patch 'net/memif: fix buffer overflow in zero copy Rx' has been queued to stable release 21.11.9
Kevin Traynor
ktraynor at redhat.com
Wed Nov 27 18:18:01 CET 2024
Hi,

FYI, your patch has been queued to stable release 21.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/02/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/bf824c00c996be87956b82754b1b865dd48819de

Thanks.

Kevin
---
From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
From: Mihai Brodschi <mihai.brodschi at broadcom.com>
Date: Sat, 29 Jun 2024 00:01:29 +0300
Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx

[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]

rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.

Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.

Fixes: 43b815d88188 ("net/memif: support zero-copy slave")

Signed-off-by: Mihai Brodschi <mihai.brodschi at broadcom.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit at amd.com>
---
.mailmap | 1 +
drivers/net/memif/rte_eth_memif.c | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.mailmap b/.mailmap
index 296e6528b6..13eacdbc33 100644
--- a/.mailmap
+++ b/.mailmap
@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski at intel.com>
Michel Machado <michel at digirati.com.br>
Miguel Bernal Marin <miguel.bernal.marin at linux.intel.com>
+Mihai Brodschi <mihai.brodschi at broadcom.com>
Mihai Pogonaru <pogonarumihai at gmail.com>
Mike Baucom <michael.baucom at broadcom.com>
diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
index 88908a42a5..fbef44cdb8 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -535,4 +535,8 @@ refill:
if (unlikely(ret < 0))
goto no_free_mbufs;
+ if (unlikely(n_slots > ring_size - (head & mask))) {
+ rte_memcpy(mq->buffers, &mq->buffers[ring_size],
+ (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *));
+ }
while (n_slots--) {
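Review bot: the copy-back guarded by `n_slots > ring_size - (head & mask)` stays in bounds only while `n_slots <= ring_size`, because the other hunk reserves exactly one extra ring of slack, and neither that bound nor the reason entries exist at `&mq->buffers[ring_size]` is stated at this site. A short comment pointing at the 2x allocation in `memif_init_queues`, plus an assertion or comment on the `n_slots` bound, would keep this block from being read as a copy from unowned memory. The entries above `ring_size` also keep their old pointers after the `rte_memcpy`, so it is worth saying that only the first `ring_size` entries are authoritative.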
@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)
mq->buffers = NULL;
if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) {
+ /*
+ * Allocate 2x ring_size to reserve a contiguous array for
+ * rte_pktmbuf_alloc_bulk (to store allocated mbufs).
+ */
mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) *
- (1 << mq->log2_ring_size), 0);
+ (1 << (mq->log2_ring_size + 1)), 0);
if (mq->buffers == NULL)
return -ENOMEM;
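Review bot: the doubled length is spelled `1 << (mq->log2_ring_size + 1)` here, while the refill hunk reaches the spare half through `ring_size`, so the two sites agree only by convention; a shared macro or helper for the buffer-array length would keep them in sync if either changes. The shift is also evaluated as `int` before the multiply by `sizeof(struct rte_mbuf *)`, so a `(size_t)1` operand or a note on the maximum `log2_ring_size` would make the extra `+ 1` obviously safe.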
--
2.47.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2024-11-27 17:17:39.965604386 +0000
+++ 0054-net-memif-fix-buffer-overflow-in-zero-copy-Rx.patch 2024-11-27 17:17:38.228269389 +0000
@@ -1 +1 @@
-From b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 Mon Sep 17 00:00:00 2001
+From bf824c00c996be87956b82754b1b865dd48819de Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b92b18b76858ed58ebe9c5dea9dedf9a99e7e0e2 ]
+
@@ -17 +18,0 @@
-Cc: stable at dpdk.org
@@ -27 +28 @@
-index 7b3a20af68..2e909c48a8 100644
+index 296e6528b6..13eacdbc33 100644
@@ -30,2 +31,2 @@
-@@ -1012,4 +1012,5 @@ Michel Machado <michel at digirati.com.br>
- Midde Ajijur Rehaman <ajijurx.rehaman.midde at intel.com>
+@@ -932,4 +932,5 @@ Michal Wilczynski <michal.wilczynski at intel.com>
+ Michel Machado <michel at digirati.com.br>
@@ -37 +38 @@
-index e220ffaf92..cd722f254f 100644
+index 88908a42a5..fbef44cdb8 100644
@@ -40 +41 @@
-@@ -601,4 +601,8 @@ refill:
+@@ -535,4 +535,8 @@ refill:
@@ -49 +50 @@
-@@ -1246,6 +1250,10 @@ memif_init_queues(struct rte_eth_dev *dev)
+@@ -1131,6 +1135,10 @@ memif_init_queues(struct rte_eth_dev *dev)
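
The 2x-array and copy-back scheme described in the commit message, as an added stand-alone example (not DPDK code and not from the patch author). `RING_SIZE`, `bulk_alloc`, `refill` and `demo` are hypothetical names, integer ids stand in for mbuf pointers, and the `n_slots <= RING_SIZE` check is an assumption added here to make the bound explicit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE 8u                 /* constructed: power-of-two ring */
#define MASK      (RING_SIZE - 1u)
static uintptr_t next_id = 1;        /* stand-in values for mbuf pointers */

/* Stand-in bulk allocator: fills n contiguous entries, no wrap-around. */
static int bulk_alloc(void **dst, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        dst[i] = (void *)next_id++;
    return 0;
}

/* Refill n_slots entries from head. bufs must hold 2 * RING_SIZE pointers;
 * spare-half entries are copied back. Returns entries wrapped, or -1. */
static int refill(void **bufs, uint16_t head, unsigned n_slots)
{
    unsigned start = head & MASK;
    if (n_slots > RING_SIZE)         /* overhang must fit the spare half */
        return -1;
    if (bulk_alloc(&bufs[start], n_slots) < 0)
        return -1;
    if (n_slots <= RING_SIZE - start)
        return 0;
    unsigned over = n_slots + start - RING_SIZE;
    memcpy(bufs, &bufs[RING_SIZE], over * sizeof(void *));
    return (int)over;
}

/* Head at slot 6 of 8, refill 5: ids 1,2 fill slots 6,7 and 3,4,5 fill 0,1,2. */
static int demo(uintptr_t out[RING_SIZE])
{
    void **bufs = calloc(2 * RING_SIZE, sizeof(void *));
    if (bufs == NULL) return -1;
    next_id = 1;
    int wrapped = refill(bufs, 6, 5);
    for (unsigned i = 0; i < RING_SIZE; i++)
        out[i] = (uintptr_t)bufs[i];
    free(bufs);
    return wrapped;
}

int main(void)
{
    uintptr_t out[RING_SIZE];
    return demo(out) == 3 ? 0 : 1;
}
```

With a single-length array the same call would have written three pointers past the end of the allocation; here the highest index written is `start + n_slots - 1`, which the bound check keeps below `2 * RING_SIZE`.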