From patchwork Fri Jun 28 21:01:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mihai Brodschi
X-Patchwork-Id: 141979
X-Patchwork-Delegate: ferruh.yigit@amd.com
Date: Sat, 29 Jun 2024 00:01:29 +0300
To: Jakub Grajciar, Ferruh Yigit
Cc: dev@dpdk.org, Mihai Brodschi, stable@dpdk.org
From: Mihai Brodschi
Subject: [PATCH v2] net/memif: fix buffer overflow in zero copy Rx
List-Id: DPDK patches and discussions

rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate
new mbufs to be provided to the sender. The allocated mbuf pointers
are stored in a ring, but the alloc function doesn't implement index
wrap-around, so it writes past the end of the array. This results in
memory corruption and duplicate mbufs being received.

Allocate 2x the space for the mbuf ring, so that the alloc function
has a contiguous array to write to, then copy the excess entries
to the start of the array.

Fixes: 43b815d88188 ("net/memif: support zero-copy slave")
Cc: stable@dpdk.org
Signed-off-by: Mihai Brodschi Reviewed-by: Ferruh Yigit --- v2: - fix email formatting --- drivers/net/memif/rte_eth_memif.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c index 16da22b5c6..3491c53cf1 100644 --- a/drivers/net/memif/rte_eth_memif.c +++ b/drivers/net/memif/rte_eth_memif.c @@ -600,6 +600,10 @@ eth_memif_rx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots); if (unlikely(ret < 0)) goto no_free_mbufs; + if (unlikely(n_slots > ring_size - (head & mask))) { + rte_memcpy(mq->buffers, &mq->buffers[ring_size], + (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *)); + } while (n_slots--) { s0 = head++ & mask; @@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev) } mq->buffers = NULL; if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) { + /* + * Allocate 2x ring_size to reserve a contiguous array for + * rte_pktmbuf_alloc_bulk (to store allocated mbufs). + */ mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) * - (1 << mq->log2_ring_size), 0); + (1 << (mq->log2_ring_size + 1)), 0); if (mq->buffers == NULL) return -ENOMEM; }
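
Review bot: In the eth_memif_rx_zc hunk, the new copy-back after rte_pktmbuf_alloc_bulk is only safe if n_slots never exceeds ring_size, and nothing in the visible lines checks or states that bound. With the doubled allocation from memif_init_queues, the bulk write starting at &mq->buffers[head & mask] stays inside the array only while (head & mask) + n_slots <= 2 * ring_size, so a short comment above `if (unlikely(n_slots > ring_size - (head & mask)))` stating that invariant, or a debug assertion on n_slots <= ring_size, would make it reviewable. The comment could also say that the entries left at &mq->buffers[ring_size] after the rte_memcpy are stale copies of pointers now held in the lower half, so teardown code must walk only the first ring_size slots.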
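
Review bot: In the memif_init_queues hunk, the added comment explains why the array is doubled but not that only the first ring_size entries are ever live. Suggest saying that the upper half is scratch space for rte_pktmbuf_alloc_bulk and that eth_memif_rx_zc copies wrapped entries back to the start of mq->buffers, so later readers do not index or free the upper half. Style point on the same statement: `(1 << (mq->log2_ring_size + 1))` shifts a signed int before the multiply by sizeof(struct rte_mbuf *); writing it as `((size_t)2 << mq->log2_ring_size)` reads more directly as twice the ring and avoids the signed shift.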