From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id BC21345DB9
	for <public@inbox.dpdk.org>; Wed, 27 Nov 2024 18:21:30 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id AFD9B409FA;
	Wed, 27 Nov 2024 18:21:30 +0100 (CET)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id C16044066C
 for <stable@dpdk.org>; Wed, 27 Nov 2024 18:21:29 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1732728089;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=KFM+rsqtDopTZYBGh1BLqKMQwpGbJ1Z+36GxCEh/GOM=;
 b=fopuRJg4RcirMuek2uU1O3sVqCGkrUriqmux3sk4bbIveMK0/Z7GPfyAE3uXn1TYXwsB9+
 sA4qh2k6QWn3dzg3wjTQ8U5Nl86hAm7+QZNAeTTEWbsxOmFw1Ez4zQWwrkcZKKPSJPnC9g
 tewyVr2XKaUWqtQE1Xio/akvusV2Dcw=
Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-370-nv6zHNvtOWiSXX6bBfOjbw-1; Wed,
 27 Nov 2024 12:21:27 -0500
X-MC-Unique: nv6zHNvtOWiSXX6bBfOjbw-1
X-Mimecast-MFC-AGG-ID: nv6zHNvtOWiSXX6bBfOjbw
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id B1D3B1955E75; Wed, 27 Nov 2024 17:21:26 +0000 (UTC)
Received: from rh.redhat.com (unknown [10.39.192.52])
 by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id 71296300019E; Wed, 27 Nov 2024 17:21:25 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Mihai Brodschi <mihai.brodschi@broadcom.com>
Cc: Ferruh Yigit <ferruh.yigit@amd.com>,
	dpdk stable <stable@dpdk.org>
Subject: patch 'net/memif: fix buffer overflow in zero copy Rx' has been
 queued to stable release 21.11.9
Date: Wed, 27 Nov 2024 17:18:01 +0000
Message-ID: <20241127171916.690404-54-ktraynor@redhat.com>
In-Reply-To: <20241127171916.690404-1-ktraynor@redhat.com>
References: <20241127171916.690404-1-ktraynor@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 8Po6v1F6RJfO7PyLe2o-u8c8-EtmCMW5mdSOEJZkpcY_1732728086
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: 8bit
content-type: text/plain; charset="US-ASCII"; x-default=true
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

Hi,

FYI, your patch has been queued to stable release 21.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/02/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/bf824c00c996be87956b82754b1b865dd48819de

Thanks.

Kevin

---
>From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
From: Mihai Brodschi <mihai.brodschi@broadcom.com>
Date: Sat, 29 Jun 2024 00:01:29 +0300
Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx

[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]

rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.

Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.

Fixes: 43b815d88188 ("net/memif: support zero-copy slave")

Signed-off-by: Mihai Brodschi <mihai.brodschi@broadcom.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@amd.com>
---
 .mailmap                          |  1 +
 drivers/net/memif/rte_eth_memif.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.mailmap b/.mailmap
index 296e6528b6..13eacdbc33 100644
--- a/.mailmap
+++ b/.mailmap
@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski@intel.com>
 Michel Machado <michel@digirati.com.br>
 Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
+Mihai Brodschi <mihai.brodschi@broadcom.com>
 Mihai Pogonaru <pogonarumihai@gmail.com>
 Mike Baucom <michael.baucom@broadcom.com>
diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
index 88908a42a5..fbef44cdb8 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -535,4 +535,8 @@ refill:
 	if (unlikely(ret < 0))
 		goto no_free_mbufs;
+	if (unlikely(n_slots > ring_size - (head & mask))) {
+		rte_memcpy(mq->buffers, &mq->buffers[ring_size],
+			(n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *));
+	}
 
 	while (n_slots--) {
@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)
 		mq->buffers = NULL;
 		if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) {
+			/*
+			 * Allocate 2x ring_size to reserve a contiguous array for
+			 * rte_pktmbuf_alloc_bulk (to store allocated mbufs).
+			 */
 			mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) *
-						  (1 << mq->log2_ring_size), 0);
+						  (1 << (mq->log2_ring_size + 1)), 0);
 			if (mq->buffers == NULL)
 				return -ENOMEM;
-- 
2.47.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-11-27 17:17:39.965604386 +0000
+++ 0054-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch	2024-11-27 17:17:38.228269389 +0000
@@ -1 +1 @@
-From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001
+From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]
+
@@ -17 +18,0 @@
-Cc: stable@dpdk.org
@@ -27 +28 @@
-index 7b3a20af68..2e909c48a8 100644
+index 296e6528b6..13eacdbc33 100644
@@ -30,2 +31,2 @@
-@@ -1012,4 +1012,5 @@ Michel Machado <michel@digirati.com.br>
- Midde Ajijur Rehaman <ajijurx.rehaman.midde@intel.com>
+@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski@intel.com>
+ Michel Machado <michel@digirati.com.br>
@@ -37 +38 @@
-index e220ffaf92..cd722f254f 100644
+index 88908a42a5..fbef44cdb8 100644
@@ -40 +41 @@
-@@ -601,4 +601,8 @@ refill:
+@@ -535,4 +535,8 @@ refill:
@@ -49 +50 @@
-@@ -1246,6 +1250,10 @@ memif_init_queues(struct rte_eth_dev *dev)
+@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)