[dpdk-dev] table: fix a crash during key8 and key32 overload
Commit Message
hash_key8_ext and hash_key32_ext tables allocate cache entries to
support table overload cases. The crash can occur when cache entry is
free after use. The problem is with computing the index of the free
cache entry. The same case for key16 was fixed with earlier patch.
Signed-off-by: Maciej Gajdzica <maciejx.t.gajdzica@intel.com>
---
lib/librte_table/rte_table_hash_key32.c | 5 ++---
lib/librte_table/rte_table_hash_key8.c | 5 ++---
2 files changed, 4 insertions(+), 6 deletions(-)
Comments
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Maciej Gajdzica
> Sent: Monday, March 23, 2015 3:09 PM
> To: dev@dpdk.org
> Subject: [dpdk-dev] [PATCH] table: fix a crash during key8 and key32
> overload
>
> hash_key8_ext and hash_key32_ext tables allocate cache entries to
> support table overload cases. The crash can occur when cache entry is
> free after use. The problem is with computing the index of the free
> cache entry. The same case for key16 was fixed with earlier patch.
>
> Signed-off-by: Maciej Gajdzica <maciejx.t.gajdzica@intel.com>
> ---
> lib/librte_table/rte_table_hash_key32.c | 5 ++---
> lib/librte_table/rte_table_hash_key8.c | 5 ++---
> 2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/lib/librte_table/rte_table_hash_key32.c
> b/lib/librte_table/rte_table_hash_key32.c
> index da0ce6a..6790594 100644
> --- a/lib/librte_table/rte_table_hash_key32.c
> +++ b/lib/librte_table/rte_table_hash_key32.c
> @@ -540,9 +540,8 @@ rte_table_hash_entry_delete_key32_ext(
>
> memset(bucket, 0,
> sizeof(struct
> rte_bucket_4_32));
> - bucket_index = (bucket -
> - ((struct rte_bucket_4_32 *)
> - f->memory)) - f->n_buckets;
> + bucket_index = (((uint8_t *)bucket -
> + (uint8_t *)f->memory)/f-
> >bucket_size) - f->n_buckets;
> f->stack[f->stack_pos++] =
> bucket_index;
> }
>
> diff --git a/lib/librte_table/rte_table_hash_key8.c
> b/lib/librte_table/rte_table_hash_key8.c
> index 443ca7d..6803eb2 100644
> --- a/lib/librte_table/rte_table_hash_key8.c
> +++ b/lib/librte_table/rte_table_hash_key8.c
> @@ -528,9 +528,8 @@ rte_table_hash_entry_delete_key8_ext(
>
> memset(bucket, 0,
> sizeof(struct
> rte_bucket_4_8));
> - bucket_index = (bucket -
> - ((struct rte_bucket_4_8 *)
> - f->memory)) - f->n_buckets;
> + bucket_index = (((uint8_t *)bucket -
> + (uint8_t *)f->memory)/f-
> >bucket_size) - f->n_buckets;
> f->stack[f->stack_pos++] =
> bucket_index;
> }
>
> --
> 1.7.9.5
Acked by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Thanks, Maciej!
Reviewed-by: Mirek Walukiewicz <miroslaw.walukiewicz@intel.com>
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Dumitrescu, Cristian
> Sent: Monday, March 23, 2015 4:20 PM
> To: Gajdzica, MaciejX T; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH] table: fix a crash during key8 and key32
> overload
>
>
>
> > -----Original Message-----
> > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Maciej Gajdzica
> > Sent: Monday, March 23, 2015 3:09 PM
> > To: dev@dpdk.org
> > Subject: [dpdk-dev] [PATCH] table: fix a crash during key8 and key32
> > overload
> >
> > hash_key8_ext and hash_key32_ext tables allocate cache entries to
> > support table overload cases. The crash can occur when cache entry is
> > free after use. The problem is with computing the index of the free
> > cache entry. The same case for key16 was fixed with earlier patch.
> >
> > Signed-off-by: Maciej Gajdzica <maciejx.t.gajdzica@intel.com>
> > ---
> > lib/librte_table/rte_table_hash_key32.c | 5 ++---
> > lib/librte_table/rte_table_hash_key8.c | 5 ++---
> > 2 files changed, 4 insertions(+), 6 deletions(-)
> >
> > diff --git a/lib/librte_table/rte_table_hash_key32.c
> > b/lib/librte_table/rte_table_hash_key32.c
> > index da0ce6a..6790594 100644
> > --- a/lib/librte_table/rte_table_hash_key32.c
> > +++ b/lib/librte_table/rte_table_hash_key32.c
> > @@ -540,9 +540,8 @@ rte_table_hash_entry_delete_key32_ext(
> >
> > memset(bucket, 0,
> > sizeof(struct
> > rte_bucket_4_32));
> > - bucket_index = (bucket -
> > - ((struct rte_bucket_4_32 *)
> > - f->memory)) - f->n_buckets;
> > + bucket_index = (((uint8_t *)bucket -
> > + (uint8_t *)f->memory)/f-
> > >bucket_size) - f->n_buckets;
> > f->stack[f->stack_pos++] =
> > bucket_index;
> > }
> >
> > diff --git a/lib/librte_table/rte_table_hash_key8.c
> > b/lib/librte_table/rte_table_hash_key8.c
> > index 443ca7d..6803eb2 100644
> > --- a/lib/librte_table/rte_table_hash_key8.c
> > +++ b/lib/librte_table/rte_table_hash_key8.c
> > @@ -528,9 +528,8 @@ rte_table_hash_entry_delete_key8_ext(
> >
> > memset(bucket, 0,
> > sizeof(struct
> > rte_bucket_4_8));
> > - bucket_index = (bucket -
> > - ((struct rte_bucket_4_8 *)
> > - f->memory)) - f->n_buckets;
> > + bucket_index = (((uint8_t *)bucket -
> > + (uint8_t *)f->memory)/f-
> > >bucket_size) - f->n_buckets;
> > f->stack[f->stack_pos++] =
> > bucket_index;
> > }
> >
> > --
> > 1.7.9.5
>
> Acked by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
>
> Thanks, Maciej!
> > hash_key8_ext and hash_key32_ext tables allocate cache entries to
> > support table overload cases. The crash can occur when cache entry is
> > free after use. The problem is with computing the index of the free
> > cache entry. The same case for key16 was fixed with earlier patch.
> >
> > Signed-off-by: Maciej Gajdzica <maciejx.t.gajdzica@intel.com>
>
> Acked by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Merged with Mirek's (key16) patch, thanks
@@ -540,9 +540,8 @@ rte_table_hash_entry_delete_key32_ext(
memset(bucket, 0,
sizeof(struct rte_bucket_4_32));
- bucket_index = (bucket -
- ((struct rte_bucket_4_32 *)
- f->memory)) - f->n_buckets;
+ bucket_index = (((uint8_t *)bucket -
+ (uint8_t *)f->memory)/f->bucket_size) - f->n_buckets;
f->stack[f->stack_pos++] = bucket_index;
}
@@ -528,9 +528,8 @@ rte_table_hash_entry_delete_key8_ext(
memset(bucket, 0,
sizeof(struct rte_bucket_4_8));
- bucket_index = (bucket -
- ((struct rte_bucket_4_8 *)
- f->memory)) - f->n_buckets;
+ bucket_index = (((uint8_t *)bucket -
+ (uint8_t *)f->memory)/f->bucket_size) - f->n_buckets;
f->stack[f->stack_pos++] = bucket_index;
}