From: Xueming Li <xuemingl@nvidia.com>
To: Mihai Brodschi <mihai.brodschi@broadcom.com>
Cc: <xuemingl@nvidia.com>, Ferruh Yigit <ferruh.yigit@amd.com>,
dpdk stable <stable@dpdk.org>
Subject: patch 'net/memif: fix buffer overflow in zero copy Rx' has been queued to stable release 23.11.3
Date: Mon, 11 Nov 2024 14:28:20 +0800 [thread overview]
Message-ID: <20241111062847.216344-95-xuemingl@nvidia.com> (raw)
In-Reply-To: <20241111062847.216344-1-xuemingl@nvidia.com>
Hi,
FYI, your patch has been queued to stable release 23.11.3
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/30/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging
This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=3061d87b232c715422e2fe93017afc85f528fc40
Thanks.
Xueming Li <xuemingl@nvidia.com>
---
From 3061d87b232c715422e2fe93017afc85f528fc40 Mon Sep 17 00:00:00 2001
From: Mihai Brodschi <mihai.brodschi@broadcom.com>
Date: Sat, 29 Jun 2024 00:01:29 +0300
Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx
Cc: Xueming Li <xuemingl@nvidia.com>
[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]
rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.
Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.
Fixes: 43b815d88188 ("net/memif: support zero-copy slave")
Signed-off-by: Mihai Brodschi <mihai.brodschi@broadcom.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@amd.com>
---
.mailmap | 1 +
drivers/net/memif/rte_eth_memif.c | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.mailmap b/.mailmap
index c26a1acf7a..8d7fa55d9e 100644
--- a/.mailmap
+++ b/.mailmap
@@ -971,6 +971,7 @@ Michal Swiatkowski <michal.swiatkowski@intel.com>
Michal Wilczynski <michal.wilczynski@intel.com>
Michel Machado <michel@digirati.com.br>
Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
+Mihai Brodschi <mihai.brodschi@broadcom.com>
Mihai Pogonaru <pogonarumihai@gmail.com>
Mike Baucom <michael.baucom@broadcom.com>
Mike Pattrick <mkp@redhat.com>
diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
index f05f4c24df..1eb41bb471 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -600,6 +600,10 @@ refill:
ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots);
if (unlikely(ret < 0))
goto no_free_mbufs;
+ if (unlikely(n_slots > ring_size - (head & mask))) {
+ rte_memcpy(mq->buffers, &mq->buffers[ring_size],
+ (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *));
+ }
while (n_slots--) {
s0 = head++ & mask;
@@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev)
}
mq->buffers = NULL;
if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) {
+ /*
+ * Allocate 2x ring_size to reserve a contiguous array for
+ * rte_pktmbuf_alloc_bulk (to store allocated mbufs).
+ */
mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) *
- (1 << mq->log2_ring_size), 0);
+ (1 << (mq->log2_ring_size + 1)), 0);
if (mq->buffers == NULL)
return -ENOMEM;
}
--
2.34.1
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2024-11-11 14:23:09.360403854 +0800
+++ 0094-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch 2024-11-11 14:23:05.242192837 +0800
@@ -1 +1 @@
-From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001
+From 3061d87b232c715422e2fe93017afc85f528fc40 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl@nvidia.com>
+
+[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]
@@ -17 +19,0 @@
-Cc: stable@dpdk.org
@@ -27 +29 @@
-index 7b3a20af68..2e909c48a8 100644
+index c26a1acf7a..8d7fa55d9e 100644
@@ -30 +32,2 @@
-@@ -1011,6 +1011,7 @@ Michal Wilczynski <michal.wilczynski@intel.com>
+@@ -971,6 +971,7 @@ Michal Swiatkowski <michal.swiatkowski@intel.com>
+ Michal Wilczynski <michal.wilczynski@intel.com>
@@ -32 +34,0 @@
- Midde Ajijur Rehaman <ajijurx.rehaman.midde@intel.com>
@@ -39 +41 @@
-index e220ffaf92..cd722f254f 100644
+index f05f4c24df..1eb41bb471 100644
next prev parent reply other threads:[~2024-11-11 6:38 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-11 6:26 patch " Xueming Li
2024-11-11 6:26 ` patch 'bus/vdev: revert fix devargs in secondary process' " Xueming Li
2024-11-11 6:26 ` patch 'log: add a per line log helper' " Xueming Li
2024-11-12 9:02 ` David Marchand
2024-11-12 11:35 ` Xueming Li
2024-11-12 12:47 ` David Marchand
2024-11-12 13:56 ` Xueming Li
2024-11-12 14:09 ` David Marchand
2024-11-12 14:11 ` Xueming Li
2024-11-11 6:26 ` patch 'drivers: remove redundant newline from logs' " Xueming Li
2024-11-11 6:26 ` patch 'eal/x86: fix 32-bit write combining store' " Xueming Li
2024-11-11 6:26 ` patch 'test/event: fix schedule type' " Xueming Li
2024-11-11 6:26 ` patch 'test/event: fix target event queue' " Xueming Li
2024-11-11 6:26 ` patch 'examples/eventdev: fix queue crash with generic pipeline' " Xueming Li
2024-11-11 6:26 ` patch 'crypto/dpaa2_sec: fix memory leak' " Xueming Li
2024-11-11 6:26 ` patch 'common/dpaax/caamflib: fix PDCP SNOW-ZUC watchdog' " Xueming Li
2024-11-11 6:26 ` patch 'dev: fix callback lookup when unregistering device' " Xueming Li
2024-11-11 6:26 ` patch 'crypto/scheduler: fix session size computation' " Xueming Li
2024-11-11 6:26 ` patch 'examples/ipsec-secgw: fix dequeue count from cryptodev' " Xueming Li
2024-11-11 6:26 ` patch 'bpf: fix free function mismatch if convert fails' " Xueming Li
2024-11-11 6:27 ` patch 'baseband/la12xx: fix use after free in modem config' " Xueming Li
2024-11-11 6:27 ` patch 'common/qat: fix use after free in device probe' " Xueming Li
2024-11-11 6:27 ` patch 'common/idpf: fix use after free in mailbox init' " Xueming Li
2024-11-11 6:27 ` patch 'crypto/bcmfs: fix free function mismatch' " Xueming Li
2024-11-11 6:27 ` patch 'dma/idxd: fix free function mismatch in device probe' " Xueming Li
2024-11-11 6:27 ` patch 'event/cnxk: fix free function mismatch in port config' " Xueming Li
2024-11-11 6:27 ` patch 'net/cnxk: fix use after free in mempool create' " Xueming Li
2024-11-11 6:27 ` patch 'net/cpfl: fix invalid free in JSON parser' " Xueming Li
2024-11-11 6:27 ` patch 'net/e1000: fix use after free in filter flush' " Xueming Li
2024-11-11 6:27 ` patch 'net/nfp: fix double free in flow destroy' " Xueming Li
2024-11-11 6:27 ` patch 'net/sfc: fix use after free in debug logs' " Xueming Li
2024-11-11 6:27 ` patch 'raw/ifpga/base: fix use after free' " Xueming Li
2024-11-11 6:27 ` patch 'raw/ifpga: fix free function mismatch in interrupt config' " Xueming Li
2024-11-11 6:27 ` patch 'examples/vhost: fix free function mismatch' " Xueming Li
2024-11-11 6:27 ` patch 'net/nfb: fix use after free' " Xueming Li
2024-11-11 6:27 ` patch 'power: enable CPPC' " Xueming Li
2024-11-11 6:27 ` patch 'fib6: add runtime checks in AVX512 lookup' " Xueming Li
2024-11-11 6:27 ` patch 'pcapng: fix handling of chained mbufs' " Xueming Li
2024-11-11 6:27 ` patch 'app/dumpcap: fix handling of jumbo frames' " Xueming Li
2024-11-11 6:27 ` patch 'ml/cnxk: fix handling of TVM model I/O' " Xueming Li
2024-11-11 6:27 ` patch 'net/cnxk: fix Rx timestamp handling for VF' " Xueming Li
2024-11-11 6:27 ` patch 'net/cnxk: fix Rx offloads to handle timestamp' " Xueming Li
2024-11-11 6:27 ` patch 'event/cnxk: fix Rx timestamp handling' " Xueming Li
2024-11-11 6:27 ` patch 'common/cnxk: fix MAC address change with active VF' " Xueming Li
2024-11-11 6:27 ` patch 'common/cnxk: fix inline CTX write' " Xueming Li
2024-11-11 6:27 ` patch 'common/cnxk: fix CPT HW word size for outbound SA' " Xueming Li
2024-11-11 6:27 ` patch 'net/cnxk: fix OOP handling for inbound packets' " Xueming Li
2024-11-11 6:27 ` patch 'event/cnxk: fix OOP handling in event mode' " Xueming Li
2024-11-11 6:27 ` patch 'common/cnxk: fix base log level' " Xueming Li
2024-11-11 6:27 ` patch 'common/cnxk: fix IRQ reconfiguration' " Xueming Li
2024-11-11 6:27 ` patch 'baseband/acc: fix access to deallocated mem' " Xueming Li
2024-11-11 6:27 ` patch 'baseband/acc: fix soft output bypass RM' " Xueming Li
2024-11-11 6:27 ` patch 'vhost: fix offset while mapping log base address' " Xueming Li
2024-11-11 6:27 ` patch 'vdpa: update used flags in used ring relay' " Xueming Li
2024-11-11 6:27 ` patch 'vdpa/nfp: fix hardware initialization' " Xueming Li
2024-11-11 6:27 ` patch 'vdpa/nfp: fix reconfiguration' " Xueming Li
2024-11-11 6:27 ` patch 'net/virtio-user: reset used index counter' " Xueming Li
2024-11-11 6:27 ` patch 'vhost: restrict set max queue pair API to VDUSE' " Xueming Li
2024-11-11 6:27 ` patch 'fib: fix AVX512 lookup' " Xueming Li
2024-11-11 6:27 ` patch 'net/e1000: fix link status crash in secondary process' " Xueming Li
2024-11-11 6:27 ` patch 'net/cpfl: add checks for flow action types' " Xueming Li
2024-11-11 6:27 ` patch 'net/iavf: fix crash when link is unstable' " Xueming Li
2024-11-11 6:27 ` patch 'net/cpfl: fix parsing protocol ID mask field' " Xueming Li
2024-11-11 6:27 ` patch 'net/ice/base: fix link speed for 200G' " Xueming Li
2024-11-11 6:27 ` patch 'net/ice/base: fix iteration of TLVs in Preserved Fields Area' " Xueming Li
2024-11-11 6:27 ` patch 'net/ixgbe/base: fix unchecked return value' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix setting flags in init function' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix misleading debug logs and comments' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: add missing X710TL device check' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix blinking X722 with X557 PHY' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix DDP loading with reserved track ID' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix repeated register dumps' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix unchecked return value' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e/base: fix loop bounds' " Xueming Li
2024-11-11 6:27 ` patch 'net/iavf: delay VF reset command' " Xueming Li
2024-11-11 6:27 ` patch 'net/i40e: fix AVX-512 pointer copy on 32-bit' " Xueming Li
2024-11-11 6:27 ` patch 'net/ice: " Xueming Li
2024-11-11 6:27 ` patch 'net/iavf: " Xueming Li
2024-11-11 6:27 ` patch 'common/idpf: " Xueming Li
2024-11-11 6:27 ` patch 'net/gve: fix queue setup and stop' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve: fix Tx for chained mbuf' " Xueming Li
2024-11-11 6:28 ` patch 'net/tap: avoid memcpy with null argument' " Xueming Li
2024-11-11 6:28 ` patch 'app/testpmd: remove unnecessary cast' " Xueming Li
2024-11-11 6:28 ` patch 'net/pcap: set live interface as non-blocking' " Xueming Li
2024-11-11 6:28 ` patch 'net/mana: support rdma-core via pkg-config' " Xueming Li
2024-11-11 6:28 ` patch 'net/ena: revert redefining memcpy' " Xueming Li
2024-11-11 6:28 ` patch 'net/hns3: remove some basic address dump' " Xueming Li
2024-11-11 6:28 ` patch 'net/hns3: fix dump counter of registers' " Xueming Li
2024-11-11 6:28 ` patch 'ethdev: fix overflow in descriptor count' " Xueming Li
2024-11-11 6:28 ` patch 'bus/dpaa: fix PFDRs leaks due to FQRNIs' " Xueming Li
2024-11-11 6:28 ` patch 'net/dpaa: fix typecasting channel ID' " Xueming Li
2024-11-11 6:28 ` patch 'bus/dpaa: fix VSP for 1G fm1-mac9 and 10' " Xueming Li
2024-11-11 6:28 ` patch 'bus/dpaa: fix the fman details status' " Xueming Li
2024-11-11 6:28 ` patch 'net/dpaa: fix reallocate mbuf handling' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve: fix mbuf allocation memory leak for DQ Rx' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve: always attempt Rx refill on DQ' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: fix type declaration of some variables' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: fix representor port link status update' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve: fix refill logic causing memory corruption' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve: add IO memory barriers before reading descriptors' " Xueming Li
2024-11-11 6:28 ` Xueming Li [this message]
2024-11-11 6:28 ` patch 'net/tap: restrict maximum number of MP FDs' " Xueming Li
2024-11-11 6:28 ` patch 'ethdev: verify queue ID in Tx done cleanup' " Xueming Li
2024-11-11 6:28 ` patch 'net/hns3: verify reset type from firmware' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: fix link change return value' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: fix pause frame setting check' " Xueming Li
2024-11-11 6:28 ` patch 'net/pcap: fix blocking Rx' " Xueming Li
2024-11-11 6:28 ` patch 'net/ice/base: add bounds check' " Xueming Li
2024-11-11 6:28 ` patch 'net/ice/base: fix VLAN replay after reset' " Xueming Li
2024-11-11 6:28 ` patch 'net/iavf: preserve MAC address with i40e PF Linux driver' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: workaround list management of Rx queue control' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5/hws: fix flex item as tunnel header' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: add flex item query for tunnel mode' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: fix flex item " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: fix number of supported flex parsers' " Xueming Li
2024-11-11 6:28 ` patch 'app/testpmd: remove flex item init command leftover' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: fix next protocol validation after flex item' " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: fix non full word sample fields in " Xueming Li
2024-11-11 6:28 ` patch 'net/mlx5: fix flex item header length field translation' " Xueming Li
2024-11-11 6:28 ` patch 'build: remove version check on compiler links function' " Xueming Li
2024-11-11 6:28 ` patch 'hash: fix thash LFSR initialization' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: notify flower firmware about PF speed' " Xueming Li
2024-11-11 6:28 ` patch 'net/nfp: do not set IPv6 flag in transport mode' " Xueming Li
2024-11-11 6:28 ` patch 'dmadev: fix potential null pointer access' " Xueming Li
2024-11-11 6:28 ` patch 'net/gve/base: fix build with Fedora Rawhide' " Xueming Li
2024-11-11 6:28 ` patch 'power: fix mapped lcore ID' " Xueming Li
2024-11-11 6:28 ` patch 'net/ionic: fix build with Fedora Rawhide' " Xueming Li
2024-11-11 6:28 ` patch '' " Xueming Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241111062847.216344-95-xuemingl@nvidia.com \
--to=xuemingl@nvidia.com \
--cc=ferruh.yigit@amd.com \
--cc=mihai.brodschi@broadcom.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).