import dpdk-21.11-3.el8
This commit is contained in:
parent
b6c7d4f609
commit
660ca4780c
78
SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
Normal file
78
SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From f167022606b5ccca27a627ae599538ce2348ef67 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
|
||||
From: Maxime Coquelin <maxime.coquelin@redhat.com>
|
||||
Date: Thu, 16 Jun 2022 11:35:56 +0200
|
||||
Subject: [PATCH 1/2] vhost: discard too small descriptor chains
|
||||
|
||||
[ upstream commit 71bd0cc536ad6d84188d947d6f24c17400d8f623 ]
|
||||
|
||||
This patch discards descriptor chains which are smaller
|
||||
than the Virtio-net header size, and ones that are equal.
|
||||
|
||||
Indeed, such descriptor chains sizes mean there is no
|
||||
packet data.
|
||||
|
||||
This patch also has the advantage of requesting the exact
|
||||
packets sizes for the mbufs.
|
||||
|
||||
CVE-2022-2132
|
||||
Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
|
||||
Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
|
||||
Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring")
|
||||
|
||||
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
|
||||
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
|
||||
Reviewed-by: David Marchand <david.marchand@redhat.com>
|
||||
---
|
||||
lib/vhost/virtio_net.c | 21 +++++++++++++++++----
|
||||
1 file changed, 17 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
|
||||
index 858187d1b0..991a7a2bd4 100644
|
||||
--- a/lib/vhost/virtio_net.c
|
||||
+++ b/lib/vhost/virtio_net.c
|
||||
@@ -2334,10 +2334,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
||||
buf_addr = buf_vec[vec_idx].buf_addr;
|
||||
buf_len = buf_vec[vec_idx].buf_len;
|
||||
|
||||
- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
|
||||
- error = -1;
|
||||
- goto out;
|
||||
- }
|
||||
+ /*
|
||||
+ * The caller has checked the descriptors chain is larger than the
|
||||
+ * header size.
|
||||
+ */
|
||||
|
||||
if (virtio_net_with_host_offload(dev)) {
|
||||
if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
|
||||
@@ -2568,6 +2568,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
||||
|
||||
update_shadow_used_ring_split(vq, head_idx, 0);
|
||||
|
||||
+ if (unlikely(buf_len <= dev->vhost_hlen)) {
|
||||
+ dropped += 1;
|
||||
+ i++;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ buf_len -= dev->vhost_hlen;
|
||||
+
|
||||
err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len);
|
||||
if (unlikely(err)) {
|
||||
/*
|
||||
@@ -2771,6 +2779,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev,
|
||||
VHOST_ACCESS_RO) < 0))
|
||||
return -1;
|
||||
|
||||
+ if (unlikely(buf_len <= dev->vhost_hlen))
|
||||
+ return -1;
|
||||
+
|
||||
+ buf_len -= dev->vhost_hlen;
|
||||
+
|
||||
if (unlikely(virtio_dev_pktmbuf_prep(dev, pkts, buf_len))) {
|
||||
if (!allocerr_warned) {
|
||||
VHOST_LOG_DATA(ERR,
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,106 @@
|
||||
From e12d415556994d0901c317f6338ed2961185465f Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <e12d415556994d0901c317f6338ed2961185465f.1666780268.git.tredaelli@redhat.com>
|
||||
In-Reply-To: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
|
||||
References: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
|
||||
From: Maxime Coquelin <maxime.coquelin@redhat.com>
|
||||
Date: Thu, 16 Jun 2022 14:25:07 +0200
|
||||
Subject: [PATCH 2/2] vhost: fix header spanned across more than two
|
||||
descriptors
|
||||
|
||||
[ upstream commit dc1516e260a0df272b218392faf6db3cbf45e717 ]
|
||||
|
||||
This patch aims at supporting the unlikely case where a
|
||||
Virtio-net header is spanned across more than two
|
||||
descriptors.
|
||||
|
||||
CVE-2022-2132
|
||||
Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
|
||||
|
||||
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
|
||||
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
|
||||
Reviewed-by: David Marchand <david.marchand@redhat.com>
|
||||
---
|
||||
lib/vhost/virtio_net.c | 41 +++++++++++++----------------------------
|
||||
1 file changed, 13 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
|
||||
index 991a7a2bd4..bf4d75b4bd 100644
|
||||
--- a/lib/vhost/virtio_net.c
|
||||
+++ b/lib/vhost/virtio_net.c
|
||||
@@ -2322,25 +2322,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
||||
uint32_t buf_avail, buf_offset;
|
||||
uint64_t buf_addr, buf_len;
|
||||
uint32_t mbuf_avail, mbuf_offset;
|
||||
+ uint32_t hdr_remain = dev->vhost_hlen;
|
||||
uint32_t cpy_len;
|
||||
struct rte_mbuf *cur = m, *prev = m;
|
||||
struct virtio_net_hdr tmp_hdr;
|
||||
struct virtio_net_hdr *hdr = NULL;
|
||||
- /* A counter to avoid desc dead loop chain */
|
||||
- uint16_t vec_idx = 0;
|
||||
+ uint16_t vec_idx;
|
||||
struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
|
||||
int error = 0;
|
||||
|
||||
- buf_addr = buf_vec[vec_idx].buf_addr;
|
||||
- buf_len = buf_vec[vec_idx].buf_len;
|
||||
-
|
||||
/*
|
||||
* The caller has checked the descriptors chain is larger than the
|
||||
* header size.
|
||||
*/
|
||||
|
||||
if (virtio_net_with_host_offload(dev)) {
|
||||
- if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
|
||||
+ if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
|
||||
/*
|
||||
* No luck, the virtio-net header doesn't fit
|
||||
* in a contiguous virtual area.
|
||||
@@ -2348,34 +2345,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
|
||||
copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
|
||||
hdr = &tmp_hdr;
|
||||
} else {
|
||||
- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr);
|
||||
+ hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
|
||||
}
|
||||
}
|
||||
|
||||
- /*
|
||||
- * A virtio driver normally uses at least 2 desc buffers
|
||||
- * for Tx: the first for storing the header, and others
|
||||
- * for storing the data.
|
||||
- */
|
||||
- if (unlikely(buf_len < dev->vhost_hlen)) {
|
||||
- buf_offset = dev->vhost_hlen - buf_len;
|
||||
- vec_idx++;
|
||||
- buf_addr = buf_vec[vec_idx].buf_addr;
|
||||
- buf_len = buf_vec[vec_idx].buf_len;
|
||||
- buf_avail = buf_len - buf_offset;
|
||||
- } else if (buf_len == dev->vhost_hlen) {
|
||||
- if (unlikely(++vec_idx >= nr_vec))
|
||||
- goto out;
|
||||
- buf_addr = buf_vec[vec_idx].buf_addr;
|
||||
- buf_len = buf_vec[vec_idx].buf_len;
|
||||
+ for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
|
||||
+ if (buf_vec[vec_idx].buf_len > hdr_remain)
|
||||
+ break;
|
||||
|
||||
- buf_offset = 0;
|
||||
- buf_avail = buf_len;
|
||||
- } else {
|
||||
- buf_offset = dev->vhost_hlen;
|
||||
- buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen;
|
||||
+ hdr_remain -= buf_vec[vec_idx].buf_len;
|
||||
}
|
||||
|
||||
+ buf_addr = buf_vec[vec_idx].buf_addr;
|
||||
+ buf_len = buf_vec[vec_idx].buf_len;
|
||||
+ buf_offset = hdr_remain;
|
||||
+ buf_avail = buf_vec[vec_idx].buf_len - hdr_remain;
|
||||
+
|
||||
PRINT_PACKET(dev,
|
||||
(uintptr_t)(buf_addr + buf_offset),
|
||||
(uint32_t)buf_avail, 0);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -9,7 +9,7 @@
|
||||
#% define shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||
|
||||
%define ver 21.11
|
||||
%define rel 1
|
||||
%define rel 3
|
||||
|
||||
%define srcname dpdk
|
||||
|
||||
@ -26,8 +26,9 @@ Source: http://fast.dpdk.org/rel/dpdk-%{ver}.tar.xz
|
||||
# Only needed for creating snapshot tarballs, not used in build itself
|
||||
Source100: dpdk-snapshot.sh
|
||||
|
||||
# Patches only in dpdk package
|
||||
|
||||
# CVE-2022-2132
|
||||
Patch1: 0001-vhost-discard-too-small-descriptor-chains.patch
|
||||
Patch2: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
|
||||
|
||||
Summary: Set of libraries and drivers for fast packet processing
|
||||
|
||||
@ -340,6 +341,12 @@ rm -rf %{docdir}/html/.doctrees
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Dec 23 2022 Timothy Redaelli <tredaelli@redhat.com> - 21.11-3
|
||||
- Version bump just to be sure it's updated from dpdk-21.11-2.el8_7
|
||||
|
||||
* Wed Oct 26 2022 Timothy Redaelli <tredaelli@redhat.com> - 21.11-2
|
||||
- Backport fixes for CVE-2022-2132 (#2107171)
|
||||
|
||||
* Tue Nov 23 2021 David Marchand <david.marchand@redhat.com> - 21.11-1
|
||||
- Rebase to 21.11 (#2029497)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user