On Fri, 23 Feb 2024 15:00:56 +0100
Morten Brørup <m...@smartsharesystems.com> wrote:
> Bugfix: The vlan in the bulletin does not contain a VLAN header, only the
> VLAN ID, so only copy 2 byte, not 4. The target structure has padding
> after the field, so copying 2 byte too many is effectively harmless.
> There is no need to backport this patch.
>
> Use RTE_PTR_ADD where copying arrays to the offset of a first field in a
> structure holding multiple fields, to avoid compiler warnings with
> decorated rte_memcpy.
>
> Bugzilla ID: 1146
>
> Fixes: 540a211084a7695a1c7bc43068934c140d6989be ("bnx2x: driver core")
> Cc: step...@networkplumber.org
> Cc: rm...@marvell.com
> Cc: shsha...@marvell.com
> Cc: pa...@marvell.com
>
> Signed-off-by: Morten Brørup <m...@smartsharesystems.com>
> Acked-by: Devendra Singh Rawat <dsinghra...@marvell.com>
> ---
> v9:
> * Fix checkpatch warning about spaces.
> v8:
> * Use memcpy instead of rte_memcpy in slow path. (Stephen Hemminger)
> v7:
> * No changes.
> v6:
> * Add Fixes to patch description.
> * Fix checkpatch warnings.
> v5:
> * No changes.
> v4:
> * Type casting did not fix the warnings, so use RTE_PTR_ADD instead.
> v3:
> * First patch in series.
> ---
> drivers/net/bnx2x/bnx2x_stats.c | 14 ++++++++------
> drivers/net/bnx2x/bnx2x_vfpf.c | 14 +++++++-------
> 2 files changed, 15 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/net/bnx2x/bnx2x_stats.c b/drivers/net/bnx2x/bnx2x_stats.c
> index c07b01510a..8105375d44 100644
> --- a/drivers/net/bnx2x/bnx2x_stats.c
> +++ b/drivers/net/bnx2x/bnx2x_stats.c
}
>
> @@ -817,10 +817,10 @@ bnx2x_hw_stats_update(struct bnx2x_softc *sc)
> etherstatspktsover1522octets);
> }
>
> - rte_memcpy(old, new, sizeof(struct nig_stats));
> + memcpy(old, new, sizeof(struct nig_stats));
This could just be structure assignment which is type safe.
*new = *old;
>
> - rte_memcpy(&(estats->rx_stat_ifhcinbadoctets_hi), &(pstats->mac_stx[1]),
> - sizeof(struct mac_stx));
> + memcpy(RTE_PTR_ADD(estats, offsetof(struct bnx2x_eth_stats,
> rx_stat_ifhcinbadoctets_hi)),
> + &pstats->mac_stx[1], sizeof(struct mac_stx));
> estats->brb_drop_hi = pstats->brb_drop_hi;
> estats->brb_drop_lo = pstats->brb_drop_lo;
>
> @@ -1492,9 +1492,11 @@ bnx2x_stats_init(struct bnx2x_softc *sc)
> REG_RD(sc, NIG_REG_STAT0_BRB_TRUNCATE + port*0x38);
> if (!CHIP_IS_E3(sc)) {
> REG_RD_DMAE(sc, NIG_REG_STAT0_EGRESS_MAC_PKT0 + port*0x50,
> - &(sc->port.old_nig_stats.egress_mac_pkt0_lo),
> 2);
> + RTE_PTR_ADD(&sc->port.old_nig_stats,
> + offsetof(struct nig_stats,
> egress_mac_pkt0_lo)), 2);
> REG_RD_DMAE(sc, NIG_REG_STAT0_EGRESS_MAC_PKT1 + port*0x50,
> - &(sc->port.old_nig_stats.egress_mac_pkt1_lo),
> 2);
> + RTE_PTR_ADD(&sc->port.old_nig_stats,
> + offsetof(struct nig_stats,
> egress_mac_pkt1_lo)), 2);
> }
>
> /* function stats */
> diff --git a/drivers/net/bnx2x/bnx2x_vfpf.c b/drivers/net/bnx2x/bnx2x_vfpf.c
> index 63953c2979..5411df3a38 100644
> --- a/drivers/net/bnx2x/bnx2x_vfpf.c
> +++ b/drivers/net/bnx2x/bnx2x_vfpf.c
> @@ -52,9 +52,9 @@ bnx2x_check_bull(struct bnx2x_softc *sc)
>
> /* check the mac address and VLAN and allocate memory if valid */
> if (valid_bitmap & (1 << MAC_ADDR_VALID) && memcmp(bull->mac,
> sc->old_bulletin.mac, ETH_ALEN))
> - rte_memcpy(&sc->link_params.mac_addr, bull->mac, ETH_ALEN);
> + memcpy(&sc->link_params.mac_addr, bull->mac, ETH_ALEN);
> if (valid_bitmap & (1 << VLAN_VALID))
> - rte_memcpy(&bull->vlan, &sc->old_bulletin.vlan, RTE_VLAN_HLEN);
> + memcpy(&bull->vlan, &sc->old_bulletin.vlan, sizeof(bull->vlan));
>
> sc->old_bulletin = *bull;
>
> @@ -569,7 +569,7 @@ bnx2x_vf_set_mac(struct bnx2x_softc *sc, int set)
>
> bnx2x_check_bull(sc);
>
> - rte_memcpy(query->filters[0].mac, sc->link_params.mac_addr, ETH_ALEN);
> + memcpy(query->filters[0].mac, sc->link_params.mac_addr, ETH_ALEN);
>
> bnx2x_add_tlv(sc, query, query->first_tlv.tl.length,
> BNX2X_VF_TLV_LIST_END,
> @@ -583,9 +583,9 @@ bnx2x_vf_set_mac(struct bnx2x_softc *sc, int set)
> while (BNX2X_VF_STATUS_FAILURE == reply->status &&
> bnx2x_check_bull(sc)) {
> /* A new mac was configured by PF for us */
> - rte_memcpy(sc->link_params.mac_addr, sc->pf2vf_bulletin->mac,
> + memcpy(sc->link_params.mac_addr, sc->pf2vf_bulletin->mac,
> ETH_ALEN);
> - rte_memcpy(query->filters[0].mac, sc->pf2vf_bulletin->mac,
> + memcpy(query->filters[0].mac, sc->pf2vf_bulletin->mac,
> ETH_ALEN);
>
> rc = bnx2x_do_req4pf(sc, sc->vf2pf_mbox_mapping.paddr);
> @@ -622,10 +622,10 @@ bnx2x_vf_config_rss(struct bnx2x_softc *sc,
> BNX2X_VF_TLV_LIST_END,
> sizeof(struct channel_list_end_tlv));
>
> - rte_memcpy(query->rss_key, params->rss_key, sizeof(params->rss_key));
> + memcpy(query->rss_key, params->rss_key, sizeof(params->rss_key));
> query->rss_key_size = T_ETH_RSS_KEY;
>
> - rte_memcpy(query->ind_table, params->ind_table,
> T_ETH_INDIRECTION_TABLE_SIZE);
> + memcpy(query->ind_table, params->ind_table,
> T_ETH_INDIRECTION_TABLE_SIZE);
> query->ind_table_size = T_ETH_INDIRECTION_TABLE_SIZE;
>
> query->rss_result_mask = params->rss_result_mask;
The driver is also using rte_memcpy for 2 byte values in bnx2x.c.
Another issue is the driver is using one element array as a flexible array.
A good static checker should catch this and report out of bounds access.
union bnx2x_stats_show_data {
uint32_t op; /* ioctl sub-command */
struct {
uint32_t num; /* return number of stats */
uint32_t len; /* length of each string item */
} desc;
/* variable length... */
char str[1]; /* holds names of desc.num stats, each desc.len in length */
/* variable length... */
uint64_t stats[1]; /* holds all stats */
};
