DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2018-05-07  9:50 Qi Zhang
  2018-05-08  6:24 ` Zhao1, Wei
  2018-05-09 13:58 ` Thomas Monjalon
  0 siblings, 2 replies; 7+ messages in thread
From: Qi Zhang @ 2018-05-07  9:50 UTC (permalink / raw)
  To: adrien.mazarguil; +Cc: yuan.peng, wei.zhao1, dev, Qi Zhang

When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.

Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")

Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
 app/test-pmd/config.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
 		dst.raw = buf;
 		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
 				     sizeof(*src.raw->pattern));
-		size = off + src.raw->length * sizeof(*src.raw->pattern);
+		size = off + ((const struct rte_flow_item_raw *)item->spec)->
+			length * sizeof(*src.raw->pattern);
 		if (dst.raw) {
 			memcpy(dst.raw, src.raw, sizeof(*src.raw));
 			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
-- 
2.13.6

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
  2018-05-07  9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
@ 2018-05-08  6:24 ` Zhao1, Wei
  2018-05-08  8:31   ` Zhang, Qi Z
  2018-05-09 13:58 ` Thomas Monjalon
  1 sibling, 1 reply; 7+ messages in thread
From: Zhao1, Wei @ 2018-05-08  6:24 UTC (permalink / raw)
  To: Zhang, Qi Z, adrien.mazarguil; +Cc: Peng, Yuan, dev

Hi, zhang qi 
  This  fix patch to DPDK.or is also useful for igb flex byte core dump issue.
I have validation it. But there is some patch check warning.
https://dpdk.org/dev/patchwork/patch/39417/



> -----Original Message-----
> From: Zhang, Qi Z
> Sent: Monday, May 7, 2018 5:51 PM
> To: adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei <wei.zhao1@intel.com>;
> dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> Subject: [PATCH] app/testpmd: fix invalid memory access
> 
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
> 
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> 
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> ---
>  app/test-pmd/config.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> 16fc481ce..bcaf429c4 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> rte_flow_item *item,
>  		dst.raw = buf;
>  		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
>  				     sizeof(*src.raw->pattern));
> -		size = off + src.raw->length * sizeof(*src.raw->pattern);
> +		size = off + ((const struct rte_flow_item_raw *)item->spec)->
> +			length * sizeof(*src.raw->pattern);
>  		if (dst.raw) {
>  			memcpy(dst.raw, src.raw, sizeof(*src.raw));
>  			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> --
> 2.13.6

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
  2018-05-08  6:24 ` Zhao1, Wei
@ 2018-05-08  8:31   ` Zhang, Qi Z
  0 siblings, 0 replies; 7+ messages in thread
From: Zhang, Qi Z @ 2018-05-08  8:31 UTC (permalink / raw)
  To: Zhao1, Wei, adrien.mazarguil; +Cc: Peng, Yuan, dev

Hi Zhao Wei:

> -----Original Message-----
> From: Zhao1, Wei
> Sent: Tuesday, May 8, 2018 2:24 PM
> To: Zhang, Qi Z <qi.z.zhang@intel.com>; adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] app/testpmd: fix invalid memory access
> 
> Hi, zhang qi
>   This  fix patch to DPDK.or is also useful for igb flex byte core dump issue.
> I have validation it. But there is some patch check warning.
> https://dpdk.org/dev/patchwork/patch/39417/

Thanks for testing, I will capture the typo if Adrien agree with the fix.

Regards
Qi

> 
> 
> 
> > -----Original Message-----
> > From: Zhang, Qi Z
> > Sent: Monday, May 7, 2018 5:51 PM
> > To: adrien.mazarguil@6wind.com
> > Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei
> <wei.zhao1@intel.com>;
> > dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> > Subject: [PATCH] app/testpmd: fix invalid memory access
> >
> > When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> > mask->length is not the real size of binary pattern, it should take
> > spec->length, or memory size will be over counted (0xffff) and invalid
> > memory be access during following memcpy.
> >
> > Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> >
> > Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> > ---
> >  app/test-pmd/config.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> > 16fc481ce..bcaf429c4 100644
> > --- a/app/test-pmd/config.c
> > +++ b/app/test-pmd/config.c
> > @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> > rte_flow_item *item,
> >  		dst.raw = buf;
> >  		off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> >  				     sizeof(*src.raw->pattern));
> > -		size = off + src.raw->length * sizeof(*src.raw->pattern);
> > +		size = off + ((const struct rte_flow_item_raw *)item->spec)->
> > +			length * sizeof(*src.raw->pattern);
> >  		if (dst.raw) {
> >  			memcpy(dst.raw, src.raw, sizeof(*src.raw));
> >  			dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> > --
> > 2.13.6

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
  2018-05-07  9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
  2018-05-08  6:24 ` Zhao1, Wei
@ 2018-05-09 13:58 ` Thomas Monjalon
  1 sibling, 0 replies; 7+ messages in thread
From: Thomas Monjalon @ 2018-05-09 13:58 UTC (permalink / raw)
  To: Qi Zhang; +Cc: dev, adrien.mazarguil, yuan.peng, wei.zhao1

07/05/2018 11:50, Qi Zhang:
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
> 
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> 
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>

Applied, thanks

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
  2021-10-12  7:50 ` Li, Xiaoyun
@ 2021-10-12  8:21   ` Sunil Kumar Kori
  0 siblings, 0 replies; 7+ messages in thread
From: Sunil Kumar Kori @ 2021-10-12  8:21 UTC (permalink / raw)
  To: Li, Xiaoyun; +Cc: dev, stable, Dumitrescu, Cristian

Regards
Sunil Kumar Kori

>-----Original Message-----
>From: Li, Xiaoyun <xiaoyun.li@intel.com>
>Sent: Tuesday, October 12, 2021 1:21 PM
>To: Sunil Kumar Kori <skori@marvell.com>
>Cc: dev@dpdk.org; stable@dpdk.org; Dumitrescu, Cristian
><cristian.dumitrescu@intel.com>
>Subject: [EXT] RE: [PATCH] app/testpmd: fix invalid memory access
>
>External Email
>
>----------------------------------------------------------------------
>Hi
>
>> -----Original Message-----
>> From: skori@marvell.com <skori@marvell.com>
>> Sent: Tuesday, October 12, 2021 15:36
>> To: Li, Xiaoyun <xiaoyun.li@intel.com>
>> Cc: dev@dpdk.org; Sunil Kumar Kori <skori@marvell.com>;
>> stable@dpdk.org
>> Subject: [PATCH] app/testpmd: fix invalid memory access
>>
>> From: Sunil Kumar Kori <skori@marvell.com>
>>
>> During parsing of DSCP entries, memory is allocated and assgined to
>*dscp_table.
>> Later on, same memory is accessed using *dscp_table[i++].
>>
>> Due to higher precedence for array subscript, dscp_table[i++] will be
>> executed first which actually does not point to the same memory which
>> was allocated previously for DSCP table entries.
>>
>> Cc: stable@dpdk.org
>>
>> Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing
>> commands")
>
>I think the fix should be for patch 459463ae6c26 ("app/testpmd: fix memory
>allocation for DSCP table") Also, added metering maintainer.
>
Ack. I will update and share v2.
>BRs
>Xiaoyun
>
>>
>> Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
>> ---
>>  app/test-pmd/cmdline_mtr.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c
>> index
>> b5dcfdadcf..ad7ef6ad98 100644
>> --- a/app/test-pmd/cmdline_mtr.c
>> +++ b/app/test-pmd/cmdline_mtr.c
>> @@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum
>> rte_color
>> **dscp_table)
>>  	while (1) {
>>  		if (strcmp(token, "G") == 0 ||
>>  			strcmp(token, "g") == 0)
>> -			*dscp_table[i++] = RTE_COLOR_GREEN;
>> +			(*dscp_table)[i++] = RTE_COLOR_GREEN;
>>  		else if (strcmp(token, "Y") == 0 ||
>>  			strcmp(token, "y") == 0)
>> -			*dscp_table[i++] = RTE_COLOR_YELLOW;
>> +			(*dscp_table)[i++] = RTE_COLOR_YELLOW;
>>  		else if (strcmp(token, "R") == 0 ||
>>  			strcmp(token, "r") == 0)
>> -			*dscp_table[i++] = RTE_COLOR_RED;
>> +			(*dscp_table)[i++] = RTE_COLOR_RED;
>>  		else {
>>  			free(*dscp_table);
>>  			return -1;
>> --
>> 2.25.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
  2021-10-12  7:36 skori
@ 2021-10-12  7:50 ` Li, Xiaoyun
  2021-10-12  8:21   ` Sunil Kumar Kori
  0 siblings, 1 reply; 7+ messages in thread
From: Li, Xiaoyun @ 2021-10-12  7:50 UTC (permalink / raw)
  To: skori; +Cc: dev, stable, Dumitrescu, Cristian

Hi

> -----Original Message-----
> From: skori@marvell.com <skori@marvell.com>
> Sent: Tuesday, October 12, 2021 15:36
> To: Li, Xiaoyun <xiaoyun.li@intel.com>
> Cc: dev@dpdk.org; Sunil Kumar Kori <skori@marvell.com>; stable@dpdk.org
> Subject: [PATCH] app/testpmd: fix invalid memory access
> 
> From: Sunil Kumar Kori <skori@marvell.com>
> 
> During parsing of DSCP entries, memory is allocated and assgined to *dscp_table.
> Later on, same memory is accessed using *dscp_table[i++].
> 
> Due to higher precedence for array subscript, dscp_table[i++] will be executed
> first which actually does not point to the same memory which was allocated
> previously for DSCP table entries.
> 
> Cc: stable@dpdk.org
> 
> Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing commands")

I think the fix should be for patch 459463ae6c26 ("app/testpmd: fix memory allocation for DSCP table")
Also, added metering maintainer.

BRs
Xiaoyun

> 
> Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
> ---
>  app/test-pmd/cmdline_mtr.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c index
> b5dcfdadcf..ad7ef6ad98 100644
> --- a/app/test-pmd/cmdline_mtr.c
> +++ b/app/test-pmd/cmdline_mtr.c
> @@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum rte_color
> **dscp_table)
>  	while (1) {
>  		if (strcmp(token, "G") == 0 ||
>  			strcmp(token, "g") == 0)
> -			*dscp_table[i++] = RTE_COLOR_GREEN;
> +			(*dscp_table)[i++] = RTE_COLOR_GREEN;
>  		else if (strcmp(token, "Y") == 0 ||
>  			strcmp(token, "y") == 0)
> -			*dscp_table[i++] = RTE_COLOR_YELLOW;
> +			(*dscp_table)[i++] = RTE_COLOR_YELLOW;
>  		else if (strcmp(token, "R") == 0 ||
>  			strcmp(token, "r") == 0)
> -			*dscp_table[i++] = RTE_COLOR_RED;
> +			(*dscp_table)[i++] = RTE_COLOR_RED;
>  		else {
>  			free(*dscp_table);
>  			return -1;
> --
> 2.25.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2021-10-12  7:36 skori
  2021-10-12  7:50 ` Li, Xiaoyun
  0 siblings, 1 reply; 7+ messages in thread
From: skori @ 2021-10-12  7:36 UTC (permalink / raw)
  To: Xiaoyun Li; +Cc: dev, Sunil Kumar Kori, stable

From: Sunil Kumar Kori <skori@marvell.com>

During parsing of DSCP entries, memory is allocated and assgined
to *dscp_table. Later on, same memory is accessed using
*dscp_table[i++].

Due to higher precedence for array subscript, dscp_table[i++] will
be executed first which actually does not point to the same memory
which was allocated previously for DSCP table entries.

Cc: stable@dpdk.org

Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing commands")

Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
---
 app/test-pmd/cmdline_mtr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c
index b5dcfdadcf..ad7ef6ad98 100644
--- a/app/test-pmd/cmdline_mtr.c
+++ b/app/test-pmd/cmdline_mtr.c
@@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum rte_color **dscp_table)
 	while (1) {
 		if (strcmp(token, "G") == 0 ||
 			strcmp(token, "g") == 0)
-			*dscp_table[i++] = RTE_COLOR_GREEN;
+			(*dscp_table)[i++] = RTE_COLOR_GREEN;
 		else if (strcmp(token, "Y") == 0 ||
 			strcmp(token, "y") == 0)
-			*dscp_table[i++] = RTE_COLOR_YELLOW;
+			(*dscp_table)[i++] = RTE_COLOR_YELLOW;
 		else if (strcmp(token, "R") == 0 ||
 			strcmp(token, "r") == 0)
-			*dscp_table[i++] = RTE_COLOR_RED;
+			(*dscp_table)[i++] = RTE_COLOR_RED;
 		else {
 			free(*dscp_table);
 			return -1;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-10-12  8:21 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-07  9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
2018-05-08  6:24 ` Zhao1, Wei
2018-05-08  8:31   ` Zhang, Qi Z
2018-05-09 13:58 ` Thomas Monjalon
2021-10-12  7:36 skori
2021-10-12  7:50 ` Li, Xiaoyun
2021-10-12  8:21   ` Sunil Kumar Kori

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).