patch 'net/bnxt: fix array overflow' has been queued to stable release 21.11.7
Kevin Traynor
ktraynor at redhat.com
Tue Mar 5 16:34:31 CET 2024
Hi,
FYI, your patch has been queued to stable release 21.11.7
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/11/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/f6e82481277302959b2e0b05a73a61d5607ec240
Thanks.
Kevin
---
>From f6e82481277302959b2e0b05a73a61d5607ec240 Mon Sep 17 00:00:00 2001
From: Ajit Khaparde <ajit.khaparde at broadcom.com>
Date: Mon, 11 Dec 2023 09:11:03 -0800
Subject: [PATCH] net/bnxt: fix array overflow
[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]
In some cases the number of elements in the context memory array
can exceed the MAX_CTX_PAGES and that can cause the static members
ctx_pg_arr and ctx_dma_arr to overflow.
Allocate them dynamically to prevent this overflow.
Fixes: f8168ca0e690 ("net/bnxt: support thor controller")
Signed-off-by: Ajit Khaparde <ajit.khaparde at broadcom.com>
Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli at broadcom.com>
---
drivers/net/bnxt/bnxt.h | 4 ++--
drivers/net/bnxt/bnxt_ethdev.c | 42 +++++++++++++++++++++++++++-------
2 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/drivers/net/bnxt/bnxt.h b/drivers/net/bnxt/bnxt.h
index 76783eb3a1..31761f4804 100644
--- a/drivers/net/bnxt/bnxt.h
+++ b/drivers/net/bnxt/bnxt.h
@@ -442,6 +442,6 @@ struct bnxt_ring_mem_info {
struct bnxt_ctx_pg_info {
uint32_t entries;
- void *ctx_pg_arr[MAX_CTX_PAGES];
- rte_iova_t ctx_dma_arr[MAX_CTX_PAGES];
+ void **ctx_pg_arr;
+ rte_iova_t *ctx_dma_arr;
struct bnxt_ring_mem_info ring_mem;
};
diff --git a/drivers/net/bnxt/bnxt_ethdev.c b/drivers/net/bnxt/bnxt_ethdev.c
index 44fd45a4e9..55f96f0699 100644
--- a/drivers/net/bnxt/bnxt_ethdev.c
+++ b/drivers/net/bnxt/bnxt_ethdev.c
@@ -4691,5 +4691,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
struct bnxt_ring_mem_info *rmem = &ctx_pg->ring_mem;
const struct rte_memzone *mz = NULL;
- char mz_name[RTE_MEMZONE_NAMESIZE];
+ char name[RTE_MEMZONE_NAMESIZE];
rte_iova_t mz_phys_addr;
uint64_t valid_bits = 0;
@@ -4703,4 +4703,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
BNXT_PAGE_SIZE;
rmem->page_size = BNXT_PAGE_SIZE;
+
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_pg_arr%s_%x_%d",
+ suffix, idx, bp->eth_dev->data->port_id);
+ ctx_pg->ctx_pg_arr = rte_zmalloc(name, sizeof(void *) * rmem->nr_pages, 0);
+ if (ctx_pg->ctx_pg_arr == NULL)
+ return -ENOMEM;
+
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_dma_arr%s_%x_%d",
+ suffix, idx, bp->eth_dev->data->port_id);
+ ctx_pg->ctx_dma_arr = rte_zmalloc(name, sizeof(rte_iova_t *) * rmem->nr_pages, 0);
+ if (ctx_pg->ctx_dma_arr == NULL)
+ return -ENOMEM;
+
rmem->pg_arr = ctx_pg->ctx_pg_arr;
rmem->dma_arr = ctx_pg->ctx_dma_arr;
@@ -4710,11 +4723,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
if (rmem->nr_pages > 1) {
- snprintf(mz_name, RTE_MEMZONE_NAMESIZE,
+ snprintf(name, RTE_MEMZONE_NAMESIZE,
"bnxt_ctx_pg_tbl%s_%x_%d",
suffix, idx, bp->eth_dev->data->port_id);
- mz_name[RTE_MEMZONE_NAMESIZE - 1] = 0;
- mz = rte_memzone_lookup(mz_name);
+ name[RTE_MEMZONE_NAMESIZE - 1] = 0;
+ mz = rte_memzone_lookup(name);
if (!mz) {
- mz = rte_memzone_reserve_aligned(mz_name,
+ mz = rte_memzone_reserve_aligned(name,
rmem->nr_pages * 8,
bp->eth_dev->device->numa_node,
@@ -4735,9 +4748,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
}
- snprintf(mz_name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
suffix, idx, bp->eth_dev->data->port_id);
- mz = rte_memzone_lookup(mz_name);
+ mz = rte_memzone_lookup(name);
if (!mz) {
- mz = rte_memzone_reserve_aligned(mz_name,
+ mz = rte_memzone_reserve_aligned(name,
mem_size,
bp->eth_dev->device->numa_node,
@@ -4785,4 +4798,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
bp->ctx->flags &= ~BNXT_CTX_FLAG_INITED;
+ rte_free(bp->ctx->qp_mem.ctx_pg_arr);
+ rte_free(bp->ctx->srq_mem.ctx_pg_arr);
+ rte_free(bp->ctx->cq_mem.ctx_pg_arr);
+ rte_free(bp->ctx->vnic_mem.ctx_pg_arr);
+ rte_free(bp->ctx->stat_mem.ctx_pg_arr);
+ rte_free(bp->ctx->qp_mem.ctx_dma_arr);
+ rte_free(bp->ctx->srq_mem.ctx_dma_arr);
+ rte_free(bp->ctx->cq_mem.ctx_dma_arr);
+ rte_free(bp->ctx->vnic_mem.ctx_dma_arr);
+ rte_free(bp->ctx->stat_mem.ctx_dma_arr);
+
rte_memzone_free(bp->ctx->qp_mem.ring_mem.mz);
rte_memzone_free(bp->ctx->srq_mem.ring_mem.mz);
@@ -4797,4 +4821,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
for (i = 0; i < bp->ctx->tqm_fp_rings_count + 1; i++) {
+ rte_free(bp->ctx->tqm_mem[i]->ctx_pg_arr);
+ rte_free(bp->ctx->tqm_mem[i]->ctx_dma_arr);
if (bp->ctx->tqm_mem[i])
rte_memzone_free(bp->ctx->tqm_mem[i]->ring_mem.mz);
--
2.43.2
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2024-03-05 14:08:56.021503363 +0000
+++ 0058-net-bnxt-fix-array-overflow.patch 2024-03-05 14:08:54.706520913 +0000
@@ -1 +1 @@
-From 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 Mon Sep 17 00:00:00 2001
+From f6e82481277302959b2e0b05a73a61d5607ec240 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]
+
@@ -12 +13,0 @@
-Cc: stable at dpdk.org
@@ -22 +23 @@
-index 50f59552fa..dd08393b82 100644
+index 76783eb3a1..31761f4804 100644
@@ -25 +26 @@
-@@ -456,6 +456,6 @@ struct bnxt_ring_mem_info {
+@@ -442,6 +442,6 @@ struct bnxt_ring_mem_info {
@@ -35 +36 @@
-index b0589e2e49..762d863f14 100644
+index 44fd45a4e9..55f96f0699 100644
@@ -38 +39 @@
-@@ -4770,5 +4770,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4691,5 +4691,5 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -45 +46 @@
-@@ -4782,4 +4782,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4703,4 +4703,17 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -63 +64 @@
-@@ -4789,11 +4802,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4710,11 +4723,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -79 +80 @@
-@@ -4814,9 +4827,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4735,9 +4748,9 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -92 +93 @@
-@@ -4864,4 +4877,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4785,4 +4798,15 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
@@ -108 +109 @@
-@@ -4876,4 +4900,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4797,4 +4821,6 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
More information about the stable
mailing list