patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Kevin Traynor <ktraynor@redhat.com>
To: Mihai Brodschi <mihai.brodschi@broadcom.com>
Cc: Ferruh Yigit <ferruh.yigit@amd.com>, dpdk stable <stable@dpdk.org>
Subject: patch 'net/memif: fix buffer overflow in zero copy Rx' has been queued to stable release 21.11.9
Date: Wed, 27 Nov 2024 17:18:01 +0000	[thread overview]
Message-ID: <20241127171916.690404-54-ktraynor@redhat.com> (raw)
In-Reply-To: <20241127171916.690404-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/02/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/bf824c00c996be87956b82754b1b865dd48819de

Thanks.

Kevin

---
From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
From: Mihai Brodschi <mihai.brodschi@broadcom.com>
Date: Sat, 29 Jun 2024 00:01:29 +0300
Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx

[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]

rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.

Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.

Fixes: 43b815d88188 ("net/memif: support zero-copy slave")

Signed-off-by: Mihai Brodschi <mihai.brodschi@broadcom.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@amd.com>
---
 .mailmap                          |  1 +
 drivers/net/memif/rte_eth_memif.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.mailmap b/.mailmap
index 296e6528b6..13eacdbc33 100644
--- a/.mailmap
+++ b/.mailmap
@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski@intel.com>
 Michel Machado <michel@digirati.com.br>
 Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
+Mihai Brodschi <mihai.brodschi@broadcom.com>
 Mihai Pogonaru <pogonarumihai@gmail.com>
 Mike Baucom <michael.baucom@broadcom.com>
diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
index 88908a42a5..fbef44cdb8 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -535,4 +535,8 @@ refill:
 	if (unlikely(ret < 0))
 		goto no_free_mbufs;
+	if (unlikely(n_slots > ring_size - (head & mask))) {
+		rte_memcpy(mq->buffers, &mq->buffers[ring_size],
+			(n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *));
+	}
 
 	while (n_slots--) {
@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)
 		mq->buffers = NULL;
 		if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) {
+			/*
+			 * Allocate 2x ring_size to reserve a contiguous array for
+			 * rte_pktmbuf_alloc_bulk (to store allocated mbufs).
+			 */
 			mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) *
-						  (1 << mq->log2_ring_size), 0);
+						  (1 << (mq->log2_ring_size + 1)), 0);
 			if (mq->buffers == NULL)
 				return -ENOMEM;
-- 
2.47.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-11-27 17:17:39.965604386 +0000
+++ 0054-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch	2024-11-27 17:17:38.228269389 +0000
@@ -1 +1 @@
-From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001
+From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]
+
@@ -17 +18,0 @@
-Cc: stable@dpdk.org
@@ -27 +28 @@
-index 7b3a20af68..2e909c48a8 100644
+index 296e6528b6..13eacdbc33 100644
@@ -30,2 +31,2 @@
-@@ -1012,4 +1012,5 @@ Michel Machado <michel@digirati.com.br>
- Midde Ajijur Rehaman <ajijurx.rehaman.midde@intel.com>
+@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski@intel.com>
+ Michel Machado <michel@digirati.com.br>
@@ -37 +38 @@
-index e220ffaf92..cd722f254f 100644
+index 88908a42a5..fbef44cdb8 100644
@@ -40 +41 @@
-@@ -601,4 +601,8 @@ refill:
+@@ -535,4 +535,8 @@ refill:
@@ -49 +50 @@
-@@ -1246,6 +1250,10 @@ memif_init_queues(struct rte_eth_dev *dev)
+@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)


  parent reply	other threads:[~2024-11-27 17:21 UTC|newest]

Thread overview: 122+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-27 17:17 patch 'net/ionic: fix build with Fedora Rawhide' " Kevin Traynor
2024-11-27 17:17 ` patch 'eal/x86: fix 32-bit write combining store' " Kevin Traynor
2024-11-27 17:17 ` patch 'examples/eventdev: fix queue crash with generic pipeline' " Kevin Traynor
2024-11-27 17:17 ` patch 'crypto/dpaa2_sec: fix memory leak' " Kevin Traynor
2024-11-27 17:17 ` patch 'common/dpaax/caamflib: fix PDCP SNOW-ZUC watchdog' " Kevin Traynor
2024-11-27 17:17 ` patch 'dev: fix callback lookup when unregistering device' " Kevin Traynor
2024-11-27 17:17 ` patch 'bpf: fix free function mismatch if convert fails' " Kevin Traynor
2024-11-27 17:17 ` patch 'baseband/la12xx: fix use after free in modem config' " Kevin Traynor
2024-11-27 17:17 ` patch 'crypto/bcmfs: fix free function mismatch' " Kevin Traynor
2024-11-27 17:17 ` patch 'dma/idxd: fix free function mismatch in device probe' " Kevin Traynor
2024-11-27 17:17 ` patch 'event/cnxk: fix free function mismatch in port config' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/e1000: fix use after free in filter flush' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/sfc: fix use after free in debug logs' " Kevin Traynor
2024-11-27 17:17 ` patch 'raw/ifpga/base: fix use after free' " Kevin Traynor
2024-11-27 17:17 ` patch 'raw/ifpga: fix free function mismatch in interrupt config' " Kevin Traynor
2024-11-27 17:17 ` patch 'examples/vhost: fix free function mismatch' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/nfb: fix use after free' " Kevin Traynor
2024-11-27 17:17 ` patch 'power: enable CPPC' " Kevin Traynor
2024-11-27 17:17 ` patch 'fib6: add runtime checks in AVX512 lookup' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/cnxk: fix Rx timestamp handling for VF' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/cnxk: fix Rx offloads to handle timestamp' " Kevin Traynor
2024-11-27 17:17 ` patch 'common/cnxk: fix base log level' " Kevin Traynor
2024-11-27 17:17 ` patch 'vhost: fix offset while mapping log base address' " Kevin Traynor
2024-11-27 17:17 ` patch 'vdpa: update used flags in used ring relay' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/virtio-user: reset used index counter' " Kevin Traynor
2024-11-27 17:17 ` patch 'fib: fix AVX512 lookup' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/e1000: fix link status crash in secondary process' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/iavf: fix crash when link is unstable' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/ice/base: fix link speed for 200G' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/ice/base: fix iteration of TLVs in Preserved Fields Area' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/ixgbe/base: fix unchecked return value' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix setting flags in init function' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix misleading debug logs and comments' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix blinking X722 with X557 PHY' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix DDP loading with reserved track ID' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix repeated register dumps' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix unchecked return value' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e/base: fix loop bounds' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/i40e: fix AVX-512 pointer copy on 32-bit' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/ice: " Kevin Traynor
2024-11-27 17:17 ` patch 'net/iavf: " Kevin Traynor
2024-11-27 17:17 ` patch 'net/tap: avoid memcpy with null argument' " Kevin Traynor
2024-11-27 17:17 ` patch 'app/testpmd: remove unnecessary cast' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/pcap: set live interface as non-blocking' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/ena: revert redefining memcpy' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/hns3: remove some basic address dump' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/hns3: fix dump counter of registers' " Kevin Traynor
2024-11-27 17:17 ` patch 'ethdev: fix overflow in descriptor count' " Kevin Traynor
2024-11-27 17:17 ` patch 'bus/dpaa: fix PFDRs leaks due to FQRNIs' " Kevin Traynor
2024-11-27 17:17 ` patch 'net/dpaa: fix typecasting channel ID' " Kevin Traynor
2024-11-27 17:17 ` patch 'bus/dpaa: fix VSP for 1G fm1-mac9 and 10' " Kevin Traynor
2024-11-27 17:17 ` patch 'bus/dpaa: fix the fman details status' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/dpaa: fix reallocate mbuf handling' " Kevin Traynor
2024-11-27 17:18 ` Kevin Traynor [this message]
2024-11-27 17:18 ` patch 'net/tap: restrict maximum number of MP FDs' " Kevin Traynor
2024-11-27 17:18 ` patch 'ethdev: verify queue ID in Tx done cleanup' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/hns3: verify reset type from firmware' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/pcap: fix blocking Rx' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ice/base: add bounds check' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ice/base: fix VLAN replay after reset' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/iavf: preserve MAC address with i40e PF Linux driver' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: workaround list management of Rx queue control' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix number of supported flex parsers' " Kevin Traynor
2024-11-27 17:18 ` patch 'app/testpmd: remove flex item init command leftover' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix next protocol validation after flex item' " Kevin Traynor
2024-11-27 17:18 ` patch 'build: remove version check on compiler links function' " Kevin Traynor
2024-11-27 17:18 ` patch 'hash: fix thash LFSR initialization' " Kevin Traynor
2024-11-27 17:18 ` patch 'dmadev: fix potential null pointer access' " Kevin Traynor
2024-11-27 17:18 ` patch 'power: fix mapped lcore ID' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/netvsc: fix using Tx queue higher than Rx queues' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/hns3: restrict tunnel flow rule to one header' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ice: detect stopping a flow director queue twice' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ixgbe: fix link status delay on FreeBSD' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mvneta: fix possible out-of-bounds write' " Kevin Traynor
2024-11-27 17:18 ` patch 'crypto/openssl: fix 3DES-CTR with big endian CPUs' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix memory leak in metering' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix reported Rx/Tx descriptor limits' " Kevin Traynor
2024-11-27 17:18 ` patch 'app/dumpcap: remove unused struct array' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/nfp: fix link change return value' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix non full word sample fields in flex item' " Kevin Traynor
2024-11-27 17:18 ` patch 'bus/fslmc: fix Coverity warnings in QBMAN' " Kevin Traynor
2024-11-27 17:18 ` patch 'test/bonding: remove redundant info query' " Kevin Traynor
2024-11-27 17:18 ` patch 'examples/ntb: check info query return' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/netvsc: force Tx VLAN offload on 801.2Q packet' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/vmxnet3: fix crash after configuration failure' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/txgbe: fix SWFW mbox' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/txgbe: fix VF-PF mbox interrupt' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/txgbe: remove outer UDP checksum capability' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/txgbe: fix driver load bit to inform firmware' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ngbe: " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ngbe: reconfigure more MAC Rx registers' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ngbe: fix interrupt lost in legacy or MSI mode' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/ngbe: restrict configuration of VLAN strip offload' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/hns3: fix error code for repeatedly create counter' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/hns3: fix fully use hardware flow director table' " Kevin Traynor
2024-11-27 17:18 ` patch 'event/octeontx: fix possible integer overflow' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnxt/tf_core: fix Thor TF EM key size check' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnxt: fix reading SFF-8436 SFP EEPROMs' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnxt: fix TCP and UDP checksum flags' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnxt: fix bad action offset in Tx BD' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnx2x: remove dead conditional' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnx2x: fix always true expression' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnx2x: fix possible infinite loop at startup' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/bnx2x: fix duplicate branch' " Kevin Traynor
2024-11-27 17:18 ` patch 'common/cnxk: fix build on Ubuntu 24.04' " Kevin Traynor
2024-11-27 17:18 ` patch 'examples/l2fwd-event: fix spinlock handling' " Kevin Traynor
2024-11-27 17:18 ` patch 'eventdev: fix possible array underflow/overflow' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/mlx5: fix shared queue port number in vector Rx' " Kevin Traynor
2024-11-27 17:18 ` patch 'common/mlx5: fix misalignment' " Kevin Traynor
2024-11-27 17:18 ` patch 'bus/dpaa: fix lock condition during error handling' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/iavf: add segment-length check to Tx prep' " Kevin Traynor
2024-11-27 17:18 ` patch 'net/i40e: check register read for outer VLAN' " Kevin Traynor
2024-11-27 17:19 ` patch 'app/procinfo: fix leak on exit' " Kevin Traynor
2024-11-27 17:19 ` patch 'member: fix choice of bucket for displacement' " Kevin Traynor
2024-11-27 17:19 ` patch 'app/testpmd: fix aged flow destroy' " Kevin Traynor
2024-11-27 17:19 ` patch 'test/bonding: fix loop on members' " Kevin Traynor
2024-11-27 17:19 ` patch 'test/bonding: fix MAC address comparison' " Kevin Traynor
2024-11-27 17:19 ` patch 'test/event: avoid duplicate initialization' " Kevin Traynor
2024-11-27 17:19 ` patch 'test/eal: fix loop coverage for alignment macros' " Kevin Traynor
2024-11-27 17:19 ` patch 'test/eal: fix lcore check' " Kevin Traynor
2024-11-27 17:19 ` patch 'app/testpmd: remove redundant policy action condition' " Kevin Traynor
2024-11-27 17:19 ` patch 'doc: correct definition of stats per queue feature' " Kevin Traynor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241127171916.690404-54-ktraynor@redhat.com \
    --to=ktraynor@redhat.com \
    --cc=ferruh.yigit@amd.com \
    --cc=mihai.brodschi@broadcom.com \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).