Re: [PATCH 1/2] eal: return error on devargs truncation in hotplug MP messages

Tue, 09 Jun 2026 02:31:04 -0700 

On Wed, 25 Mar 2026 at 02:45, Long Li <[email protected]> wrote:
>
> The EAL hotplug multi-process messaging uses a fixed-size buffer
> (EAL_DEV_MP_DEV_ARGS_MAX_LEN, 128 bytes) for device arguments.
> When devargs exceeds this limit, strlcpy silently truncates the
> string. This causes secondary processes to receive incomplete
> devargs during hotplug re-add, leading to failed port
> re-initialization.
>
> For example, a MANA PCI device with 6 mac= arguments:
>
>   mac=AA:BB:CC:DD:EE:01,mac=AA:BB:CC:DD:EE:02,
>   mac=AA:BB:CC:DD:EE:03,mac=AA:BB:CC:DD:EE:04,
>   mac=AA:BB:CC:DD:EE:05,mac=AA:BB:CC:DD:EE:06
>
> produces a 131-byte devargs string that gets silently truncated
> to 127 bytes, losing the last MAC address.
>
> Return -E2BIG from rte_dev_probe() and rte_dev_remove() when
> devargs would be truncated, instead of silently corrupting data.
>
> Signed-off-by: Long Li <[email protected]>

Worth a Fixes: tag and Cc: stable.

> ---
>  lib/eal/common/eal_common_dev.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/lib/eal/common/eal_common_dev.c b/lib/eal/common/eal_common_dev.c
> index 7185de0cb9..de24d14d28 100644
> --- a/lib/eal/common/eal_common_dev.c
> +++ b/lib/eal/common/eal_common_dev.c
> @@ -250,6 +250,11 @@ rte_dev_probe(const char *devargs)
>
>         memset(&req, 0, sizeof(req));
>         req.t = EAL_DEV_REQ_TYPE_ATTACH;
> +       if (strlen(devargs) >= EAL_DEV_MP_DEV_ARGS_MAX_LEN) {
> +               EAL_LOG(ERR, "devargs truncated (len %zu, max %d)",
> +                       strlen(devargs), EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> +               return -E2BIG;
> +       }
>         strlcpy(req.devargs, devargs, EAL_DEV_MP_DEV_ARGS_MAX_LEN);

Please move the check before the memset().

>
>         if (rte_eal_process_type() != RTE_PROC_PRIMARY) {
> @@ -397,6 +402,12 @@ rte_dev_remove(struct rte_device *dev)
>
>         memset(&req, 0, sizeof(req));
>         req.t = EAL_DEV_REQ_TYPE_DETACH;
> +       if (strlen(devargs) >= EAL_DEV_MP_DEV_ARGS_MAX_LEN) {
> +               EAL_LOG(ERR, "devargs truncated (len %zu, max %d)",
> +                       strlen(devargs), EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> +               free(devargs);
> +               return -E2BIG;
> +       }
>         strlcpy(req.devargs, devargs, EAL_DEV_MP_DEV_ARGS_MAX_LEN);
>         free(devargs);
>

Why do we need to validate devargs on cleanup?
Its length should have been validated during probe.


-- 
David Marchand

Reply via email to