From: Ferruh Yigit
Date: Mon, 18 Jul 2022 09:17:20 +0100
Subject: Re: memif driver segfault memory corruption.
To: John Weston
CC: Jakub Grajciar
Message-ID: <0017fca5-e52e-d7c9-248d-376840ac3c5e@xilinx.com>
List-Id: DPDK patches and discussions

On 7/16/2022 1:15 AM, John Weston wrote:
> Hi,
>
> I have been working on the dpdk memif driver and encountered
> the following issues. Please consider these patches for review.
>
> Firstly, the zero copy code in drivers/net/memif/rte_eth_memif.c can
> readily overflow the ring buffer for mbufs. This patch adjusts the
> n_slots used in rte_pktmbuf_alloc_bulk to ensure it does not run off
> the end of the buffers list.
>
> dev@dpdk.org @@ -524,14 +1196,23 @@ refill: > > */ > head = __atomic_load_n(&ring->head, __ATOMIC_RELAXED); > n_slots = ring_size - head + mq->last_tail; > - > - if (n_slots < 32) > - goto no_free_mbufs; > +// CTAM - critical BUG FIX ! > +#if 1 > +// only work within mask so alloc_bulk does not overrun the buffers array > +if ((head&mask) + n_slots > ring_size) > +{ > +n_slots = ring_size - (head&mask); > +} > +if (n_slots <=0) > + goto no_free_mbufs; > +#else > +if (n_slots < 32) > + goto no_free_mbufs; > +#endif > > ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], > n_slots); > if (unlikely(ret < 0)) > goto no_free_mbufs; > - > while (n_slots--) { > s0 = head++ & mask; > if (n_slots > 0)
>
>
> Secondly, a segfault can occur on the stats routine on initialisation
> due to null pointer dereferencing.
>
> @@ -1404,10 +2167,14 @@ memif_stats_get(struct rte_eth_dev *dev, struct > rte_eth_stats *stats) > > /* RX stats */ > for (i = 0; i < nq; i++) { > mq = dev->data->rx_queues[i]; > - stats->q_ipackets[i] = mq->n_pkts; > - stats->q_ibytes[i] = mq->n_bytes; > - stats->ipackets += mq->n_pkts; > - stats->ibytes += mq->n_bytes; > +// CTAM test this, as it may not yet initialised! > +if (mq) > +{ > + stats->q_ipackets[i] = mq->n_pkts; > + stats->q_ibytes[i] = mq->n_bytes; > + stats->ipackets += mq->n_pkts; > + stats->ibytes += mq->n_bytes; > +} > } > > tmp = (pmd->role == MEMIF_ROLE_CLIENT) ? pmd->run.num_s2c_rings :
>
> This can occur in several places in the stats code, and null dereference
> guards are needed in all locations.
>
> Hope this helps someone else.
>
> John

Hi John,

Thanks for reporting. Cc'ed memif maintainer.

Meanwhile, can you please submit a defect to bugzilla [1], to be sure the
issue is recorded properly?

Also if you want to contribute the fix yourself, please check the
contribution guide:
https://doc.dpdk.org/guides/contributing/patches.html

[1] https://bugs.dpdk.org/
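
Review bot: In the first hunk (at "refill:"), the new guard "if (n_slots <=0)" replaces the old "n_slots < 32" minimum, so rte_pktmbuf_alloc_bulk is now called for as little as one free slot, while the description only mentions the overrun. Either say why the batching threshold is dropped or keep it on the count computed before the clamp. The clamp "n_slots = ring_size - (head&mask);" also leaves any free slots that wrap to index 0 unfilled until a later call; a second bulk allocation for the remainder would cover them, or the comment should state that a partial refill is intended. The declaration of n_slots is not visible here: if it is unsigned, "<=0" only ever matches zero. For submission, drop the "#if 1"/"#else"/"#endif" scaffolding with its dead old branch and the "// CTAM" comments, and indent the added lines like the surrounding code.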
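
Review bot: In the second hunk (memif_stats_get), the "if (mq)" guard is added only inside the RX stats loop, yet the message says the same NULL dereference occurs in several places in the stats code. The patch should carry the guard for every such queue pointer, not just rx_queues[i], otherwise the segfault it describes remains reachable. An early "if (mq == NULL) continue;" right after "mq = dev->data->rx_queues[i];" would avoid re-indenting the four counter lines. The "// CTAM test this" comment should become a short comment stating when a queue entry can still be NULL, which the hunk does not explain.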