fix CVE-2022-28199

(cherry picked from commit f58059c758a721d5186c99d2aa8df2c4dcb88e51)
2022-09-09 17:24:50 +08:00 · 2022-09-09 17:24:50 +08:00 · 743ea9ef47
commit 743ea9ef47
parent 99d9187a99
5 changed files with 147 additions and 1 deletions
--- a/backport-0001-CVE-2022-2132.patch
+++ b/backport-0001-CVE-2022-2132.patch
@ -18,6 +18,8 @@ Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
 Cc: stable@dpdk.org

 Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Conflict: NA
+Reference: https://git.dpdk.org/dpdk-stable/commit/?id=5b3c25e6ee
 ---
 lib/librte_vhost/virtio_net.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
--- a/backport-0002-CVE-2022-2131.patch
+++ b/backport-0002-CVE-2022-2131.patch
@ -12,6 +12,8 @@ Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
 Cc: stable@dpdk.org

 Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Conflict: NA
+Reference: https://git.dpdk.org/dpdk-stable/commit/?id=e73049ea26
 ---
 lib/librte_vhost/virtio_net.c | 45 +++++++++++------------------------
 1 file changed, 14 insertions(+), 31 deletions(-)
--- a/backport-CVE-2022-28199.patch
+++ b/backport-CVE-2022-28199.patch
@ -0,0 +1,136 @@
+From 8b090f2664e9d014cd8fa0fde90597aaf4349e7e Mon Sep 17 00:00:00 2001
+From: Alexander Kozyrev <akozyrev@nvidia.com>
+Date: Thu, 11 Aug 2022 21:19:36 +0300
+Subject: [PATCH] net/mlx5: fix Rx queue recovery mechanism
+
+The local variables are getting inconsistent in data receiving routines
+after queue error recovery.
+Receive queue consumer index is getting wrong, need to reset one to the
+size of the queue (as RQ was fully replenished in recovery procedure).
+
+In MPRQ case, also the local consumed strd variable should be reset.
+
+CVE-2022-28199
+Fixes: 88c0733 ("net/mlx5: extend Rx completion with error handling")
+
+Signed-off-by: Alexander Kozyrev <akozyrev@nvidia.com>
+Signed-off-by: Matan Azrad <matan@nvidia.com>
+Conflict: NA
+Reference: https://git.dpdk.org/dpdk-stable/commit/?id=8b090f2664
+---
+ drivers/net/mlx5/mlx5_rxtx.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/mlx5/mlx5_rxtx.c b/drivers/net/mlx5/mlx5_rxtx.c
+index a4f627e1a6..07c994815a 100644
+--- a/drivers/net/mlx5/mlx5_rxtx.c
+++ b/drivers/net/mlx5/mlx5_rxtx.c
+@@ -931,6 +931,11 @@ mlx5_queue_state_modify(struct rte_eth_dev *dev,
+ 	return ret;
+ }
+ 
+/* Must be negative. */
+#define MLX5_ERROR_CQE_RET (-1)
+/* Must not be negative. */
+#define MLX5_RECOVERY_ERROR_RET 0
+
+ /**
+  * Handle a Rx error.
+  * The function inserts the RQ state to reset when the first error CQE is
+@@ -945,7 +950,7 @@ mlx5_queue_state_modify(struct rte_eth_dev *dev,
+  *   0 when called from non-vectorized Rx burst.
+  *
+  * @return
+- *   -1 in case of recovery error, otherwise the CQE status.
+ *   MLX5_RECOVERY_ERROR_RET in case of recovery error, otherwise the CQE status.
+  */
+ int
+ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+@@ -973,7 +978,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+ 		sm.queue_id = rxq->idx;
+ 		sm.state = IBV_WQS_RESET;
+ 		if (mlx5_queue_state_modify(ETH_DEV(rxq_ctrl->priv), &sm))
+-			return -1;
+			return MLX5_RECOVERY_ERROR_RET;
+ 		if (rxq_ctrl->dump_file_n <
+ 		    rxq_ctrl->priv->config.max_dump_files_num) {
+ 			MKSTR(err_str, "Unexpected CQE error syndrome "
+@@ -1014,7 +1019,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+ 			sm.state = IBV_WQS_RDY;
+ 			if (mlx5_queue_state_modify(ETH_DEV(rxq_ctrl->priv),
+ 						    &sm))
+-				return -1;
+				return MLX5_RECOVERY_ERROR_RET;
+ 			if (vec) {
+ 				const uint16_t q_mask = wqe_n - 1;
+ 				uint16_t elt_idx;
+@@ -1036,7 +1041,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+ 							rte_pktmbuf_free_seg
+ 								(*elt);
+ 						}
+-						return -1;
+						return MLX5_RECOVERY_ERROR_RET;
+ 					}
+ 				}
+ 				for (i = 0; i < (int)wqe_n; ++i) {
+@@ -1055,7 +1060,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+ 		}
+ 		return ret;
+ 	default:
+-		return -1;
+		return MLX5_RECOVERY_ERROR_RET;
+ 	}
+ }
+ 
+@@ -1073,7 +1078,9 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec)
+  *   written.
+  *
+  * @return
+- *   0 in case of empty CQE, otherwise the packet size in bytes.
+ *   0 in case of empty CQE, MLX5_ERROR_CQE_RET in case of error CQE,
+ *   otherwise the packet size in regular RxQ, and striding byte
+ *   count format in mprq case.
+  */
+ static inline int
+ mlx5_rx_poll_len(struct mlx5_rxq_data *rxq, volatile struct mlx5_cqe *cqe,
+@@ -1140,8 +1147,8 @@ mlx5_rx_poll_len(struct mlx5_rxq_data *rxq, volatile struct mlx5_cqe *cqe,
+ 					     rxq->err_state)) {
+ 					ret = mlx5_rx_err_handle(rxq, 0);
+ 					if (ret == MLX5_CQE_STATUS_HW_OWN ||
+-					    ret == -1)
+-						return 0;
+					    ret == MLX5_RECOVERY_ERROR_RET)
+						return MLX5_ERROR_CQE_RET;
+ 				} else {
+ 					return 0;
+ 				}
+@@ -1350,8 +1357,10 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
+ 		if (!pkt) {
+ 			cqe = &(*rxq->cqes)[rxq->cq_ci & cqe_cnt];
+ 			len = mlx5_rx_poll_len(rxq, cqe, cqe_cnt, &mcqe);
+-			if (!len) {
+			if (len <= 0) {
+ 				rte_mbuf_raw_free(rep);
+				if (unlikely(len == MLX5_ERROR_CQE_RET))
+					rq_ci = rxq->rq_ci << sges_n;
+ 				break;
+ 			}
+ 			pkt = seg;
+@@ -1630,8 +1639,13 @@ mlx5_rx_burst_mprq(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
+ 		}
+ 		cqe = &(*rxq->cqes)[rxq->cq_ci & cq_mask];
+ 		ret = mlx5_rx_poll_len(rxq, cqe, cq_mask, &mcqe);
+-		if (!ret)
+		if (ret == 0)
+ 			break;
+		if (unlikely(ret == MLX5_ERROR_CQE_RET)) {
+			rq_ci = rxq->rq_ci;
+			consumed_strd = rxq->consumed_strd;
+			break;
+		}
+ 		byte_cnt = ret;
+ 		strd_cnt = (byte_cnt & MLX5_MPRQ_STRIDE_NUM_MASK) >>
+ 			   MLX5_MPRQ_STRIDE_NUM_SHIFT;
+-- 
+2.23.0
+
--- a/backport-vhost-handle-mbuf-allocation-failure.patch
+++ b/backport-vhost-handle-mbuf-allocation-failure.patch
@ -15,6 +15,8 @@ Cc: stable@dpdk.org

 Signed-off-by: Sivaprasad Tummala <sivaprasad.tummala@intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Conflict: NA
+Reference: https://git.dpdk.org/dpdk-stable/commit/?id=0fd5608ef9
 ---
 lib/librte_vhost/virtio_net.c | 70 +++++++++++++++++++++++++++--------
 1 file changed, 55 insertions(+), 15 deletions(-)
--- a/dpdk.spec
+++ b/dpdk.spec
@ -1,6 +1,6 @@
 Name: dpdk
 Version: 19.11
-Release: 19
+Release: 20
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version  19.11
@ -47,6 +47,7 @@ Patch36: CVE-2022-0669.patch
 Patch6000: backport-vhost-handle-mbuf-allocation-failure.patch
 Patch6001: backport-0001-CVE-2022-2132.patch
 Patch6002: backport-0002-CVE-2022-2131.patch
+Patch6003: backport-CVE-2022-28199.patch

 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
@ -199,6 +200,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/${namer}/extra/dpdk/rte_kni.ko
 /usr/sbin/depmod

 %changelog
+* Fri Sep 9 2022 jiangheng <jiangheng14@huawei.com> - 19.11-20
+- fix CVE-2022-28199
+
 * Thu Sep 8 2022 jiangheng <jiangheng14@huawei.com> - 19.11-19
 - fix CVE-2022-2132