From: Ferruh Yigit <ferruh.yigit@amd.com>
To: Joshua Washington <joshwash@google.com>,
Jeroen de Borst <jeroendb@google.com>,
Rushil Gupta <rushilg@google.com>,
Junfeng Guo <junfeng.guo@intel.com>
Cc: dev@dpdk.org, stable@dpdk.org,
Praveen Kaligineedi <pkaligineedi@google.com>
Subject: Re: [PATCH] net/gve: fix refill logic causing memory corruption
Date: Tue, 8 Oct 2024 01:46:54 +0100
Message-ID: <714c4d8b-c083-4b10-8bd6-dc887f025daa@amd.com>
In-Reply-To: <20241004010518.238331-1-joshwash@google.com>
On 10/4/2024 2:05 AM, Joshua Washington wrote:
> There is a seemingly mundane error in the RX refill path which can lead
> to major issues and ultimately the program crashing.
>
> This error occurs as part of an edge case where the exact number of
> buffers in the refill causes the ring to wrap around to 0. The current
> refill logic is split into two conditions: first, when the number of
> buffers to refill is greater than the number of buffers left in the ring
> before wraparound occurs; second, when the opposite is true, and there
> are enough buffers before wraparound to refill all buffers.
>
> In this edge case, the first condition erroneously uses a (<) condition
> to decide whether to wrap around, when it should have been (<=). In that
> case, the second condition would run and the tail pointer would be set
> to an invalid value (RING_SIZE). This causes a number of cascading
> failures.
>
> 1. The first issue is rather mundane: rxq->bufq_tail == RING_SIZE at
> the end of the refill. This will correct itself on the next refill
> without any sort of memory leak or corruption;
> 2. The second failure is that the head pointer would end up overrunning
> the tail because the last buffer that is refilled is refilled at
> sw_ring[RING_SIZE] instead of sw_ring[0]. This would cause the driver
> to give the application a stale mbuf, one that has been potentially
> freed or is otherwise stale;
> 3. The third failure comes from the fact that the software ring is being
> overrun. Because we directly use the sw_ring pointer to refill
> buffers, when sw_ring[RING_SIZE] is filled, a buffer overflow occurs.
> The overwritten data has the potential to be important data, and this
> can potentially cause the program to crash outright.
>
> This patch fixes the refill bug while greatly simplifying the logic so
> that it is much less error-prone.
>
> Fixes: 45da16b5b181 ("net/gve: support basic Rx data path for DQO")
> Cc: junfeng.guo@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Joshua Washington <joshwash@google.com>
> Reviewed-by: Rushil Gupta <rushilg@google.com>
> Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
>
Applied to dpdk-next-net/main, thanks.
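As an added illustration (not the gve driver's code and not part of this thread), the model below reproduces the wrap decision the commit message describes: with the strict (<) test, a refill that exactly fills the slots before wraparound skips the wrap branch and leaves bufq_tail == RING_SIZE, one past the last valid slot, while the (<=) test wraps it back to 0. RING_SIZE, sw_ring and bufq_tail follow the names in the message; the refill() shape, buffer ids and RING_SIZE == 8 are assumptions of the model, and the driver's actual write sequence is not reproduced.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the refill decision (assumed, not the driver's code). */
#define RING_SIZE 8

struct rxq {
    int sw_ring[RING_SIZE]; /* model: slot holds a buffer id, 0 == empty */
    uint16_t bufq_tail;     /* next slot to refill; valid range [0, RING_SIZE) */
};

/* Refill n buffers from bufq_tail. strict != 0 selects the buggy (<) wrap
 * test, strict == 0 the corrected (<=) test. Returns the new tail. */
static uint16_t refill(struct rxq *q, uint16_t n, int strict, int first_id)
{
    uint16_t tail = q->bufq_tail;
    uint16_t before_wrap = RING_SIZE - tail; /* slots left before wraparound */
    int id = first_id;

    assert(n <= RING_SIZE && tail < RING_SIZE); /* model precondition */
    if (strict ? before_wrap < n : before_wrap <= n) {
        /* Condition 1: fill up to the end of the ring, then continue at 0. */
        for (uint16_t i = 0; i < before_wrap; i++)
            q->sw_ring[tail + i] = id++;
        n -= before_wrap;
        tail = 0;
    }
    /* Condition 2: fill without wrapping. With the strict test and
     * before_wrap == n this path runs and leaves tail == RING_SIZE. */
    for (uint16_t i = 0; i < n; i++)
        q->sw_ring[tail + i] = id++;
    tail += n;
    q->bufq_tail = tail;
    return tail;
}

/* Run one refill on a fresh ring and report the resulting tail. */
static uint16_t tail_after_refill(uint16_t tail, uint16_t n, int strict)
{
    struct rxq q = { .bufq_tail = tail };
    return refill(&q, n, strict, 1);
}

int main(void)
{
    /* 3 slots left before wraparound, refill exactly 3 buffers. */
    printf("buggy (<)  tail=%u\n", tail_after_refill(5, 3, 1)); /* 8: out of bounds */
    printf("fixed (<=) tail=%u\n", tail_after_refill(5, 3, 0)); /* 0: wrapped */
    return 0;
}
```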