[PATCH 1/2] eventdev: fix eth dev ID truncation in telemetry

Wed, 04 Mar 2026 07:16:49 -0800 

eth_dev_id is declared as int in handle_rxa_get_queue_conf(),
handle_rxa_get_queue_stats(), handle_rxa_queue_stats_reset(), and
handle_rxa_instance_get(), but is implicitly narrowed to uint16_t when
passed to rte_eth_dev_is_valid_port() via
RTE_EVENT_ETH_RX_ADAPTER_PORTID_VALID_OR_GOTO_ERR_RET().
A value like 65535 + N passes validation as N, but is then used as-is as
an array index, causing out-of-bounds access and SIGSEGV.

To reproduce (requires telemetry enabled):
  echo "/eventdev/rxa_queue_conf,0,65536,0" | \
    socat - UNIX-CONNECT:/var/run/dpdk/vpp/dpdk_telemetry.v2,type=5

Result:
  SIGSEGV at handle_rxa_get_queue_conf + 0x34a, faulting address 0x50

This patch changes eth_dev_id from int to uint16_t to avoid truncation.

Fixes: 74b034ff8172 ("eventdev/eth_rx: fix parameters parsing memory leak")
Cc: [email protected]
Cc: [email protected]

Signed-off-by: Sergei Iashin <[email protected]>
---
 lib/eventdev/rte_event_eth_rx_adapter.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/eventdev/rte_event_eth_rx_adapter.c 
b/lib/eventdev/rte_event_eth_rx_adapter.c
index d564e14b72..2183adce6f 100644
--- a/lib/eventdev/rte_event_eth_rx_adapter.c
+++ b/lib/eventdev/rte_event_eth_rx_adapter.c
@@ -3827,7 +3827,8 @@ handle_rxa_get_queue_conf(const char *cmd __rte_unused,
 {
        uint8_t rx_adapter_id;
        uint16_t rx_queue_id;
-       int eth_dev_id, ret = -1;
+       uint16_t eth_dev_id;
+       int ret = -1;
        char *token, *l_params;
        struct rte_event_eth_rx_adapter_queue_conf queue_conf;
 
@@ -3899,7 +3900,8 @@ handle_rxa_get_queue_stats(const char *cmd __rte_unused,
 {
        uint8_t rx_adapter_id;
        uint16_t rx_queue_id;
-       int eth_dev_id, ret = -1;
+       uint16_t eth_dev_id;
+       int ret = -1;
        char *token, *l_params;
        struct rte_event_eth_rx_adapter_queue_stats q_stats;
 
@@ -3970,7 +3972,8 @@ handle_rxa_queue_stats_reset(const char *cmd __rte_unused,
 {
        uint8_t rx_adapter_id;
        uint16_t rx_queue_id;
-       int eth_dev_id, ret = -1;
+       uint16_t eth_dev_id;
+       int ret = -1;
        char *token, *l_params;
 
        if (params == NULL || strlen(params) == 0 || !isdigit(*params))
@@ -4031,7 +4034,8 @@ handle_rxa_instance_get(const char *cmd __rte_unused,
 {
        uint8_t instance_id;
        uint16_t rx_queue_id;
-       int eth_dev_id, ret = -1;
+       uint16_t eth_dev_id;
+       int ret = -1;
        char *token, *l_params;
 
        if (params == NULL || strlen(params) == 0 || !isdigit(*params))
-- 
2.39.5

Reply via email to