packages/dpdk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-28199

Browse Source
This commit is contained in:
jiangheng 2022-09-09 17:11:01 +08:00
parent 5911f0258a
commit 43d0ce1edf
4 changed files with 147 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
backport-0001-CVE-2022-2132.patch
View File

@ -15,6 +15,8 @@ Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com> Acked-by: Chenbo Xia <chenbo.xia@intel.com>
Reviewed-by: David Marchand <david.marchand@redhat.com> Reviewed-by: David Marchand <david.marchand@redhat.com>
Conflict: NA
Reference: https://git.dpdk.org/dpdk-stable/commit/?id=e12d415556
--- ---
lib/vhost/virtio_net.c | 41 +++++++++++++---------------------------- lib/vhost/virtio_net.c | 41 +++++++++++++----------------------------
1 file changed, 13 insertions(+), 28 deletions(-) 1 file changed, 13 insertions(+), 28 deletions(-)

2
backport-0002-CVE-2022-2132.patch
View File

@ -22,6 +22,8 @@ Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring")
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com> Acked-by: Chenbo Xia <chenbo.xia@intel.com>
Reviewed-by: David Marchand <david.marchand@redhat.com> Reviewed-by: David Marchand <david.marchand@redhat.com>
Conflict: NA
Reference: https://git.dpdk.org/dpdk-stable/commit/?id=f16702260
--- ---
lib/vhost/virtio_net.c | 21 +++++++++++++++++---- lib/vhost/virtio_net.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-) 1 file changed, 17 insertions(+), 4 deletions(-)

138
backport-CVE-2022-28199.patch Normal file
View File

@ -0,0 +1,138 @@
From 25c01bd32374b0c3cbc260f3e3872408d749cb45 Mon Sep 17 00:00:00 2001
From: Matan Azrad <matan@nvidia.com>
Date: Thu, 11 Aug 2022 19:59:18 +0300
Subject: [PATCH] net/mlx5: fix Rx queue recovery mechanism
[ upstream commit 60b254e3923d007bcadbb8d410f95ad89a2f13fa ]
The local variables are getting inconsistent in data receiving routines
after queue error recovery.
Receive queue consumer index is getting wrong, need to reset one to the
size of the queue (as RQ was fully replenished in recovery procedure).
In MPRQ case, also the local consumed strd variable should be reset.
CVE-2022-28199
Fixes: 88c0733535d6 ("net/mlx5: extend Rx completion with error handling")
Signed-off-by: Alexander Kozyrev <akozyrev@nvidia.com>
Signed-off-by: Matan Azrad <matan@nvidia.com>
Conflict: NA
Reference: https://git.dpdk.org/dpdk-stable/commit/?id=25c01db32374
---
drivers/net/mlx5/mlx5_rx.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/drivers/net/mlx5/mlx5_rx.c b/drivers/net/mlx5/mlx5_rx.c
index f388fcc313..9fcd039c22 100644
--- a/drivers/net/mlx5/mlx5_rx.c
+++ b/drivers/net/mlx5/mlx5_rx.c
@@ -390,6 +390,11 @@ mlx5_rxq_initialize(struct mlx5_rxq_data *rxq)
*rxq->rq_db = rte_cpu_to_be_32(rxq->rq_ci);
}
+/* Must be negative. */
+#define MLX5_ERROR_CQE_RET (-1)
+/* Must not be negative. */
+#define MLX5_RECOVERY_ERROR_RET 0
+
/**
* Handle a Rx error.
* The function inserts the RQ state to reset when the first error CQE is
@@ -404,7 +409,7 @@ mlx5_rxq_initialize(struct mlx5_rxq_data *rxq)
* 0 when called from non-vectorized Rx burst.
*
* @return
- * -1 in case of recovery error, otherwise the CQE status.
+ * MLX5_RECOVERY_ERROR_RET in case of recovery error, otherwise the CQE status.
*/
int
mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
@@ -433,7 +438,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
sm.queue_id = rxq->idx;
sm.state = IBV_WQS_RESET;
if (mlx5_queue_state_modify(RXQ_DEV(rxq_ctrl), &sm))
- return -1;
+ return MLX5_RECOVERY_ERROR_RET;
if (rxq_ctrl->dump_file_n <
RXQ_PORT(rxq_ctrl)->config.max_dump_files_num) {
MKSTR(err_str, "Unexpected CQE error syndrome "
@@ -473,7 +478,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
sm.queue_id = rxq->idx;
sm.state = IBV_WQS_RDY;
if (mlx5_queue_state_modify(RXQ_DEV(rxq_ctrl), &sm))
- return -1;
+ return MLX5_RECOVERY_ERROR_RET;
if (vec) {
const uint32_t elts_n =
mlx5_rxq_mprq_enabled(rxq) ?
@@ -501,7 +506,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
rte_pktmbuf_free_seg
(*elt);
}
- return -1;
+ return MLX5_RECOVERY_ERROR_RET;
}
}
for (i = 0; i < (int)elts_n; ++i) {
@@ -520,7 +525,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
}
return ret;
default:
- return -1;
+ return MLX5_RECOVERY_ERROR_RET;
}
}
@@ -538,7 +543,9 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
* written.
*
* @return
- * 0 in case of empty CQE, otherwise the packet size in bytes.
+ * 0 in case of empty CQE, MLX5_ERROR_CQE_RET in case of error CQE,
+ * otherwise the packet size in regular RxQ, and striding byte
+ * count format in mprq case.
*/
static inline int
mlx5_rx_poll_len(struct mlx5_rxq_data *rxq, volatile struct mlx5_cqe *cqe,
@@ -605,8 +612,8 @@ mlx5_rx_poll_len(struct mlx5_rxq_data *rxq, volatile struct mlx5_cqe *cqe,
rxq->err_state)) {
ret = mlx5_rx_err_handle(rxq, 0);
if (ret == MLX5_CQE_STATUS_HW_OWN ||
- ret == -1)
- return 0;
+ ret == MLX5_RECOVERY_ERROR_RET)
+ return MLX5_ERROR_CQE_RET;
} else {
return 0;
}
@@ -851,8 +858,10 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
if (!pkt) {
cqe = &(*rxq->cqes)[rxq->cq_ci & cqe_cnt];
len = mlx5_rx_poll_len(rxq, cqe, cqe_cnt, &mcqe);
- if (!len) {
+ if (len <= 0) {
rte_mbuf_raw_free(rep);
+ if (unlikely(len == MLX5_ERROR_CQE_RET))
+ rq_ci = rxq->rq_ci << sges_n;
break;
}
pkt = seg;
@@ -1075,8 +1084,13 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
}
cqe = &(*rxq->cqes)[rxq->cq_ci & cq_mask];
ret = mlx5_rx_poll_len(rxq, cqe, cq_mask, &mcqe);
- if (!ret)
+ if (ret == 0)
+ break;
+ if (unlikely(ret == MLX5_ERROR_CQE_RET)) {
+ rq_ci = rxq->rq_ci;
+ consumed_strd = rxq->consumed_strd;
break;
+ }
byte_cnt = ret;
len = (byte_cnt & MLX5_MPRQ_LEN_MASK) >> MLX5_MPRQ_LEN_SHIFT;
MLX5_ASSERT((int)len >= (rxq->crc_present << 2));
--
2.23.0

6
dpdk.spec
View File

@ -1,6 +1,6 @@
Name: dpdk Name: dpdk
Version: 21.11 Version: 21.11
Release: 15 Release: 16
Packager: packaging@6wind.com Packager: packaging@6wind.com
URL: http://dpdk.org URL: http://dpdk.org
%global source_version 21.11 %global source_version 21.11
@ -133,6 +133,7 @@ Patch6001: CVE-2021-3839.patch
Patch6002: CVE-2022-0669.patch Patch6002: CVE-2022-0669.patch
Patch6003: backport-0001-CVE-2022-2132.patch Patch6003: backport-0001-CVE-2022-2132.patch
Patch6004: backport-0002-CVE-2022-2132.patch Patch6004: backport-0002-CVE-2022-2132.patch
Patch6005: backport-CVE-2022-28199.patch
Summary: Data Plane Development Kit core Summary: Data Plane Development Kit core
Group: System Environment/Libraries Group: System Environment/Libraries
@ -254,6 +255,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/%{kern_devel_ver}/extra/dpdk/igb_uio.ko
/usr/sbin/depmod /usr/sbin/depmod
%changelog %changelog
* Fri Sep 09 2022 jiangheng <jiangheng14@huawei.com> - 21.11-16
- fix CVE-2022-28199
* Thu Sep 08 2022 jiangheng <jiangheng14@huawei.com> - 21.11-15 * Thu Sep 08 2022 jiangheng <jiangheng14@huawei.com> - 21.11-15
- fix CVE-2022-2132 - fix CVE-2022-2132