patch 'mbuf: fix packet data read' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Fri Mar 27 11:01:28 CET 2026

Previous message (by thread): patch 'dts: avoid resources conflict on quick stop/start' has been queued to stable release 25.11.1
Next message (by thread): patch 'doc: update AMD EPYC guide' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/31/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/ee30b417b15aa4b351e0f0e697d5f1cf10d0dcf1

Thanks.

Kevin

---
>From ee30b417b15aa4b351e0f0e697d5f1cf10d0dcf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Morten=20Br=C3=B8rup?= <mb at smartsharesystems.com>
Date: Thu, 19 Mar 2026 12:43:29 +0000
Subject: [PATCH] mbuf: fix packet data read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[ upstream commit 45f1da4401f0934ae1d5e194d8bf689c8d7a6300 ]

The sum of offset + length, both 32 bit unsigned integers, could wrap
around, causing comparisons to give the wrong result.
This was fixed by using 64 bit instead of 32 bit for calculating the sum.

Note:
When the branch is not taken for the initial "if ((uint64_t)off + len >
rte_pktmbuf_pkt_len(m))" comparison, the sum is known to not exceed the
maximum possible value of rte_pktmbuf_pkt_len(m), UINT32_MAX, and
following sum calculations can proceed using 32 bit.

Also, fixed a related bug in an mbuf test case:
It expected reading a length of UINT_MAX from a non-zero offset to not
fail.
And due to the offset+length wraparound bug, the read operation did not
fail.
This test case was updated to expect the read operation to fail.

Fixes: b84110e7baa2 ("mbuf: add function to read packet data")
Fixes: 7b295dceea07 ("test/mbuf: add unit test cases")

Signed-off-by: Morten Brørup <mb at smartsharesystems.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Acked-by: Marat Khalili <marat.khalili at huawei.com>
Tested-by: Marat Khalili <marat.khalili at huawei.com>
---
 app/test/test_mbuf.c | 18 +++++++++---------
 lib/mbuf/rte_mbuf.c  |  2 +-
 lib/mbuf/rte_mbuf.h  |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/app/test/test_mbuf.c b/app/test/test_mbuf.c
index 17be977f31..408c3d70b2 100644
--- a/app/test/test_mbuf.c
+++ b/app/test/test_mbuf.c
@@ -2018,5 +2018,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
 	if (rte_pktmbuf_read(m, hdr_len, rte_pktmbuf_data_len(m) + 1,
 				NULL) != NULL)
-		GOTO_FAIL("%s: Requested len is larger than mbuf data len!\n",
+		GOTO_FAIL("%s: Requested offset + len is larger than mbuf data len!\n",
 				__func__);
 
@@ -2024,5 +2024,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
 	if (rte_pktmbuf_read(m, hdr_len, rte_pktmbuf_pkt_len(m) + 1,
 				NULL) != NULL)
-		GOTO_FAIL("%s: Requested len is larger than mbuf pkt len!\n",
+		GOTO_FAIL("%s: Requested offset + len is larger than mbuf pkt len!\n",
 				__func__);
 
@@ -2046,19 +2046,19 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
 	/* read data of max length from valid offset */
 	data_copy = rte_pktmbuf_read(m, hdr_len, UINT_MAX, NULL);
-	if (data_copy == NULL)
-		GOTO_FAIL("%s: Error in reading packet data!\n", __func__);
-	/* check if the received address is the beginning of data segment */
-	if (data_copy != data)
-		GOTO_FAIL("%s: Corrupted data address!\n", __func__);
+	if (data_copy != NULL)
+		GOTO_FAIL("%s: Requested offset + max len is larger than mbuf pkt len!\n",
+				__func__);
 
 	/* try to read from mbuf with max size offset */
 	data_copy = rte_pktmbuf_read(m, UINT_MAX, 0, NULL);
 	if (data_copy != NULL)
-		GOTO_FAIL("%s: Error in reading packet data!\n", __func__);
+		GOTO_FAIL("%s: Requested max offset is larger than mbuf pkt len!\n",
+				__func__);
 
 	/* try to read from mbuf with max size offset and len */
 	data_copy = rte_pktmbuf_read(m, UINT_MAX, UINT_MAX, NULL);
 	if (data_copy != NULL)
-		GOTO_FAIL("%s: Error in reading packet data!\n", __func__);
+		GOTO_FAIL("%s: Requested max offset + max len is larger than mbuf pkt len!\n",
+				__func__);
 
 	rte_pktmbuf_dump(stdout, m, rte_pktmbuf_pkt_len(m));
diff --git a/lib/mbuf/rte_mbuf.c b/lib/mbuf/rte_mbuf.c
index 0d931c7a15..421fdb148a 100644
--- a/lib/mbuf/rte_mbuf.c
+++ b/lib/mbuf/rte_mbuf.c
@@ -792,5 +792,5 @@ const void *__rte_pktmbuf_read(const struct rte_mbuf *m, uint32_t off,
 	uint32_t buf_off = 0, copy_len;
 
-	if (off + len > rte_pktmbuf_pkt_len(m))
+	if ((uint64_t)off + len > rte_pktmbuf_pkt_len(m))
 		return NULL;
 
diff --git a/lib/mbuf/rte_mbuf.h b/lib/mbuf/rte_mbuf.h
index 2004391f57..64f337c51c 100644
--- a/lib/mbuf/rte_mbuf.h
+++ b/lib/mbuf/rte_mbuf.h
@@ -1838,5 +1838,5 @@ static inline const void *rte_pktmbuf_read(const struct rte_mbuf *m,
 	uint32_t off, uint32_t len, void *buf)
 {
-	if (likely(off + len <= rte_pktmbuf_data_len(m)))
+	if (likely((uint64_t)off + len <= rte_pktmbuf_data_len(m)))
 		return rte_pktmbuf_mtod_offset(m, char *, off);
 	else
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-03-27 09:58:26.964528421 +0000
+++ 0028-mbuf-fix-packet-data-read.patch	2026-03-27 09:58:26.153625507 +0000
@@ -1 +1 @@
-From 45f1da4401f0934ae1d5e194d8bf689c8d7a6300 Mon Sep 17 00:00:00 2001
+From ee30b417b15aa4b351e0f0e697d5f1cf10d0dcf1 Mon Sep 17 00:00:00 2001
@@ -8,0 +9,2 @@
+[ upstream commit 45f1da4401f0934ae1d5e194d8bf689c8d7a6300 ]
+
@@ -28 +29,0 @@
-Cc: stable at dpdk.org
@@ -41 +42 @@
-index a41d2d0f97..db23259745 100644
+index 17be977f31..408c3d70b2 100644
@@ -44 +45 @@
-@@ -2038,5 +2038,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
+@@ -2018,5 +2018,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
@@ -51 +52 @@
-@@ -2044,5 +2044,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
+@@ -2024,5 +2024,5 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
@@ -58 +59 @@
-@@ -2066,19 +2066,19 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
+@@ -2046,19 +2046,19 @@ test_pktmbuf_read_from_offset(struct rte_mempool *pktmbuf_pool)
@@ -86 +87 @@
-index a5d16e4c97..c2476e7704 100644
+index 0d931c7a15..421fdb148a 100644
@@ -89 +90 @@
-@@ -796,5 +796,5 @@ const void *__rte_pktmbuf_read(const struct rte_mbuf *m, uint32_t off,
+@@ -792,5 +792,5 @@ const void *__rte_pktmbuf_read(const struct rte_mbuf *m, uint32_t off,
@@ -97 +98 @@
-index 592af2388c..d6602f74bc 100644
+index 2004391f57..64f337c51c 100644
@@ -100 +101 @@
-@@ -1844,5 +1844,5 @@ static inline const void *rte_pktmbuf_read(const struct rte_mbuf *m,
+@@ -1838,5 +1838,5 @@ static inline const void *rte_pktmbuf_read(const struct rte_mbuf *m,

Previous message (by thread): patch 'dts: avoid resources conflict on quick stop/start' has been queued to stable release 25.11.1
Next message (by thread): patch 'doc: update AMD EPYC guide' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list