From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Tue, 01 Sep 2020 07:57:25 +0000
Subject: [dpdk-dev] [Bug 533] stack corruption in mlx5_xstats_reset when number of stats changes

https://bugs.dpdk.org/show_bug.cgi?id=533

            Bug ID: 533
           Summary: stack corruption in mlx5_xstats_reset when number of stats changes
           Product: DPDK
           Version: 20.08
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: ethdev
          Assignee: dev@dpdk.org
          Reporter: ralf.hoffmann@allegro-packets.com
  Target Milestone: ---

Created attachment 120
  --> https://bugs.dpdk.org/attachment.cgi?id=120&action=edit
Patch to fix stack corruption

I stumbled across a crash in the Mellanox driver due to stack corruption. The function mlx5_xstats_reset() uses a dynamically sized array on the stack based on the last number of statistic values. Then it queries the actual number of stats. If the returned value is larger than the previous number, it will overwrite the stack frame, including the return addresses, usually resulting in a crash. In my case the initial value of xstats_ctrl->mlx5_stats_n was zero and the return value of mlx5_os_get_stats_n() was 24, so it overwrote 96 bytes on the stack.

The problem became visible after the update to 20.08. Apparently some statistic code has been refactored, which now triggers this problem in our code, but the actual problem in the reset function has existed for a long time. We are calling rte_eth_xstats_reset() before calling rte_eth_xstats_get() to get the available statistics from the driver.

There are two problems in this function:

1. The array is created not based on the actual number of items, but the previously known number of items.
2. The function mlx5_os_read_dev_counters() just gets a pointer to the array without knowing its size, making it unsafe to use.

I have attached a patch which works for me by using alloca instead. Since this is not completely portable, another approach can be using a separate scope block for the dynamically sized array.

If it matters, the card we used is MCX516A-CDAT.

-- 
You are receiving this mail because:
You are the assignee for the bug.
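
The two problems listed in the report, sketched as a hardened pattern. This is an added example, not the attached patch and not DPDK code: every `toy_*` name, the `TOY_MAX_STATS` limit and the counter values are hypothetical stand-ins. The reset path queries the current count before sizing its buffer, and the reader takes the buffer capacity and refuses to write past it.

```c
/* Added illustration: toy_* names are hypothetical stand-ins, not DPDK code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAX_STATS 64

struct toy_dev {
    unsigned int hw_stats_n;      /* count the device reports right now */
    uint64_t hw[TOY_MAX_STATS];   /* constructed sample counter values */
    unsigned int known_stats_n;   /* count cached by the last query */
    uint64_t base[TOY_MAX_STATS]; /* baseline recorded by a reset */
};

/* Stand-in for the "how many stats are there" query. */
static int toy_get_stats_n(const struct toy_dev *d)
{
    return d->hw_stats_n <= TOY_MAX_STATS ? (int)d->hw_stats_n : -1;
}

/* Reader that is told the buffer capacity and never writes beyond it. */
static int toy_read_counters(const struct toy_dev *d, uint64_t *out, size_t cap)
{
    if (out == NULL || d->hw_stats_n > TOY_MAX_STATS || cap < d->hw_stats_n)
        return -1;
    memcpy(out, d->hw, d->hw_stats_n * sizeof(*out));
    return (int)d->hw_stats_n;
}

/* Reset: size the buffer from the count queried now, not the cached one. */
static int toy_xstats_reset(struct toy_dev *d)
{
    int n = toy_get_stats_n(d);
    uint64_t *counters;
    int ret = -1;

    if (n < 0)
        return -1;
    counters = calloc(n ? (size_t)n : 1, sizeof(*counters));
    if (counters == NULL)
        return -1;
    if (toy_read_counters(d, counters, (size_t)n) == n) {
        memcpy(d->base, counters, (size_t)n * sizeof(*counters));
        d->known_stats_n = (unsigned int)n;
        ret = 0;
    }
    free(counters);
    return ret;
}
```

With the cached count at zero and the device reporting 24 counters, as in the report, the reset completes and the cached count becomes 24; a caller that passes a buffer that is too small gets an error and its buffer is left untouched.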