From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A8A7245CE3 for ; Mon, 11 Nov 2024 07:38:51 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 9CA804067A; Mon, 11 Nov 2024 07:38:51 +0100 (CET) Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on2044.outbound.protection.outlook.com [40.107.96.44]) by mails.dpdk.org (Postfix) with ESMTP id C11894067A for ; Mon, 11 Nov 2024 07:38:49 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=IuWj1cp3qQXxNi5rTS+S8KEWABRYl9bVIA/Y+AisKqamZR+k0U2XVVOuxHVRdjvPTiE5y7VfSQ3Y6g2CwdA/Lq9oMAGlW3OnVz5QVEuRmfqzcgy50Fhp3G99TPw5qKh76pGIjMOxxYCM4KNYmnBBxefjvI/4cK6Oen61K8fCSaCwykbfDC8AHIjtmYy/OCrTGR61WVAJ+1eDnIKbbtkCgMIlqhWZcwObS4XFXJ31gAT35QX7McpppWcRexXuxJMEM56U3G1OHzXnTmt6qji8wriEvftvNyNcxiWWLMm5lx4i6GPYcuvaIwtYXXdzsH08s+PeFCHPnLscuijKdEtAFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=s3RffbwTxb8QhKQFwdK6EaEZBM8wL4aq5WD0Zfrm1xs=; b=sRIJyrQXdSN/l4KMrdLoAPaaJjrQkA5THSV0ZAbqeKS7vKSQCDKSHYbE1XPVrIbChZkTrHtJ4s4Jzbt/lOI6IOaLcN8jt3Q//WLyr1gCikLAaUefxZpR44UJmt7SPhuZp3PYOMHfCs7avRX5lT7efj2+zcey3gfQvwCqGwUburnWpREDFxL9P8A+DkqUILG5jndx+ZXprQbyVbdghJAdMV+bgOHLwPUHkBNo7erutE9beOcvt4uZEIBzIb6FFIzP/47aedq2WiQf/JtGJCxCYGLhKPUTfzTdwOX7MoWXE7LWpUm+aTdn6XTey/WDkCiwJhRO2+PTNFFtrvJmfXmAaw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.161) smtp.rcpttodomain=broadcom.com smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s3RffbwTxb8QhKQFwdK6EaEZBM8wL4aq5WD0Zfrm1xs=; b=TrG7623nYciaLctb6eKJ1vRtg7W4zPPixUiTRh8VqQ4BPRXkTHFkI3tAIwVYS7WHzsPIS06Ezfuf2oXJcekF1KxxM9zWkWf8iAAW9zG157FPkjSeKey/Hf9Ld1dtZWOUlhoRhn4gaRkxwpJQ1kM9GoOl/GUirMCOnXyd9kS6X/+b1IoNsjiilrfsQ6uONdsjbeOOOwnmVbd3QqWdSF6SJ9Ch4YuiUZ7Qs2PdIW8hrUz2M1xRFPf3f2rrHTP0wfAlsElx2L9+8f2JrE1T27xE4lclDGNUJhCVUItDqp8EyA3+vyegmzDECXxczdfv8CgsNPcFNAw/yjOx4klNxdx+Ow== Received: from SA1P222CA0088.NAMP222.PROD.OUTLOOK.COM (2603:10b6:806:35e::15) by SJ2PR12MB8652.namprd12.prod.outlook.com (2603:10b6:a03:53a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.26; Mon, 11 Nov 2024 06:38:43 +0000 Received: from SN1PEPF0002636E.namprd02.prod.outlook.com (2603:10b6:806:35e:cafe::17) by SA1P222CA0088.outlook.office365.com (2603:10b6:806:35e::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.28 via Frontend Transport; Mon, 11 Nov 2024 06:38:43 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.161 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.161) by SN1PEPF0002636E.mail.protection.outlook.com (10.167.241.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8158.14 via Frontend Transport; Mon, 11 Nov 2024 06:38:43 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Sun, 10 Nov 2024 22:38:32 -0800 Received: from nvidia.com (10.126.231.35) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Sun, 10 Nov 2024 22:38:29 -0800 From: Xueming Li To: Mihai Brodschi CC: , Ferruh Yigit , dpdk stable Subject: patch 'net/memif: fix buffer overflow in zero copy Rx' has been queued to stable release 23.11.3 Date: Mon, 11 Nov 2024 14:28:20 +0800 Message-ID: <20241111062847.216344-95-xuemingl@nvidia.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241111062847.216344-1-xuemingl@nvidia.com> References: <20241111062847.216344-1-xuemingl@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.126.231.35] X-ClientProxiedBy: rnnvmail202.nvidia.com (10.129.68.7) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SN1PEPF0002636E:EE_|SJ2PR12MB8652:EE_ X-MS-Office365-Filtering-Correlation-Id: 13da8bc4-c24e-4ace-1489-08dd021b7cab X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|36860700013|82310400026|1800799024|376014; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?TweCHq7x2/tiSmJcp4AflFP9Mcqo/SW4gNuKUR4/Uw3ddNFoOC+7wkRGc8Ta?= =?us-ascii?Q?a785QZ1nHJ4PpGTOBe3UDbaJlT48y/CTjQFhj0t5imawey3AmIFml2b41xpf?= =?us-ascii?Q?7Gdp16HexZ6s1OiAoiXhbWiYQMlCX7sOnOfHnrsWk8aU9CcBwJYcoG3fHfhm?= =?us-ascii?Q?XHQRDyheNGWCMyJAstqkEhssg36H/oOlqBHCmp+Msa57ARmqRRB+LsQkZrNq?= =?us-ascii?Q?9i817zI0tWdoGR0v+QajS4X+odlp/SViYFuQMBpF+HtQ5cnhJTi2G85Frp7T?= =?us-ascii?Q?2vfgc4h0QP/iIf0qIHSKif0GiGMXuMQHHQFUkPtHckGFCg6Olda7PCQj1LCY?= =?us-ascii?Q?qIP1COvWNLtFKItRYiO9GMSdkpA2XO7zuJORTSmAZNk7HJRhPUp5ZAquqDYf?= =?us-ascii?Q?0FtmGpOS6rHsqJ7retm9IPiT7T0JatpM0JZr+hJEW4zMDsJqm7T1PI0tdy5g?= =?us-ascii?Q?g2ZfAG4QIEbSImUCWc7AJIU+eYRQkhqL8xGPCUT2WVN8fu/peG5pUvRtxPbt?= =?us-ascii?Q?82C8WLdmYdQsDwjuxV5QVa6I/qhs/FnLocq/zYvbU8YuMCNczppVnRrBKRm3?= =?us-ascii?Q?AoXg+iXq0Us4IVtP/sIlCa5yRivbpqnvbE89szyewTe+ae4xLJGNCG3zZBD/?= =?us-ascii?Q?2XCxJlD3eoB7Ggi3VTs3wkzN3RS0t/rlz7mqUaBkzvcnL+pPKqhzDOlNt6xR?= =?us-ascii?Q?8qMQKG8MvZpM5VFhIj8ftbER+8KsJYGYqvPZSocva8gWctyynPPLNhsE4Wll?= =?us-ascii?Q?lKe4wq15JjpsDio8jUEkNoUrWP6vyZKadgyqMfH2WdSKyY/4CLh419ElcLOs?= =?us-ascii?Q?QzaMEERw6MvQalBfMu0toUDTfU4ATAnCGG7TB7p2v4j11DXXV5g9HEZpwCL0?= =?us-ascii?Q?sx66jEhKTV38ZvwgVxPT7/N+oy9cTxbBLjGwholJ2MWHT/0HXboda2xLGGVF?= =?us-ascii?Q?+gYTU5G/6if56q2IjaCa90Q07vftMTAtpctqU4G981kLc8njiTWYAO770W45?= =?us-ascii?Q?NIV9EGANQxvNtywMFcM/jcoa83oWegKov1YYg4NUxyuC/gbp5DB0cSFQSMja?= =?us-ascii?Q?244To1CNv1vyymdRZ7e8k1c7+DpQeZdhBlN26BQA6fcTHpCCYNqoi9/pagA6?= =?us-ascii?Q?k/3XAvhOzfkKz5MUrnOg6z1d3cR95tjNQs+strCU0CftAZQCungGJFcPLBd2?= =?us-ascii?Q?xMF848nqC04ytUPHFxU2zALMHfL3jx71EIaxptALKQxFtDxs5Wk8McDiER9H?= =?us-ascii?Q?+qkp49qV3YLf8tkxYBIOF36kBL1TOCT3o+Ho2W9Y5mkV/Di9upFmAgTh/O2B?= =?us-ascii?Q?9r2GsC1MSnZRb09m7TGQYdWynWRAT/FPPsMwIME9V3Oi2VNZYKAHf72P6CVv?= =?us-ascii?Q?MTgQSrlQbfCIc0UTN2TWIz+bBBin1H8AhCMbXz93XigRBzt9rw=3D=3D?= X-Forefront-Antispam-Report: CIP:216.228.117.161; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge2.nvidia.com; CAT:NONE; SFS:(13230040)(36860700013)(82310400026)(1800799024)(376014); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Nov 2024 06:38:43.4031 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 13da8bc4-c24e-4ace-1489-08dd021b7cab X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.161]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: SN1PEPF0002636E.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR12MB8652 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 23.11.3 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 11/30/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging This queued commit can be viewed at: https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=3061d87b232c715422e2fe93017afc85f528fc40 Thanks. Xueming Li --- >From 3061d87b232c715422e2fe93017afc85f528fc40 Mon Sep 17 00:00:00 2001 From: Mihai Brodschi Date: Sat, 29 Jun 2024 00:01:29 +0300 Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx Cc: Xueming Li [ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ] rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate new mbufs to be provided to the sender. The allocated mbuf pointers are stored in a ring, but the alloc function doesn't implement index wrap-around, so it writes past the end of the array. This results in memory corruption and duplicate mbufs being received. Allocate 2x the space for the mbuf ring, so that the alloc function has a contiguous array to write to, then copy the excess entries to the start of the array. Fixes: 43b815d88188 ("net/memif: support zero-copy slave") Signed-off-by: Mihai Brodschi Reviewed-by: Ferruh Yigit --- .mailmap | 1 + drivers/net/memif/rte_eth_memif.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.mailmap b/.mailmap index c26a1acf7a..8d7fa55d9e 100644 --- a/.mailmap +++ b/.mailmap @@ -971,6 +971,7 @@ Michal Swiatkowski Michal Wilczynski Michel Machado Miguel Bernal Marin +Mihai Brodschi Mihai Pogonaru Mike Baucom Mike Pattrick diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c index f05f4c24df..1eb41bb471 100644 --- a/drivers/net/memif/rte_eth_memif.c +++ b/drivers/net/memif/rte_eth_memif.c @@ -600,6 +600,10 @@ refill: ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots); if (unlikely(ret < 0)) goto no_free_mbufs; + if (unlikely(n_slots > ring_size - (head & mask))) { + rte_memcpy(mq->buffers, &mq->buffers[ring_size], + (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *)); + } while (n_slots--) { s0 = head++ & mask; @@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev) } mq->buffers = NULL; if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) { + /* + * Allocate 2x ring_size to reserve a contiguous array for + * rte_pktmbuf_alloc_bulk (to store allocated mbufs). + */ mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) * - (1 << mq->log2_ring_size), 0); + (1 << (mq->log2_ring_size + 1)), 0); if (mq->buffers == NULL) return -ENOMEM; } -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-11-11 14:23:09.360403854 +0800 +++ 0094-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch 2024-11-11 14:23:05.242192837 +0800 @@ -1 +1 @@ -From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001 +From 3061d87b232c715422e2fe93017afc85f528fc40 Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ] @@ -17 +19,0 @@ -Cc: stable@dpdk.org @@ -27 +29 @@ -index 7b3a20af68..2e909c48a8 100644 +index c26a1acf7a..8d7fa55d9e 100644 @@ -30 +32,2 @@ -@@ -1011,6 +1011,7 @@ Michal Wilczynski +@@ -971,6 +971,7 @@ Michal Swiatkowski + Michal Wilczynski @@ -32 +34,0 @@ - Midde Ajijur Rehaman @@ -39 +41 @@ -index e220ffaf92..cd722f254f 100644 +index f05f4c24df..1eb41bb471 100644