[dpdk-dev] [PATCH v3 0/4] Memory corruption due to HW rings allocation

[Renata Saiakhova]

Hi Ferruh,

I've just send a new corrected version of the patchset, which takes into 
account the comments of Wie and Jeff, hope it is OK now.

Kind regards and thank you,

Renata


On 06/19/2020 06:54 PM, Ferruh Yigit wrote:
> On 5/18/2020 10:48 AM, Renata Saiakhova wrote:
>> Hi Ferruh,
>>
>> thanks for comments,
>>
>> are the rte_eth_dma_zone_reserve() calls always used to allocate HW rings? It is
>> not totally clear to me. That was partly the reason I don't do the fix for every
>> driver which uses this API. I made fixes in the drivers which uses the same
>> pattern to allocate / release queues, for other drivers I was not sure but
>> anyway I couldn't spend more time for further investigations. In the company I
>> work for we use dpdk for our project and maintain it in separate tree, and the
>> vulnerability with HW rings is a real issue for igb and ixgbe drivers and needs
>> to be fixed. Therefore I would like this patch to be accepted in order to not
>> maintain the fix ourselves. But unfortunately I don't have resources (e.g. time)
>> to fix the issue for all the drivers, because, as I mentioned, they are not
>> following the same pattern to release their queues. So my proposal is that I fix
>> it in this patch in a number of drivers (including igb, ixgbe and i40e) and
>> others can take over and improve other drivers, if they see the same issue. This
>> is also a reason why the drivers' changes are not in one commit for all the drivers.
>>
>> For the proposal adding pmd name as prefix to queue memzone name or update
>> the 'rte_eth_dma_zone_reserve()' to check the size & alignment instead of just a
>> name, I don't know, as an external person, how sensitive dpdk project to change
>> an internal API and existing code (the call should be changed in all the
>> drivers). But anyway, I think the real problem is more an absence of memzone
>> pointer, and in long term it should be solved in this way, rather than search by
>> name.
> Hi Renata,
>
> 'rte_eth_dma_zone_reserve()' returning existing memzone just based on 'name'
> without checking the size, alignment, socket_id seems wrong to me, let me check
> it, it shouldn't be hard to update.
>
> But even 'rte_eth_dma_zone_reserve()' checks won't be enough (what to do if
> check fails and not returns a memzone?), the proper solution is PMD free the
> memzone as they removed, as done in this patch.
>
> Also I suggested prefixing the memzone name as workaround but instead we can go
> with this patchset with the implemented PMDs and other PMD owners can implement
> the free when they need instead of workaround.
>
> There is a comment from Wie to add more frees to i40e, and there is another from
> Jeff on 'rte_eth_dma_zone_free()' return type, can you please check them? So we
> can proceed with this patch for the release.
>
> Thanks,
> ferruh
>
>> Kind regards,
>> Renata
>> --------------------------------------------------------------------------------
>> *From:* Ferruh Yigit <ferruh.yigit at intel.com>
>> *Sent:* Wednesday, May 13, 2020 5:22 PM
>> *To:* Renata Saiakhova <renata.saiakhova at ekinops.com>; dev at dpdk.org <dev at dpdk.org>
>> *Cc:* Anatoly Burakov <anatoly.burakov at intel.com>; Thomas Monjalon
>> <thomas at monjalon.net>; Neil Horman <nhorman at tuxdriver.com>
>> *Subject:* Re: [dpdk-dev] [PATCH v3 0/4] Memory corruption due to HW rings
>> allocation
>>   
>> On 5/13/2020 2:14 PM, Renata Saiakhova wrote:
>>> igb and ixgbe and some other drivers allocate HW rings using rte_eth_dma_zone_reserve(),
>>> which checks first if the memzone exists for a given name, consisting of port
>>> id, queue_id, rx/tx direction, but not for the size, alignment, and socket_id.
>>> If the memzone with a given name exists it is returned, otherwise it is
>>> allocated.
>>> Disconnecting dpdk port from one type of interface (igb) and connecting it
>>> to another type of interface (ixgbe) for the same port id, potentially creates
>>> memory overlap and corruption, because it may require memzone of bigger size.
>>> That's what is happening from switching from igb to ixgbe having the same port
>>> id.
>>>
>>> v2->v3: Remove #undef ETH_DMA_MZONE_NAME and minor changes in code standard
>>> v1->v2: Minor changes on code standard and additional fixes in i40e em and ice drivers
>>>
>>> Renata Saiakhova (4):
>>>     librte_ethdev: Introduce a function to release HW rings
>>>     drivers/net: Fix in igb and ixgbe HW rings memory
>>>     drivers/net: Fix in i40e HW rings memory overlap
>>>     drivers/net: Fix in em and ice HW rings memory overlap
>> I think all driver patches can be squashed into single patch, overall they are
>> implementing same logic.
>>
>> But as mentioned before, there are multiple other drivers allocating HW rings
>> with exact same name. At least I can see:
>> iavf
>> nfp
>> fm10k
>> axgbe
>>
>> Or how can we know if a new PMD won't cause exact same behavior? What to you
>> think adding pmd name as prefix to queue memzone name for all PMDs? This can
>> help new PMDs using existing code as sample.
>>
>> I don't know if it has been discussed before, but wouldn't update the
>> 'rte_eth_dma_zone_reserve()' to check the size & alignment instead of just name
>> fix the issue for all drivers without needing to update them?