Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/133442/?format=api
{ "id": 133442, "url": "http://patchwork.dpdk.org/api/patches/133442/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/bug-1306-3@http.bugs.dpdk.org%252F/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<bug-1306-3@http.bugs.dpdk.org/>", "list_archive_url": "https://inbox.dpdk.org/dev/bug-1306-3@http.bugs.dpdk.org/", "date": "2023-10-27T02:45:21", "name": "[Bug,1306] hash: internal hash key pointer overflow", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "557d26ab15772fcb17a2b31dc88ce28cb5ac3ae0", "submitter": { "id": 1046, "url": "http://patchwork.dpdk.org/api/people/1046/?format=api", "name": null, "email": "bugzilla@dpdk.org" }, "delegate": { "id": 1, "url": "http://patchwork.dpdk.org/api/users/1/?format=api", "username": "tmonjalo", "first_name": "Thomas", "last_name": "Monjalon", "email": "thomas@monjalon.net" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/bug-1306-3@http.bugs.dpdk.org%252F/mbox/", "series": [ { "id": 30014, "url": "http://patchwork.dpdk.org/api/series/30014/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=30014", "date": "2023-10-27T02:45:21", "name": "[Bug,1306] hash: internal hash key pointer overflow", "version": 1, "mbox": "http://patchwork.dpdk.org/series/30014/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/133442/comments/", "check": "warning", "checks": "http://patchwork.dpdk.org/api/patches/133442/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 3BF1F4320F;\n\tFri, 27 Oct 2023 04:45:22 +0200 (CEST)", "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 0CE7E4025E;\n\tFri, 27 Oct 2023 04:45:22 +0200 (CEST)", "from inbox.dpdk.org (inbox.dpdk.org [95.142.172.178])\n by mails.dpdk.org (Postfix) with ESMTP id 94F764003C\n for <dev@dpdk.org>; Fri, 27 Oct 2023 04:45:21 +0200 (CEST)", "by inbox.dpdk.org (Postfix, from userid 33)\n id 8358A43210; Fri, 27 Oct 2023 04:45:21 +0200 (CEST)" ], "From": "bugzilla@dpdk.org", "To": "dev@dpdk.org", "Subject": "[Bug 1306] hash: internal hash key pointer overflow", "Date": "Fri, 27 Oct 2023 02:45:21 +0000", "X-Bugzilla-Reason": "AssignedTo", "X-Bugzilla-Type": "new", "X-Bugzilla-Watch-Reason": "None", "X-Bugzilla-Product": "DPDK", "X-Bugzilla-Component": "other", "X-Bugzilla-Version": "23.11", "X-Bugzilla-Keywords": "", "X-Bugzilla-Severity": "normal", "X-Bugzilla-Who": "sz.kim@navercorp.com", "X-Bugzilla-Status": "UNCONFIRMED", "X-Bugzilla-Resolution": "", "X-Bugzilla-Priority": "Normal", "X-Bugzilla-Assigned-To": "dev@dpdk.org", "X-Bugzilla-Target-Milestone": "---", "X-Bugzilla-Flags": "", "X-Bugzilla-Changed-Fields": "bug_id short_desc product version rep_platform\n op_sys bug_status bug_severity priority component assigned_to reporter\n target_milestone", "Message-ID": "<bug-1306-3@http.bugs.dpdk.org/>", "Content-Type": "multipart/alternative; boundary=16983747210.4EC6.441228", "Content-Transfer-Encoding": "7bit", "X-Bugzilla-URL": "http://bugs.dpdk.org/", "Auto-Submitted": "auto-generated", "X-Auto-Response-Suppress": "All", "MIME-Version": "1.0", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org" }, "content": "https://bugs.dpdk.org/show_bug.cgi?id=1306\n\n Bug ID: 1306\n Summary: hash: internal hash key pointer overflow\n Product: DPDK\n Version: 23.11\n Hardware: All\n OS: All\n Status: UNCONFIRMED\n Severity: normal\n Priority: Normal\n Component: other\n Assignee: dev@dpdk.org\n Reporter: sz.kim@navercorp.com\n Target Milestone: ---\n\nHello,\nI discovered that an overflow occurred in an internal variable used in the hash\nlibrary.\n\nIf the value of [slot_id * h->key_entry_size] is more than 32 bits,\nthe pointer of [new_k] will be entered with the wrong value.\nTherefore, type casting to uint64_t is required for the calculation result.\n\n- free_slots = 1 to total entries\n- slot_id = total entries or less\n- key_entry_size = sizeof(rte_hash_key) + sizeof(user key)\n\nThe above three variables are the internal values of the DPDK HASH.\nThe free_slots is a ring structure, filled with 1 to total entries.\nThe values of free_slots is used by slot_id.\nAnd the key_entry_size becomes the size of the key value set by the user.\n\nThe following example shows a situation where the issue occurs.\n\nExample)\n- global variable :\n entries = 2^28\n key_entry_size = 32\n\n- no issue case :\n 2^26(slot_id) * 32(key_entry_size) = 0x80000000 (32bit)\n\n- issue case :\n 2^27(slot_id) * 32(key_entry_size) = 0x100000000 (33bit)\n 2^28(slot_id) * 32(key_entry_size) = 0x200000000 (34bit)\n\n\nI think it should be changed as follows diff code. Is that correct?\n\n\nSigned-off-by: SeongJoong Kim <sz.kim@navercorp.com>\n---\nlib/hash/rte_cuckoo_hash.c | 38 +++++++++++++++++++-------------------\n1 file changed, 19 insertions(+), 19 deletions(-)\n\n * should not leak after the store to pdata\n@@ -1071,7 +1071,7 @@ __rte_hash_add_key_with_hash(const struct rte_hash *h,\nconst void *key,\n return -ENOSPC;\n }\n\n- new_k = RTE_PTR_ADD(keys, slot_id * h->key_entry_size);\n+ new_k = RTE_PTR_ADD(keys, (uint64_t) slot_id * h->key_entry_size);\n /* The store to application data (by the application) at *data should\n * not leak after the store of pdata in the key store. i.e. pdata is\n * the guard variable. Release the application data to the readers.\n@@ -1256,7 +1256,7 @@ search_one_bucket_l(const struct rte_hash *h, const void\n*key,\n if (bkt->sig_current[i] == sig &&\n bkt->key_idx[i] != EMPTY_SLOT) {\n k = (struct rte_hash_key *) ((char *)keys +\n- bkt->key_idx[i] * h->key_entry_size);\n+ (uint64_t) bkt->key_idx[i] * h->key_entry_size);\n\n if (rte_hash_cmp_eq(key, k->key, h) == 0) {\n if (data != NULL)\n@@ -1294,7 +1294,7 @@ search_one_bucket_lf(const struct rte_hash *h, const void\n*key, uint16_t sig,\n __ATOMIC_ACQUIRE);\n if (key_idx != EMPTY_SLOT) {\n k = (struct rte_hash_key *) ((char *)keys +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n\n if (rte_hash_cmp_eq(key, k->key, h) == 0) {\n if (data != NULL) {\n@@ -1492,7 +1492,7 @@ __hash_rcu_qsbr_free_resource(void *p, void *e, unsigned\nint n)\n keys = h->key_store;\n\n k = (struct rte_hash_key *) ((char *)keys +\n- rcu_dq_entry.key_idx * h->key_entry_size);\n+ (uint64_t) rcu_dq_entry.key_idx * h->key_entry_size);\n key_data = k->pdata;\n if (h->hash_rcu_cfg->free_key_data_func)\n h->hash_rcu_cfg->free_key_data_func(h->hash_rcu_cfg->key_data_ptr,\n@@ -1654,7 +1654,7 @@ search_and_remove(const struct rte_hash *h, const void\n*key,\n __ATOMIC_ACQUIRE);\n if (bkt->sig_current[i] == sig && key_idx != EMPTY_SLOT) {\n k = (struct rte_hash_key *) ((char *)keys +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n if (rte_hash_cmp_eq(key, k->key, h) == 0) {\n bkt->sig_current[i] = NULL_SIGNATURE;\n /* Free the key store index if\n@@ -1806,8 +1806,8 @@ rte_hash_get_key_with_position(const struct rte_hash *h,\nconst int32_t position,\n RETURN_IF_TRUE(((h == NULL) || (key == NULL)), -EINVAL);\n\n struct rte_hash_key *k, *keys = h->key_store;\n- k = (struct rte_hash_key *) ((char *) keys + (position + 1) *\n- h->key_entry_size);\n+ k = (struct rte_hash_key *) ((char *) keys +\n+ (uint64_t) (position + 1) * h->key_entry_size);\n *key = k->key;\n\n if (position !=\n@@ -1934,7 +1934,7 @@ __bulk_lookup_l(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n rte_prefetch0(key_slot);\n continue;\n }\n@@ -1948,7 +1948,7 @@ __bulk_lookup_l(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n rte_prefetch0(key_slot);\n }\n }\n@@ -1965,7 +1965,7 @@ __bulk_lookup_l(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n\n /*\n * If key index is 0, do not compare key,\n@@ -1993,7 +1993,7 @@ __bulk_lookup_l(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n\n /*\n * If key index is 0, do not compare key,\n@@ -2091,7 +2091,7 @@ __bulk_lookup_lf(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n rte_prefetch0(key_slot);\n continue;\n }\n@@ -2105,7 +2105,7 @@ __bulk_lookup_lf(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n rte_prefetch0(key_slot);\n }\n }\n@@ -2123,7 +2123,7 @@ __bulk_lookup_lf(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n\n /*\n * If key index is 0, do not compare key,\n@@ -2155,7 +2155,7 @@ __bulk_lookup_lf(const struct rte_hash *h, const void\n**keys,\n const struct rte_hash_key *key_slot =\n (const struct rte_hash_key *)(\n (const char *)h->key_store +\n- key_idx * h->key_entry_size);\n+ (uint64_t) key_idx * h->key_entry_size);\n\n /*\n * If key index is 0, do not compare key,\n@@ -2506,7 +2506,7 @@ rte_hash_iterate(const struct rte_hash *h, const void\n**key, void **data, uint32\n\n __hash_rw_reader_lock(h);\n next_key = (struct rte_hash_key *) ((char *)h->key_store +\n- position * h->key_entry_size);\n+ (uint64_t) position * h->key_entry_size);\n /* Return key and data */\n *key = next_key->key;\n *data = next_key->pdata;\n@@ -2537,7 +2537,7 @@ rte_hash_iterate(const struct rte_hash *h, const void\n**key, void **data, uint32\n }\n __hash_rw_reader_lock(h);\n next_key = (struct rte_hash_key *) ((char *)h->key_store +\n- position * h->key_entry_size);\n+ (uint64_t) position * h->key_entry_size);\n /* Return key and data */\n *key = next_key->key;\n *data = next_key->pdata;\n--\n2.31.1", "diff": "diff --git a/lib/hash/rte_cuckoo_hash.c b/lib/hash/rte_cuckoo_hash.c\nindex d92a903bb3..10ffa500d2 100644\n--- a/lib/hash/rte_cuckoo_hash.c\n+++ b/lib/hash/rte_cuckoo_hash.c\n@@ -636,7 +636,7 @@ rte_hash_reset(struct rte_hash *h)\n }\n\n memset(h->buckets, 0, h->num_buckets * sizeof(struct rte_hash_bucket));\n- memset(h->key_store, 0, h->key_entry_size * (h->entries + 1));\n+ memset(h->key_store, 0, (uint64_t) h->key_entry_size * (h->entries + 1));\n *h->tbl_chng_cnt = 0;\n\n /* reset the free ring */\n@@ -705,7 +705,7 @@ search_and_update(const struct rte_hash *h, void *data,\nconst void *key,\n for (i = 0; i < RTE_HASH_BUCKET_ENTRIES; i++) {\n if (bkt->sig_current[i] == sig) {\n k = (struct rte_hash_key *) ((char *)keys +\n- bkt->key_idx[i] * h->key_entry_size);\n+ (uint64_t) bkt->key_idx[i] * h->key_entry_size);\n if (rte_hash_cmp_eq(key, k->key, h) == 0) {\n /* The store to application data at *data\n", "prefixes": [ "Bug", "1306" ] }