RE: [EXTERNAL] Re: [PATCH 1/2] eal: return error on devargs truncation in hotplug MP messages

Tue, 23 Jun 2026 17:07:10 -0700 

> On Wed, 25 Mar 2026 at 02:45, Long Li <[email protected]> wrote:
> >
> > The EAL hotplug multi-process messaging uses a fixed-size buffer
> > (EAL_DEV_MP_DEV_ARGS_MAX_LEN, 128 bytes) for device arguments.
> > When devargs exceeds this limit, strlcpy silently truncates the
> > string. This causes secondary processes to receive incomplete devargs
> > during hotplug re-add, leading to failed port re-initialization.
> >
> > For example, a MANA PCI device with 6 mac= arguments:
> >
> >   mac=AA:BB:CC:DD:EE:01,mac=AA:BB:CC:DD:EE:02,
> >   mac=AA:BB:CC:DD:EE:03,mac=AA:BB:CC:DD:EE:04,
> >   mac=AA:BB:CC:DD:EE:05,mac=AA:BB:CC:DD:EE:06
> >
> > produces a 131-byte devargs string that gets silently truncated to 127
> > bytes, losing the last MAC address.
> >
> > Return -E2BIG from rte_dev_probe() and rte_dev_remove() when devargs
> > would be truncated, instead of silently corrupting data.
> >
> > Signed-off-by: Long Li <[email protected]>
> 
> Worth a Fixes: tag and Cc: stable.
> 
> > ---
> >  lib/eal/common/eal_common_dev.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> >
> > diff --git a/lib/eal/common/eal_common_dev.c
> > b/lib/eal/common/eal_common_dev.c index 7185de0cb9..de24d14d28
> 100644
> > --- a/lib/eal/common/eal_common_dev.c
> > +++ b/lib/eal/common/eal_common_dev.c
> > @@ -250,6 +250,11 @@ rte_dev_probe(const char *devargs)
> >
> >         memset(&req, 0, sizeof(req));
> >         req.t = EAL_DEV_REQ_TYPE_ATTACH;
> > +       if (strlen(devargs) >= EAL_DEV_MP_DEV_ARGS_MAX_LEN) {
> > +               EAL_LOG(ERR, "devargs truncated (len %zu, max %d)",
> > +                       strlen(devargs), EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> > +               return -E2BIG;
> > +       }
> >         strlcpy(req.devargs, devargs, EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> 
> Please move the check before the memset().
> 
> >
> >         if (rte_eal_process_type() != RTE_PROC_PRIMARY) { @@ -397,6
> > +402,12 @@ rte_dev_remove(struct rte_device *dev)
> >
> >         memset(&req, 0, sizeof(req));
> >         req.t = EAL_DEV_REQ_TYPE_DETACH;
> > +       if (strlen(devargs) >= EAL_DEV_MP_DEV_ARGS_MAX_LEN) {
> > +               EAL_LOG(ERR, "devargs truncated (len %zu, max %d)",
> > +                       strlen(devargs), EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> > +               free(devargs);
> > +               return -E2BIG;
> > +       }
> >         strlcpy(req.devargs, devargs, EAL_DEV_MP_DEV_ARGS_MAX_LEN);
> >         free(devargs);
> >
> 
> Why do we need to validate devargs on cleanup?
> Its length should have been validated during probe.
> 
> 
> --
> David Marchand

I have sent v2 with all the comments addressed.

Thanks,

Long

Reply via email to