import dpdk-21.11-2.el8_7

This commit is contained in:
CentOS Sources 2023-01-16 04:02:20 -05:00 committed by Stepan Oksanichenko
parent 1cde36c233
commit b3fb893773
3 changed files with 191 additions and 3 deletions

View File

@ -0,0 +1,78 @@
From f167022606b5ccca27a627ae599538ce2348ef67 Mon Sep 17 00:00:00 2001
Message-Id: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Thu, 16 Jun 2022 11:35:56 +0200
Subject: [PATCH 1/2] vhost: discard too small descriptor chains
[ upstream commit 71bd0cc536ad6d84188d947d6f24c17400d8f623 ]
This patch discards descriptor chains which are smaller
than the Virtio-net header size, and ones that are equal.
Indeed, such descriptor chains sizes mean there is no
packet data.
This patch also has the advantage of requesting the exact
packets sizes for the mbufs.
CVE-2022-2132
Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring")
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
---
lib/vhost/virtio_net.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index 858187d1b0..991a7a2bd4 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2334,10 +2334,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
buf_addr = buf_vec[vec_idx].buf_addr;
buf_len = buf_vec[vec_idx].buf_len;
- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
- error = -1;
- goto out;
- }
+ /*
+ * The caller has checked the descriptors chain is larger than the
+ * header size.
+ */
if (virtio_net_with_host_offload(dev)) {
if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
@@ -2568,6 +2568,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
update_shadow_used_ring_split(vq, head_idx, 0);
+ if (unlikely(buf_len <= dev->vhost_hlen)) {
+ dropped += 1;
+ i++;
+ break;
+ }
+
+ buf_len -= dev->vhost_hlen;
+
err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len);
if (unlikely(err)) {
/*
@@ -2771,6 +2779,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev,
VHOST_ACCESS_RO) < 0))
return -1;
+ if (unlikely(buf_len <= dev->vhost_hlen))
+ return -1;
+
+ buf_len -= dev->vhost_hlen;
+
if (unlikely(virtio_dev_pktmbuf_prep(dev, pkts, buf_len))) {
if (!allocerr_warned) {
VHOST_LOG_DATA(ERR,
--
2.37.3

View File

@ -0,0 +1,106 @@
From e12d415556994d0901c317f6338ed2961185465f Mon Sep 17 00:00:00 2001
Message-Id: <e12d415556994d0901c317f6338ed2961185465f.1666780268.git.tredaelli@redhat.com>
In-Reply-To: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
References: <f167022606b5ccca27a627ae599538ce2348ef67.1666780268.git.tredaelli@redhat.com>
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Thu, 16 Jun 2022 14:25:07 +0200
Subject: [PATCH 2/2] vhost: fix header spanned across more than two
descriptors
[ upstream commit dc1516e260a0df272b218392faf6db3cbf45e717 ]
This patch aims at supporting the unlikely case where a
Virtio-net header is spanned across more than two
descriptors.
CVE-2022-2132
Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
---
lib/vhost/virtio_net.c | 41 +++++++++++++----------------------------
1 file changed, 13 insertions(+), 28 deletions(-)
diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index 991a7a2bd4..bf4d75b4bd 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -2322,25 +2322,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
uint32_t buf_avail, buf_offset;
uint64_t buf_addr, buf_len;
uint32_t mbuf_avail, mbuf_offset;
+ uint32_t hdr_remain = dev->vhost_hlen;
uint32_t cpy_len;
struct rte_mbuf *cur = m, *prev = m;
struct virtio_net_hdr tmp_hdr;
struct virtio_net_hdr *hdr = NULL;
- /* A counter to avoid desc dead loop chain */
- uint16_t vec_idx = 0;
+ uint16_t vec_idx;
struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
int error = 0;
- buf_addr = buf_vec[vec_idx].buf_addr;
- buf_len = buf_vec[vec_idx].buf_len;
-
/*
* The caller has checked the descriptors chain is larger than the
* header size.
*/
if (virtio_net_with_host_offload(dev)) {
- if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
+ if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
/*
* No luck, the virtio-net header doesn't fit
* in a contiguous virtual area.
@@ -2348,34 +2345,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
hdr = &tmp_hdr;
} else {
- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr);
+ hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
}
}
- /*
- * A virtio driver normally uses at least 2 desc buffers
- * for Tx: the first for storing the header, and others
- * for storing the data.
- */
- if (unlikely(buf_len < dev->vhost_hlen)) {
- buf_offset = dev->vhost_hlen - buf_len;
- vec_idx++;
- buf_addr = buf_vec[vec_idx].buf_addr;
- buf_len = buf_vec[vec_idx].buf_len;
- buf_avail = buf_len - buf_offset;
- } else if (buf_len == dev->vhost_hlen) {
- if (unlikely(++vec_idx >= nr_vec))
- goto out;
- buf_addr = buf_vec[vec_idx].buf_addr;
- buf_len = buf_vec[vec_idx].buf_len;
+ for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
+ if (buf_vec[vec_idx].buf_len > hdr_remain)
+ break;
- buf_offset = 0;
- buf_avail = buf_len;
- } else {
- buf_offset = dev->vhost_hlen;
- buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen;
+ hdr_remain -= buf_vec[vec_idx].buf_len;
}
+ buf_addr = buf_vec[vec_idx].buf_addr;
+ buf_len = buf_vec[vec_idx].buf_len;
+ buf_offset = hdr_remain;
+ buf_avail = buf_vec[vec_idx].buf_len - hdr_remain;
+
PRINT_PACKET(dev,
(uintptr_t)(buf_addr + buf_offset),
(uint32_t)buf_avail, 0);
--
2.37.3

View File

@ -9,7 +9,7 @@
#% define shortcommit0 %(c=%{commit0}; echo ${c:0:7}) #% define shortcommit0 %(c=%{commit0}; echo ${c:0:7})
%define ver 21.11 %define ver 21.11
%define rel 1 %define rel 2
%define srcname dpdk %define srcname dpdk
@ -26,8 +26,9 @@ Source: http://fast.dpdk.org/rel/dpdk-%{ver}.tar.xz
# Only needed for creating snapshot tarballs, not used in build itself # Only needed for creating snapshot tarballs, not used in build itself
Source100: dpdk-snapshot.sh Source100: dpdk-snapshot.sh
# Patches only in dpdk package # CVE-2022-2132
Patch1: 0001-vhost-discard-too-small-descriptor-chains.patch
Patch2: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
Summary: Set of libraries and drivers for fast packet processing Summary: Set of libraries and drivers for fast packet processing
@ -340,6 +341,9 @@ rm -rf %{docdir}/html/.doctrees
%endif %endif
%changelog %changelog
* Wed Oct 26 2022 Timothy Redaelli <tredaelli@redhat.com> - 21.11-2
- Backport fixes for CVE-2022-2132 (#2107171)
* Tue Nov 23 2021 David Marchand <david.marchand@redhat.com> - 21.11-1 * Tue Nov 23 2021 David Marchand <david.marchand@redhat.com> - 21.11-1
- Rebase to 21.11 (#2029497) - Rebase to 21.11 (#2029497)