patch 'net/bnxt: fix array overflow' has been queued to stable release 22.11.5
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Thu Mar 7 02:31:42 CET 2024
Hi,
FYI, your patch has been queued to stable release 22.11.5
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/09/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/f94b1dffa15c635729503ca1803fbbd89d6887c5
Thanks.
Luca Boccassi
---
>From f94b1dffa15c635729503ca1803fbbd89d6887c5 Mon Sep 17 00:00:00 2001
From: Ajit Khaparde <ajit.khaparde at broadcom.com>
Date: Mon, 11 Dec 2023 09:11:03 -0800
Subject: [PATCH] net/bnxt: fix array overflow
[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]
In some cases the number of elements in the context memory array
can exceed the MAX_CTX_PAGES and that can cause the static members
ctx_pg_arr and ctx_dma_arr to overflow.
Allocate them dynamically to prevent this overflow.
Fixes: f8168ca0e690 ("net/bnxt: support thor controller")
Signed-off-by: Ajit Khaparde <ajit.khaparde at broadcom.com>
Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli at broadcom.com>
---
drivers/net/bnxt/bnxt.h | 4 ++--
drivers/net/bnxt/bnxt_ethdev.c | 42 +++++++++++++++++++++++++++-------
2 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/drivers/net/bnxt/bnxt.h b/drivers/net/bnxt/bnxt.h
index c9aa45ed3b..df6442abc4 100644
--- a/drivers/net/bnxt/bnxt.h
+++ b/drivers/net/bnxt/bnxt.h
@@ -441,8 +441,8 @@ struct bnxt_ring_mem_info {
struct bnxt_ctx_pg_info {
uint32_t entries;
- void *ctx_pg_arr[MAX_CTX_PAGES];
- rte_iova_t ctx_dma_arr[MAX_CTX_PAGES];
+ void **ctx_pg_arr;
+ rte_iova_t *ctx_dma_arr;
struct bnxt_ring_mem_info ring_mem;
};
diff --git a/drivers/net/bnxt/bnxt_ethdev.c b/drivers/net/bnxt/bnxt_ethdev.c
index e3ba48ac0b..c89a31592a 100644
--- a/drivers/net/bnxt/bnxt_ethdev.c
+++ b/drivers/net/bnxt/bnxt_ethdev.c
@@ -4702,7 +4702,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
{
struct bnxt_ring_mem_info *rmem = &ctx_pg->ring_mem;
const struct rte_memzone *mz = NULL;
- char mz_name[RTE_MEMZONE_NAMESIZE];
+ char name[RTE_MEMZONE_NAMESIZE];
rte_iova_t mz_phys_addr;
uint64_t valid_bits = 0;
uint32_t sz;
@@ -4714,6 +4714,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
rmem->nr_pages = RTE_ALIGN_MUL_CEIL(mem_size, BNXT_PAGE_SIZE) /
BNXT_PAGE_SIZE;
rmem->page_size = BNXT_PAGE_SIZE;
+
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_pg_arr%s_%x_%d",
+ suffix, idx, bp->eth_dev->data->port_id);
+ ctx_pg->ctx_pg_arr = rte_zmalloc(name, sizeof(void *) * rmem->nr_pages, 0);
+ if (ctx_pg->ctx_pg_arr == NULL)
+ return -ENOMEM;
+
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_dma_arr%s_%x_%d",
+ suffix, idx, bp->eth_dev->data->port_id);
+ ctx_pg->ctx_dma_arr = rte_zmalloc(name, sizeof(rte_iova_t *) * rmem->nr_pages, 0);
+ if (ctx_pg->ctx_dma_arr == NULL)
+ return -ENOMEM;
+
rmem->pg_arr = ctx_pg->ctx_pg_arr;
rmem->dma_arr = ctx_pg->ctx_dma_arr;
rmem->flags = BNXT_RMEM_VALID_PTE_FLAG;
@@ -4721,13 +4734,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
valid_bits = PTU_PTE_VALID;
if (rmem->nr_pages > 1) {
- snprintf(mz_name, RTE_MEMZONE_NAMESIZE,
+ snprintf(name, RTE_MEMZONE_NAMESIZE,
"bnxt_ctx_pg_tbl%s_%x_%d",
suffix, idx, bp->eth_dev->data->port_id);
- mz_name[RTE_MEMZONE_NAMESIZE - 1] = 0;
- mz = rte_memzone_lookup(mz_name);
+ name[RTE_MEMZONE_NAMESIZE - 1] = 0;
+ mz = rte_memzone_lookup(name);
if (!mz) {
- mz = rte_memzone_reserve_aligned(mz_name,
+ mz = rte_memzone_reserve_aligned(name,
rmem->nr_pages * 8,
bp->eth_dev->device->numa_node,
RTE_MEMZONE_2MB |
@@ -4746,11 +4759,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
rmem->pg_tbl_mz = mz;
}
- snprintf(mz_name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
+ snprintf(name, RTE_MEMZONE_NAMESIZE, "bnxt_ctx_%s_%x_%d",
suffix, idx, bp->eth_dev->data->port_id);
- mz = rte_memzone_lookup(mz_name);
+ mz = rte_memzone_lookup(name);
if (!mz) {
- mz = rte_memzone_reserve_aligned(mz_name,
+ mz = rte_memzone_reserve_aligned(name,
mem_size,
bp->eth_dev->device->numa_node,
RTE_MEMZONE_1GB |
@@ -4796,6 +4809,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
return;
bp->ctx->flags &= ~BNXT_CTX_FLAG_INITED;
+ rte_free(bp->ctx->qp_mem.ctx_pg_arr);
+ rte_free(bp->ctx->srq_mem.ctx_pg_arr);
+ rte_free(bp->ctx->cq_mem.ctx_pg_arr);
+ rte_free(bp->ctx->vnic_mem.ctx_pg_arr);
+ rte_free(bp->ctx->stat_mem.ctx_pg_arr);
+ rte_free(bp->ctx->qp_mem.ctx_dma_arr);
+ rte_free(bp->ctx->srq_mem.ctx_dma_arr);
+ rte_free(bp->ctx->cq_mem.ctx_dma_arr);
+ rte_free(bp->ctx->vnic_mem.ctx_dma_arr);
+ rte_free(bp->ctx->stat_mem.ctx_dma_arr);
+
rte_memzone_free(bp->ctx->qp_mem.ring_mem.mz);
rte_memzone_free(bp->ctx->srq_mem.ring_mem.mz);
rte_memzone_free(bp->ctx->cq_mem.ring_mem.mz);
@@ -4808,6 +4832,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
rte_memzone_free(bp->ctx->stat_mem.ring_mem.pg_tbl_mz);
for (i = 0; i < bp->ctx->tqm_fp_rings_count + 1; i++) {
+ rte_free(bp->ctx->tqm_mem[i]->ctx_pg_arr);
+ rte_free(bp->ctx->tqm_mem[i]->ctx_dma_arr);
if (bp->ctx->tqm_mem[i])
rte_memzone_free(bp->ctx->tqm_mem[i]->ring_mem.mz);
}
--
2.39.2
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2024-03-07 01:05:41.948228166 +0000
+++ 0085-net-bnxt-fix-array-overflow.patch 2024-03-07 01:05:34.958943412 +0000
@@ -1 +1 @@
-From 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 Mon Sep 17 00:00:00 2001
+From f94b1dffa15c635729503ca1803fbbd89d6887c5 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4371b402c7bdbe821fff77e3c08e2faba67cb9b3 ]
+
@@ -12 +13,0 @@
-Cc: stable at dpdk.org
@@ -22 +23 @@
-index 50f59552fa..dd08393b82 100644
+index c9aa45ed3b..df6442abc4 100644
@@ -25 +26 @@
-@@ -455,8 +455,8 @@ struct bnxt_ring_mem_info {
+@@ -441,8 +441,8 @@ struct bnxt_ring_mem_info {
@@ -37 +38 @@
-index b0589e2e49..762d863f14 100644
+index e3ba48ac0b..c89a31592a 100644
@@ -40 +41 @@
-@@ -4769,7 +4769,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4702,7 +4702,7 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -49 +50 @@
-@@ -4781,6 +4781,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4714,6 +4714,19 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -69 +70 @@
-@@ -4788,13 +4801,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4721,13 +4734,13 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -87 +88 @@
-@@ -4813,11 +4826,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
+@@ -4746,11 +4759,11 @@ static int bnxt_alloc_ctx_mem_blk(struct bnxt *bp,
@@ -102 +103 @@
-@@ -4863,6 +4876,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4796,6 +4809,17 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
@@ -120 +121 @@
-@@ -4875,6 +4899,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
+@@ -4808,6 +4832,8 @@ static void bnxt_free_ctx_mem(struct bnxt *bp)
More information about the stable
mailing list