memif driver segfault memory corruption.

DPDK patches and discussions
 help / color / mirror / Atom feed

* memif driver segfault memory corruption.
@ 2022-07-16  0:15 John Weston
  2022-07-18  8:17 ` Ferruh Yigit
  0 siblings, 1 reply; 2+ messages in thread
From: John Weston @ 2022-07-16  0:15 UTC (permalink / raw)
  To: dev

[-- Attachment #1: Type: text/plain, Size: 2287 bytes --]

Hi,

I have been working on the dpdk memif driver and encountered the following
issues. Please consider these patches for review.

Firstly, the zero copy code in drivers/net/memif/rte_eth_memif.c can
readilly overflow the ring buffer for mbufs. This patch adjusts the n_slots
used in rte_poktmbuf_alloc_bulk to ensure it does not run off the end of
the buffers list.

dev@dpdk.org@@ -524,14 +1196,23 @@ refill:

         */

        head = __atomic_load_n(&ring->head, __ATOMIC_RELAXED);

        n_slots = ring_size - head + mq->last_tail;

-

-       if (n_slots < 32)

-               goto no_free_mbufs;

+    // CTAM - critical BUG FIX !

+#if 1

+    // only work within mask so alloc_bulk does not overrun the buffers
array

+    if ((head&mask) + n_slots > ring_size)

+    {

+        n_slots = ring_size - (head&mask);

+    }

+    if (n_slots <=0)

+         goto no_free_mbufs;

+#else

+    if (n_slots < 32)

+         goto no_free_mbufs;

+#endif


        ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head &
mask], n_slots);

        if (unlikely(ret < 0))

                goto no_free_mbufs;

-

        while (n_slots--) {

                s0 = head++ & mask;

                if (n_slots > 0)




Secondly, a segfault can occur on the stats routine on initialisation due
to null pointer dereferencing.


@@ -1404,10 +2167,14 @@ memif_stats_get(struct rte_eth_dev *dev, struct
rte_eth_stats *stats)

        /* RX stats */

        for (i = 0; i < nq; i++) {

                mq = dev->data->rx_queues[i];

-               stats->q_ipackets[i] = mq->n_pkts;

-               stats->q_ibytes[i] = mq->n_bytes;

-               stats->ipackets += mq->n_pkts;

-               stats->ibytes += mq->n_bytes;

+        // CTAM test this, as it may not yet initialised!

+        if (mq)

+        {

+                   stats->q_ipackets[i] = mq->n_pkts;

+                   stats->q_ibytes[i] = mq->n_bytes;

+                   stats->ipackets += mq->n_pkts;

+                   stats->ibytes += mq->n_bytes;

+        }

        }


        tmp = (pmd->role == MEMIF_ROLE_CLIENT) ? pmd->run.num_s2c_rings :


This can occur in several places in the stats code, and null dereference
guards are needed in all locations.


Hope this helps someone else.


John

[-- Attachment #2: Type: text/html, Size: 18833 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: memif driver segfault memory corruption.
  2022-07-16  0:15 memif driver segfault memory corruption John Weston
@ 2022-07-18  8:17 ` Ferruh Yigit
  0 siblings, 0 replies; 2+ messages in thread
From: Ferruh Yigit @ 2022-07-18  8:17 UTC (permalink / raw)
  To: John Weston; +Cc: dev, Jakub Grajciar

On 7/16/2022 1:15 AM, John Weston wrote:
> Hi,
> 
> I have been working on the dpdk memif driver and encountered 
> the following issues. Please consider these patches for review.
> 
> Firstly, the zero copy code in drivers/net/memif/rte_eth_memif.c can 
> readilly overflow the ring buffer for mbufs. This patch adjusts the 
> n_slots used in rte_poktmbuf_alloc_bulk to ensure it does not run off 
> the end of the buffers list.
> 
> dev@dpdk.org <mailto:dev@dpdk.org>@@ -524,14 +1196,23 @@ refill:
> 
> */
> head = __atomic_load_n(&ring->head, __ATOMIC_RELAXED);
> n_slots = ring_size - head + mq->last_tail;
> -
> - if (n_slots < 32)
> - goto no_free_mbufs;
> +// CTAM - critical BUG FIX !
> +#if 1
> +// only work within mask so alloc_bulk does not overrun the buffers array
> +if ((head&mask) + n_slots > ring_size)
> +{
> +n_slots = ring_size - (head&mask);
> +}
> +if (n_slots <=0)
> + goto no_free_mbufs;
> +#else
> +if (n_slots < 32)
> + goto no_free_mbufs;
> +#endif
> 
> ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], 
> n_slots);
> if (unlikely(ret < 0))
> goto no_free_mbufs;
> -
> while (n_slots--) {
> s0 = head++ & mask;
> if (n_slots > 0)
> 
> 
> Secondly, a segfault can occur on the stats routine on initialisation 
> due to null pointer dereferencing.
> 
> @@ -1404,10 +2167,14 @@ memif_stats_get(struct rte_eth_dev *dev, struct 
> rte_eth_stats *stats)
> 
> /* RX stats */
> for (i = 0; i < nq; i++) {
> mq = dev->data->rx_queues[i];
> - stats->q_ipackets[i] = mq->n_pkts;
> - stats->q_ibytes[i] = mq->n_bytes;
> - stats->ipackets += mq->n_pkts;
> - stats->ibytes += mq->n_bytes;
> +// CTAM test this, as it may not yet initialised!
> +if (mq)
> +{
> + stats->q_ipackets[i] = mq->n_pkts;
> + stats->q_ibytes[i] = mq->n_bytes;
> + stats->ipackets += mq->n_pkts;
> + stats->ibytes += mq->n_bytes;
> +}
> }
> 
> tmp = (pmd->role == MEMIF_ROLE_CLIENT) ? pmd->run.num_s2c_rings :
> 
> This can occur in several places in the stats code, and null dereference 
> guards are needed in all locations.
> 
> Hope this helps someone else.
> 
> John

Hi John,

Thanks for reporting. Cc'ed memif maintainer.

Meanwhile, can you please submit a defect to bugzilla [1], to be sure 
issue is recorded properly?

Also if you want to contribute the fix yourself, please check the 
contribution guide:
https://doc.dpdk.org/guides/contributing/patches.html


[1]
https://bugs.dpdk.org/


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-07-18  8:17 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-16  0:15 memif driver segfault memory corruption John Weston
2022-07-18  8:17 ` Ferruh Yigit

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).