { + rxq->stats.no_mbufs_bulk++; + rxq->stats.no_mbufs += nb_refill; + dev = &rte_eth_devices[rxq->port_id]; + dev->data->rx_mbuf_alloc_failed += nb_refill; + PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u", + rxq->port_id, rxq->queue_id); + return; } - if (nb_desc - next_avail >= nb_refill) { - if (likely(rte_pktmbuf_alloc_bulk(rxq->mpool, nmb, nb_refill) == 0)) { - for (i = 0; i < nb_refill; i++) { - rx_buf_desc = &rx_buf_ring[next_avail + i]; - rxq->sw_ring[next_avail + i] = nmb[i]; - dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i])); - rx_buf_desc->header_buf_addr = 0; - rx_buf_desc->buf_addr = dma_addr; - } - next_avail += nb_refill; - rxq->nb_rx_hold -= nb_refill; - } else { - rxq->stats.no_mbufs_bulk++; - rxq->stats.no_mbufs += nb_desc - next_avail; - dev = &rte_eth_devices[rxq->port_id]; - dev->data->rx_mbuf_alloc_failed += nb_desc - next_avail; - PMD_DRV_LOG(DEBUG, "RX mbuf alloc failed port_id=%u queue_id=%u", - rxq->port_id, rxq->queue_id); - } + for (i = 0; i < nb_refill; i++) { + rx_buf_desc = &rxq->rx_ring[next_avail]; + rxq->sw_ring[next_avail] = nmb[i]; + dma_addr = rte_cpu_to_le_64(rte_mbuf_data_iova_default(nmb[i])); + rx_buf_desc->header_buf_addr = 0; + rx_buf_desc->buf_addr = dma_addr; + next_avail = (next_avail + 1) & (rxq->nb_rx_desc - 1); } - + rxq->nb_rx_hold -= nb_refill; rte_write32(next_avail, rxq->qrx_tail); rxq->bufq_tail = next_avail; -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-11-11 14:23:09.294538355 +0800 +++ 0092-net-gve-fix-refill-logic-causing-memory-corruption.patch 2024-11-11 14:23:05.232192837 +0800 @@ -1 +1 @@ -From 52c9b4069b216495d6e709bb500b6a52b8b2ca82 Mon Sep 17 00:00:00 2001 +From 7907e4749624ac43a40a71bc200faa46d2e219dc Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit 52c9b4069b216495d6e709bb500b6a52b8b2ca82 ] @@ -40 +42,0 @@ -Cc: stable@dpdk.org @@ -50 +52 @@ -index e4084bc0dd..5371bab77d 100644 +index 0203d23b9a..f55a03f8c4 100644 @@ -53 +55 @@ -@@ -11,66 +11,36 @@ +@@ -10,66 +10,36 @@