Hello community,

here is the log from the commit of package dpdk.14313 for 
openSUSE:Leap:15.2:Update checked in at 2020-10-04 00:22:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/dpdk.14313 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.dpdk.14313.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dpdk.14313"

Sun Oct  4 00:22:22 2020 rev:1 rq:838850 version:19.11.4

Changes:
--------
New Changes file:

--- /dev/null   2020-09-10 00:27:47.435250138 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.dpdk.14313.new.4249/dpdk.changes       
2020-10-04 00:22:22.780761792 +0200
@@ -0,0 +1,1359 @@
+-------------------------------------------------------------------
+Fri Sep 18 15:13:53 UTC 2020 - Jaime CaamaƱo Ruiz <jcaam...@suse.com>
+
+- Update to 19.11.4. For a list of fixes check:
+  https://doc.dpdk.org/guides-19.11/rel_notes/release_19_11.html#id8
+- Add patches to fix vulnerability where malicious guest can harm the host
+  using vhost crypto, this includes executing code in host (VM Escape),
+  reading host application memory space to guest and causing partially
+  denial of service in the host (CVE-2020-14374,CVE-2020-14375,CVE-2020-14376,
+  CVE-2020-14377,CVE-2020-14378bsc#1176590).
+  * 0001-vhost-crypto-fix-pool-allocation.patch
+  * 0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
+  * 0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
+  * 0004-vhost-crypto-fix-incorrect-write-back-source.patch
+  * 0005-vhost-crypto-fix-data-length-check.patch
+  * 0006-vhost-crypto-fix-possible-TOCTOU-attack.patch
+
+-------------------------------------------------------------------
+Tue Aug 11 06:56:10 UTC 2020 - Dirk Mueller <dmuel...@suse.com>
+
+- update to v19.11.3:
+    app/crypto-perf: fix display of sample test vector
+    app/eventdev: check Tx adapter service ID
+    app: fix usage help of options separated by dashes
+    app/pipeline: fix build with gcc 10
+    app: remove extra new line after link duplex
+    app/testpmd: add parsing for QinQ VLAN headers
+    app/testpmd: fix DCB set
+    app/testpmd: fix memory failure handling for i40e DDP
+    app/testpmd: fix PPPoE flow command
+    app/testpmd: fix statistics after reset
+    baseband/turbo_sw: fix exposed LLR decimals assumption
+    bbdev: fix doxygen comments
+    build: disable gcc 10 zero-length-bounds warning
+    build: fix linker warnings with clang on Windows
+    build: support MinGW-w64 with Meson
+    buildtools: get static mlx dependencies for meson
+    bus/fslmc: fix dereferencing null pointer
+    bus/fslmc: fix size of qman fq descriptor
+    bus/pci: fix devargs on probing again
+    bus/pci: fix UIO resource access from secondary process
+    bus/vmbus: fix comment spelling
+    ci: fix telemetry dependency in Travis
+    common/iavf: update copyright
+    common/mlx5: fix build with -fno-common
+    common/mlx5: fix build with rdma-core 21
+    common/mlx5: fix netlink buffer allocation from stack
+    common/mlx5: fix umem buffer alignment
+    common/octeontx: fix gcc 9.1 ABI break
+    common/qat: fix GEN3 marketing name
+    contigmem: cleanup properly when load fails
+    crypto/caam_jr: fix check of file descriptors
+    crypto/caam_jr: fix IRQ functions return type
+    crypto/ccp: fix fd leak on probe failure
+    cryptodev: add asymmetric session-less feature name
+    cryptodev: fix missing device id range checking
+    cryptodev: fix SHA-1 digest enum comment
+    crypto/kasumi: fix extern declaration
+    crypto/nitrox: fix CSR register address generation
+    crypto/nitrox: fix oversized device name
+    crypto/octeontx2: fix build with gcc 10
+    crypto/openssl: fix out-of-place encryption
+    crypto/qat: fix cipher descriptor for ZUC and SNOW
+    crypto/qat: support plain SHA1..SHA512 hashes
+    devtools: fix symbol map change check
+    doc: add i40e limitation for flow director
+    doc: add NASM installation steps
+    doc: fix API index
+    doc: fix build issue in ABI guide
+    doc: fix build with doxygen 1.8.18
+    doc: fix default symbol binding in ABI guide
+    doc: fix log level example in Linux guide
+    doc: fix LTO config option
+    doc: fix matrix CSS for recent sphinx
+    doc: fix multicast filter feature announcement
+    doc: fix number of failsafe sub-devices
+    doc: fix reference in ABI guide
+    doc: fix sphinx compatibility
+    doc: fix typo in contributors guide
+    doc: fix typo in contributors guide
+    doc: fix typos in ABI policy
+    doc: prefer https when pointing to dpdk.org
+    drivers: add crypto as dependency for event drivers
+    drivers/crypto: disable gcc 10 no-common errors
+    drivers/crypto: fix build with make 4.3
+    drivers/crypto: fix log type variables for -fno-common
+    drivers: fix log type variables for -fno-common
+    eal/arm64: fix precise TSC
+    eal: fix C++17 compilation
+    eal: fix comments spelling
+    eal: fix log message print for regex
+    eal: fix PRNG init with HPET enabled
+    eal: fix typo in endian conversion macros
+    eal/freebsd: fix queuing duplicate alarm callbacks
+    eal/ppc: fix bool type after altivec include
+    eal/ppc: fix build with gcc 9.3
+    eal/x86: ignore gcc 10 stringop-overflow warnings
+    ethdev: fix build when vtune profiling is on
+    ethdev: fix spelling
+    eventdev: fix probe and remove for secondary process
+    event/dsw: avoid reusing previously recorded events
+    event/dsw: fix enqueue burst return value
+    event/dsw: remove redundant control ring poll
+    event/dsw: remove unnecessary read barrier
+    event/octeontx2: fix build for O1 optimization
+    event/octeontx2: fix queue removal from Rx adapter
+    examples/eventdev: fix build with gcc 10
+    examples/eventdev: fix crash on exit
+    examples/fips_validation: fix parsing of algorithms
+    examples/ip_pipeline: remove check of null response
+    examples/ipsec-gw: fix gcc 10 maybe-uninitialized warning
+    examples/kni: fix crash during MTU set
+    examples/kni: fix MTU change to setup Tx queue
+    examples/l2fwd-keepalive: fix mbuf pool size
+    examples/qos_sched: fix build with gcc 10
+    examples: remove extra new line after link duplex
+    examples/vhost_blk: fix build with gcc 10
+    examples/vmdq: fix output of pools/queues
+    examples/vmdq: fix RSS configuration
+    examples/vm_power: drop Unix path limit redefinition
+    examples/vm_power: fix build with -fno-common
+    fib: fix headers for C++ support
+    fix same typo in multiple places
+    fix various typos found by Lintian
+    ipsec: check SAD lookup error
+    ipsec: fix build dependency on hash lib
+    kvargs: fix buffer overflow when parsing list
+    kvargs: fix invalid token parsing on FreeBSD
+    kvargs: fix strcmp helper documentation
+    log: fix level picked with globbing on type register
+    lpm6: fix comments spelling
+    lpm6: fix size of tbl8 group
+    mem: fix overflow on allocation
+    mem: mark pages as not accessed when freeing memory
+    mem: mark pages as not accessed when reserving VA
+    mempool/dpaa2: install missing header with meson
+    mempool/octeontx2: fix build for gcc O1 optimization
+    mempool: remove inline functions from export list
+    mem: preallocate VA space in no-huge mode
+    mk: fix static linkage of mlx dependency
+    net/avp: fix gcc 10 maybe-uninitialized warning
+    net/bnxt: do not use PMD log type
+    net/bnxt: fix error log for command timeout
+    net/bnxt: fix FW version query
+    net/bnxt: fix HWRM command during FW reset
+    net/bnxt: fix max ring count
+    net/bnxt: fix memory leak during queue restart
+    net/bnxt: fix number of TQM ring
+    net/bnxt: fix port start failure handling
+    net/bnxt: fix possible stack smashing
+    net/bnxt: fix Rx ring producer index
+    net/bnxt: fix storing MAC address twice
+    net/bnxt: fix TQM ring context memory size
+    net/bnxt: fix using RSS config struct
+    net/bnxt: fix VLAN add when port is stopped
+    net/bnxt: fix VNIC Rx queue count on VNIC free
+    net/bnxt: use true/false for bool types
+    net/dpaa2: fix 10G port negotiation
+    net/dpaa2: fix congestion ID for multiple traffic classes
+    net/dpaa: use dynamic log type
+    net/e1000: fix port hotplug for multi-process
+    net/ena/base: fix documentation of functions
+    net/ena/base: fix indentation in CQ polling
+    net/ena/base: fix indentation of multiple defines
+    net/ena/base: fix testing for supported hash function
+    net/ena/base: make allocation macros thread-safe
+    net/ena/base: prevent allocation of zero sized memory
+    net/ena: fix build for O1 optimization
+    net/ena: set IO ring size to valid value
+    net/enetc: fix Rx lock-up
+    net/enic: fix flow action reordering
+    net/failsafe: fix fd leak
+    net/hinic: allocate IO memory with socket id
+    net/hinic/base: fix PF firmware hot-active problem
+    net/hinic/base: fix port start during FW hot update
+    net/hinic: fix LRO
+    net/hinic: fix queues resource free
+    net/hinic: fix repeating cable log and length check
+    net/hinic: fix snprintf length of cable info
+    net/hinic: fix TSO
+    net/hinic: fix Tx mbuf length while copying
+    net/hns3: add free threshold in Rx
+    net/hns3: add RSS hash offload to capabilities
+    net/hns3: clear residual flow rules on init
+    net/hns3: fix configuring illegal VLAN PVID
+    net/hns3: fix configuring RSS hash when rules are flushed
+    net/hns3: fix crash when flushing RSS flow rules with FLR
+    net/hns3: fix default error code of command interface
+    net/hns3: fix default VLAN filter configuration for PF
+    net/hns3: fix mailbox opcode data type
+    net/hns3: fix MSI-X interrupt during initialization
+    net/hns3: fix packets offload features flags in Rx
+    net/hns3: fix promiscuous mode for PF
+    net/hns3: fix return value of setting VLAN offload
+    net/hns3: fix return value when clearing statistics
+    net/hns3: fix RSS indirection table configuration
+    net/hns3: fix RSS key length
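Review bot: in the 19.11.4 entry the reference list ends with `CVE-2020-14378bsc#1176590`, so the last CVE id and the Bugzilla id are fused into one token; separate them as `CVE-2020-14378, bsc#1176590` so each reference can be matched on its own. The same sentence reads "causing partially denial of service", which should be "partial denial of service". It would also help to state which of the six patches addresses which CVE, since only some of the patch headers shown here carry a CVE tag.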
++++ 1162 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.dpdk.14313.new.4249/dpdk.changes

New:
----
  0001-fix-cpu-compatibility.patch
  0001-vhost-crypto-fix-pool-allocation.patch
  0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
  0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
  0004-vhost-crypto-fix-incorrect-write-back-source.patch
  0005-vhost-crypto-fix-data-length-check.patch
  0006-vhost-crypto-fix-possible-TOCTOU-attack.patch
  _constraints
  _multibuild
  dpdk-19.11.4.tar.xz
  dpdk.changes
  dpdk.spec
  preamble

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dpdk.spec ++++++
#
# spec file for package dpdk
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild


%define flavor @BUILD_FLAVOR@%{nil}
%define aarch64_machine2 armv8a
%define exclusive_arch aarch64 x86_64 ppc64le
%define name_tag %{nil}
%define summary_tag %{nil}
%if "%flavor" == "thunderx"
%define name_tag -thunderx
%define summary_tag (thunderx)
%define aarch64_machine2 thunderx
%define exclusive_arch aarch64
%endif
%define machine native
%define machine2 default
%ifarch x86_64
%define machine native
%define target x86_64-%{machine}-linuxapp-gcc
%endif
%ifarch aarch64
%define machine2 %aarch64_machine2
%define target arm64-%{machine2}-linuxapp-gcc
%endif
%ifarch ppc64le
%define machine2 power8
%define target ppc_64-%{machine2}-linuxapp-gcc
%endif
# This is in sync with <src>/ABI_VERSION
# TODO: automate this sync
%define maj 20
%define min 0
%define lname libdpdk-%{maj}_%{min}
%bcond_without shared
# Add option to build without examples
%bcond_without examples
# Add option to build without tools
%bcond_without tools
Name:           dpdk%{name_tag}
Version:        19.11.4
Release:        0
Summary:        Set of libraries and drivers for fast packet processing
License:        BSD-3-Clause AND GPL-2.0-only AND LGPL-2.1-only
Group:          System/Libraries
URL:            http://dpdk.org
Source:         http://fast.dpdk.org/rel/dpdk-%{version}.tar.xz
Source1:        preamble
Patch1:         0001-fix-cpu-compatibility.patch
Patch2:         0001-vhost-crypto-fix-pool-allocation.patch
Patch3:         0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch
Patch4:         0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch
Patch5:         0004-vhost-crypto-fix-incorrect-write-back-source.patch
Patch6:         0005-vhost-crypto-fix-data-length-check.patch
Patch7:         0006-vhost-crypto-fix-possible-TOCTOU-attack.patch
BuildRequires:  doxygen
BuildRequires:  fdupes
BuildRequires:  libelf-devel
BuildRequires:  libmnl-devel
BuildRequires:  libnuma-devel
BuildRequires:  libpcap-devel
BuildRequires:  pesign-obs-integration
BuildRequires:  zlib-devel
Conflicts:      dpdk-any
Provides:       dpdk-any = %{version}
ExclusiveArch:  %exclusive_arch
%if 0%{?sle_version} >= 120400
BuildRequires:  rdma-core-devel
%endif

%description
The Data Plane Development Kit is a set of libraries and drivers for
fast packet processing in the user space.

%package devel
Summary:        Data Plane Development Kit development files %{summary_tag}
Group:          Development/Libraries/C and C++
Requires:       %{lname} = %{version}
Conflicts:      dpdk-any-devel
Provides:       dpdk-any-devel = %{version}

%description devel
This package contains the headers and other files needed for developing
applications with the Data Plane Development Kit.

%package -n %{lname}
Summary:        Data Plane Development Kit runtime libraries %{summary_tag}
Group:          Development/Libraries/C and C++
Provides:       %{lname}-any = %{version}

%description -n %{lname}
This package contains the runtime libraries needed for 3rd party application
to use the Data Plane Development Kit.

%package doc
Summary:        Data Plane Development Kit API documentation %{summary_tag}
Group:          System/Libraries
Conflicts:      dpdk-any-doc
Provides:       dpdk-any-doc = %{version}
BuildArch:      noarch

%description doc
API programming documentation for the Data Plane Development Kit.

%if %{with tools}
%package tools
Summary:        Tools for setting up Data Plane Development Kit environment %{summary_tag}
Group:          System/Libraries
Requires:       %{name} = %{version}
Requires:       findutils
Requires:       iproute
Requires:       kmod
Requires:       pciutils
Conflicts:      dpdk-any-tools
Provides:       dpdk-any-tools = %{version}

%description tools
This package contains tools for setting up Data Plane Development Kit environment
%endif

%if %{with examples}
%package examples
Summary:        Data Plane Development Kit example applications %{summary_tag}
Group:          System/Libraries
BuildRequires:  libvirt-devel
Conflicts:      dpdk-any-examples
Provides:       dpdk-any-examples = %{version}

%description examples
Example applications utilizing the Data Plane Development Kit, such
as L2 and L3 forwarding.
%endif

%package kmp
Summary:        DPDK KNI kernel module %{summary_tag}
Group:          System/Kernel
BuildRequires:  %{kernel_module_package_buildreqs}
Conflicts:      dpdk-any-kmp
%suse_kernel_module_package -p %{_sourcedir}/preamble pae 64kb

%description kmp
The DPDK Kernel NIC Interface (KNI) allows userspace applications access to the Linux* control plane.

%define sdkdir  %{_datadir}/dpdk
%define docdir  %{_docdir}/dpdk
%define incdir %{_includedir}/dpdk
%define pmddir %{_libdir}/dpdk-pmds-%{maj}.%{min}

%prep
# can't use %{name} because of dpdk-thunderx
%setup -q -n dpdk-stable-%{version}
%patch1 -p1 -z .init
%patch2 -p1 -z .init
%patch3 -p1 -z .init
%patch4 -p1 -z .init
%patch5 -p1 -z .init
%patch6 -p1 -z .init
%patch7 -p1 -z .init

# This fixes CROSS compilation (broken) in the mk file for ThunderX
sed -i '/^CROSS /s/^/#/'  mk/machine/thunderx/rte.vars.mk

# Verify ABI
[ "$(cat ABI_VERSION)" = "%{maj}.%{min}" ] || exit 1

%build

cp mk/machine/armv8a/rte.vars.mk mk/machine/thunderx

# set up a method for modifying the resulting .config file
function setconf() {
        if grep -q ^$1= $3/.config; then
                sed -i "s:^$1=.*$:$1=$2:g" $3/.config
        else
                echo $1=$2 >> $3/.config
        fi
}

function setdefaultconf()
{
        # Remove the below once upstream fixes the DPAA for NXP ARM
        setconf CONFIG_RTE_LIBRTE_DPAA_BUS n $1
        setconf CONFIG_RTE_LIBRTE_DPAA_MEMPOOL n $1
        setconf CONFIG_RTE_LIBRTE_DPAA_PMD n $1
        setconf CONFIG_RTE_LIBRTE_PMD_CAAM_JR n $1
        setconf CONFIG_RTE_LIBRTE_PMD_DPAA_SEC n $1
        setconf CONFIG_RTE_LIBRTE_PMD_DPAA_EVENTDEV n $1
        %ifarch aarch64
        setconf CONFIG_RTE_LIBRTE_PFE_PMD n $1
        %endif

        setconf CONFIG_RTE_MACHINE '"%{machine2}"' $1
        # Disable experimental features
        setconf CONFIG_RTE_NEXT_ABI n $1

        # Enable automatic driver loading from this path
        setconf CONFIG_RTE_EAL_PMD_PATH '"%{pmddir}"' $1

        setconf CONFIG_RTE_LIBRTE_BNX2X_PMD y $1
        setconf CONFIG_RTE_LIBRTE_BNX2X_MF_SUPPORT y $1
        setconf CONFIG_RTE_LIBRTE_PMD_PCAP y $1
        setconf CONFIG_RTE_LIBRTE_VHOST_NUMA y $1
%if 0%{?sle_version} >= 120400
        setconf CONFIG_RTE_LIBRTE_MLX5_PMD y $1
        setconf CONFIG_RTE_LIBRTE_MLX4_PMD y $1
%endif
        setconf CONFIG_RTE_EAL_IGB_UIO n $1
        setconf CONFIG_RTE_KNI_KMOD n $1

        %if %{with shared}
        setconf CONFIG_RTE_BUILD_SHARED_LIB y $1
        %endif

        %ifarch aarch64 ppc64le
        setconf CONFIG_RTE_LIBRTE_DISTRIBUTOR n $1
        %endif
        %ifarch ppc64le
        setconf CONFIG_RTE_LIBRTE_PMD_RING n $1
        setconf CONFIG_RTE_LIBRTE_IXGBE_PMD n $1
        setconf CONFIG_RTE_LIBRTE_POWER n $1
        %endif
}
# In case dpdk-devel is installed, we should ignore its hints about the SDK directories
unset RTE_SDK RTE_INCLUDE RTE_TARGET

export EXTRA_CFLAGS="%{optflags} -Wformat -fPIC -U_FORTIFY_SOURCE"

# DPDK defaults to using builder-specific compiler flags.  However,
# the config has been changed by specifying CONFIG_RTE_MACHINE=default
# in order to build for a more generic host.  NOTE: It is possible that
# the compiler flags used still won't work for all Fedora-supported
# machines, but runtime checks in DPDK will catch those situations.

make V=1 O=%{target} T=%{target} %{?_smp_mflags} config
setdefaultconf %{target}

export EXTRA_CFLAGS='-DVERSION=\"%{version}\"'
for flavor in %{flavors_to_build}; do
        export RTE_KERNELDIR=%{_prefix}/src/linux-obj/%{_target_cpu}/$flavor
        make V=1 O=%{target}-$flavor T=%{target} %{?_smp_mflags} config
        setdefaultconf %{target}-$flavor
        setconf CONFIG_RTE_EAL_IGB_UIO y %{target}-$flavor
        setconf CONFIG_RTE_KNI_KMOD y %{target}-$flavor
        cd  %{target}-$flavor
        make V=1 %{?_smp_mflags}
        cd -
done

make V=1 O=%{target} %{?_smp_mflags}
make V=1 O=%{target} %{?_smp_mflags} doc-api-html

%if %{with examples}
make V=1 O=%{target}/examples T=%{target} %{?_smp_mflags} examples
%endif

%install
# export needed for kmp package
export EXTRA_CFLAGS='-DVERSION=\"%{version}\"'
export INSTALL_MOD_PATH=%{buildroot}
export INSTALL_MOD_DIR=updates
export BRP_PESIGN_FILES="*.ko"

for flavor in %{flavors_to_build}; do
        cd  %{target}-$flavor
        export RTE_KERNELDIR=%{_prefix}/src/linux-obj/%{_target_cpu}/$flavor
        dir=%{_prefix}/src/linux-obj/%{_target_cpu}/$flavor
        krel=$(make -s -C "$dir" kernelrelease)
        mkdir -p %{buildroot}/lib/modules/$krel/extra/dpdk/
        #make install expects same kernel for build and target, lets copy it manually
        install -m644 ../%{target}-$flavor/kmod/*.ko %{buildroot}/lib/modules/$krel/extra/dpdk/
        cd -
done
# In case dpdk-devel is installed
unset RTE_SDK RTE_INCLUDE RTE_TARGET

%make_install O=%{target} prefix=%{_usr} libdir=%{_libdir}

%if ! %{with tools}
rm -rf %{buildroot}%{sdkdir}/usertools/
rm -rf %{buildroot}%{_sbindir}/dpdk_nic_bind
%endif
rm -f %{buildroot}%{sdkdir}/usertools/setup.sh
#TODO pip elftools has issues to fix
rm -rf %{buildroot}%{_bindir}/dpdk-pmdinfo

%if %{with examples}
find %{target}/examples/ -name "*.map" | xargs rm -f
for f in %{target}/examples/*/%{target}/app/*; do
    bn=`basename ${f}`
    cp -p ${f} %{buildroot}%{_bindir}/dpdk_example_${bn}
done
%endif

# Create a driver directory with symlinks to all pmds
mkdir -p %{buildroot}/%{pmddir}
for f in %{buildroot}/%{_libdir}/*_pmd_*.so.*; do
    bn=$(basename ${f})
    ln -s ../${bn} %{buildroot}%{pmddir}/${bn}
done
#mempool is a driver now from 16.07
mkdir -p %{buildroot}/%{pmddir}
for f in %{buildroot}/%{_libdir}/*_mempool_*.so.*; do
    bn=$(basename ${f})
    ln -s ../${bn} %{buildroot}%{pmddir}/${bn}
done

# Setup RTE_SDK environment as expected by apps etc
mkdir -p %{buildroot}/%{_sysconfdir}/profile.d
cat << EOF > %{buildroot}/%{_sysconfdir}/profile.d/dpdk-sdk-%{_arch}.sh
if [ -z "\${RTE_SDK}" ]; then
    export RTE_SDK="%{sdkdir}"
    export RTE_TARGET="%{target}"
    export RTE_INCLUDE="%{incdir}"
fi
EOF

cat << EOF > %{buildroot}/%{_sysconfdir}/profile.d/dpdk-sdk-%{_arch}.csh
if ( ! \${?RTE_SDK} ) then
    setenv RTE_SDK "%{sdkdir}"
    setenv RTE_TARGET "%{target}"
    setenv RTE_INCLUDE "%{incdir}"
endif
EOF

# Fixup target machine mismatch
sed -i -e 's:-%{machine}-:-%{machine2}-:g' %{buildroot}/%{_sysconfdir}/profile.d/dpdk-sdk*

#doc
mkdir %{buildroot}%{_docdir}/
mv   %{buildroot}%{_datadir}/doc/dpdk %{buildroot}%{_docdir}/

ln -s %{_bindir}/dpdk-procinfo %{buildroot}%{_bindir}/dpdk_proc_info
ln -s %{_sbindir}/dpdk-devbind %{buildroot}%{_sbindir}/dpdk_nic_bind

# Remove duplicates
%fdupes %{buildroot}/%{_prefix}

%post devel -p /sbin/ldconfig
%postun devel -p /sbin/ldconfig
%post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig

%files
%defattr(-,root,root)
# BSD
%{_bindir}/testpmd
%{_bindir}/testbbdev
%{_bindir}/testsad
%{_bindir}/dpdk-procinfo
%{_bindir}/dpdk_proc_info
%{_bindir}/dpdk-pdump

%files -n %{lname}
%defattr(-,root,root)
%if %{with shared}
%{_libdir}/*.so.*
%{pmddir}
%endif

%files doc
%defattr(-,root,root)
#BSD
%docdir
%doc license/gpl-2.0.txt license/lgpl-2.1.txt

%files devel
%defattr(-,root,root)
#BSD
%{incdir}/
%{sdkdir}
%if %{with tools}
%exclude %{sdkdir}/usertools/
%endif
%if %{with examples}
%exclude %{sdkdir}/examples/
%endif
%{_sysconfdir}/profile.d/dpdk-sdk-*.*
%if ! %{with shared}
%{_libdir}/*.a
%else
%{_libdir}/*.so
%endif

%if %{with tools}
%files tools
%defattr(-,root,root)
%{sdkdir}/usertools/
%{_sbindir}/dpdk-devbind
%{_sbindir}/dpdk_nic_bind
%{_bindir}/dpdk-test-eventdev
%{_bindir}/dpdk-test-compress-perf
%{_bindir}/dpdk-test-crypto-perf
%endif

%if %{with examples}
%files examples
%defattr(-,root,root)
%{_bindir}/dpdk_example_*
%doc %{sdkdir}/examples
%endif

%changelog
++++++ 0001-fix-cpu-compatibility.patch ++++++
>From e2950fec9cd9c235a7847ed97b6914174857bf93 Mon Sep 17 00:00:00 2001
From: "mvarl...@suse.de" <mvarl...@suse.de>
Date: Wed, 29 Apr 2020 12:24:16 +0200
Subject: [PATCH] fix cpu compatibility

---
 drivers/bus/vdev/vdev.c                    |  4 ++++
 lib/librte_eal/common/eal_common_bus.c     |  5 ++++-
 lib/librte_eal/common/include/rte_common.h | 14 +++++++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/vdev/vdev.c b/drivers/bus/vdev/vdev.c
index a89ea2353..cf8e8dca6 100644
--- a/drivers/bus/vdev/vdev.c
+++ b/drivers/bus/vdev/vdev.c
@@ -55,7 +55,11 @@ static struct vdev_custom_scans vdev_custom_scans =
 static rte_spinlock_t vdev_custom_scan_lock = RTE_SPINLOCK_INITIALIZER;
 
 /* register a driver */
+#if defined(__x86_64__) ||  defined(__i386__)
+void __attribute__((target ("sse2")))
+#else
 void
+#endif
 rte_vdev_register(struct rte_vdev_driver *driver)
 {
        TAILQ_INSERT_TAIL(&vdev_driver_list, driver, next);
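Review bot: the `#if defined(__x86_64__) ||  defined(__i386__)` block in front of rte_vdev_register() has no comment, and the commit message has no body, so nothing records which CPU incompatibility `target ("sse2")` is meant to address. Add a short comment or a message body naming the failing case. This hunk also uses only `target ("sse2")`, while the RTE_INIT_PRIO hunk in rte_common.h additionally sets `no-sse3` and `no-sse4`; if the goal is the same, use the same attribute set in both places.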
diff --git a/lib/librte_eal/common/eal_common_bus.c 
b/lib/librte_eal/common/eal_common_bus.c
index baa5b532a..58f3fdbaa 100644
--- a/lib/librte_eal/common/eal_common_bus.c
+++ b/lib/librte_eal/common/eal_common_bus.c
@@ -15,8 +15,11 @@
 
 static struct rte_bus_list rte_bus_list =
        TAILQ_HEAD_INITIALIZER(rte_bus_list);
-
+#if defined(__x86_64__) ||  defined(__i386__)
+void __attribute__((target ("sse2")))
+#else
 void
+#endif
 rte_bus_register(struct rte_bus *bus)
 {
        RTE_VERIFY(bus);
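Review bot: the four-line `#if`/`#else` wrapper around the return type of rte_bus_register() is a copy of the one added in vdev.c; define the attribute once (for example as a macro next to RTE_INIT_PRIO in rte_common.h) and use it in both functions so the two copies cannot drift apart. The hunk also removes the blank line between the `rte_bus_list` initializer and the function, which is worth keeping for readability.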
diff --git a/lib/librte_eal/common/include/rte_common.h 
b/lib/librte_eal/common/include/rte_common.h
index c35283807..8f4f98ed4 100644
--- a/lib/librte_eal/common/include/rte_common.h
+++ b/lib/librte_eal/common/include/rte_common.h
@@ -107,8 +107,20 @@ typedef uint16_t unaligned_uint16_t;
  *   Lowest number is the first to run.
  */
 #ifndef RTE_INIT_PRIO /* Allow to override from EAL */
+#if defined(__x86_64__) ||  defined(__i386__)
 #define RTE_INIT_PRIO(func, prio) \
-static void __attribute__((constructor(RTE_PRIO(prio)), used)) func(void)
+static void \
+       __attribute__((constructor(RTE_PRIO(prio)), used)) \
+       __attribute__((target ("sse2"))) \
+       __attribute__((target ("no-sse3"))) \
+       __attribute__((target ("no-sse4"))) \
+       func(void)
+#else
+#define RTE_INIT_PRIO(func, prio) \
+static void \
+       __attribute__((constructor(RTE_PRIO(prio)), used)) \
+       func(void)
+#endif
 #endif
 
 /**
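Review bot: both branches of the new `#if` repeat the whole RTE_INIT_PRIO definition and differ only in the three `target` attributes; put the x86-only attributes into a helper macro that expands to nothing on other architectures, so the constructor declaration is written once. The comment block above the macro should also mention the restriction, since every constructor declared through RTE_INIT_PRIO on x86 is now built with these target options.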
-- 
2.16.4

++++++ 0001-vhost-crypto-fix-pool-allocation.patch ++++++
>From b04635713247368935040234d11d33914312096c Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zh...@intel.com>
Date: Tue, 14 Apr 2020 16:19:51 +0100
Subject: [PATCH 1/6] vhost/crypto: fix pool allocation

This patch fixes the missing iv space allocation in crypto
operation mempool.

Fixes: 709521f4c2cd ("examples/vhost_crypto: support multi-core")
Cc: sta...@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
Acked-by: Chenbo Xia <chenbo....@intel.com>
---
 examples/vhost_crypto/main.c        | 2 +-
 lib/librte_vhost/rte_vhost_crypto.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/examples/vhost_crypto/main.c b/examples/vhost_crypto/main.c
index 1d7ba9419..11b022e81 100644
--- a/examples/vhost_crypto/main.c
+++ b/examples/vhost_crypto/main.c
@@ -544,7 +544,7 @@ main(int argc, char *argv[])
                snprintf(name, 127, "COPPOOL_%u", lo->lcore_id);
                info->cop_pool = rte_crypto_op_pool_create(name,
                                RTE_CRYPTO_OP_TYPE_SYMMETRIC, NB_MEMPOOL_OBJS,
-                               NB_CACHE_OBJS, 0,
+                               NB_CACHE_OBJS, VHOST_CRYPTO_MAX_IV_LEN,
                                rte_lcore_to_socket_id(lo->lcore_id));
 
                if (!info->cop_pool) {
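Review bot: reserving `VHOST_CRYPTO_MAX_IV_LEN` bytes of private space per crypto op in the rte_crypto_op_pool_create() call only helps if the IV length taken from the request is bounded by the same constant, and nothing in this patch enforces that; the `iv_len <= VHOST_CRYPTO_MAX_IV_LEN` test only arrives with patch 3/6. State in the commit message that the two patches must be applied together, or move the bound check into this patch.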
diff --git a/lib/librte_vhost/rte_vhost_crypto.h 
b/lib/librte_vhost/rte_vhost_crypto.h
index d29871c7e..866a592a5 100644
--- a/lib/librte_vhost/rte_vhost_crypto.h
+++ b/lib/librte_vhost/rte_vhost_crypto.h
@@ -10,6 +10,7 @@
 #define VHOST_CRYPTO_SESSION_MAP_ENTRIES       (1024) /**< Max nb sessions */
 /** max nb virtual queues in a burst for finalizing*/
 #define VIRTIO_CRYPTO_MAX_NUM_BURST_VQS                (64)
+#define VHOST_CRYPTO_MAX_IV_LEN                        (32)
 
 enum rte_vhost_crypto_zero_copy {
        RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE = 0,
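Review bot: `VHOST_CRYPTO_MAX_IV_LEN` is added to this header without a doc comment, while the two defines directly above it are documented. Add one in the same style that states what the limit applies to and its unit, so users of the header know it sizes the per-op IV area.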
-- 
2.26.2

++++++ 0002-vhost-crypto-fix-incorrect-descriptor-deduction.patch ++++++
>From b485f950c85374f4969c5fa380b574b34622df91 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zh...@intel.com>
Date: Tue, 14 Apr 2020 16:52:47 +0100
Subject: [PATCH 2/6] vhost/crypto: fix incorrect descriptor deduction

This patch fixes the incorrect descriptor deduction for vhost crypto.

CVE-2020-14378
Fixes: 16d2e718b8ce ("vhost/crypto: fix possible out of bound access")
Cc: sta...@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
Acked-by: Chenbo Xia <chenbo....@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 0f9df4059..86747dd5f 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -530,13 +530,14 @@ move_desc(struct vring_desc *head, struct vring_desc 
**cur_desc,
        int left = size - desc->len;
 
        while ((desc->flags & VRING_DESC_F_NEXT) && left > 0) {
-               (*nb_descs)--;
                if (unlikely(*nb_descs == 0 || desc->next >= vq_size))
                        return -1;
 
                desc = &head[desc->next];
                rte_prefetch0(&head[desc->next]);
                left -= desc->len;
+               if (left > 0)
+                       (*nb_descs)--;
        }
 
        if (unlikely(left > 0))
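Review bot: with the decrement moved below `left -= desc->len` and guarded by `if (left > 0)`, the `*nb_descs == 0` test at the top of the loop now runs before the count is reduced, so what `*nb_descs` counts has changed and neither the code nor the commit message says what it is. Add a comment above the loop stating the invariant, for instance whether the descriptor that completes `size` is charged to this call or to the caller. Separately, `left` is a signed `int` that is reduced by `desc->len` values read from the descriptor ring, so it is worth confirming that the subtraction cannot wrap.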
-- 
2.26.2

++++++ 0003-vhost-crypto-fix-missed-request-check-for-copy-mode.patch ++++++
>From 50d3b2ef804fed4c46515dc67ec51d4b08c4165b Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zh...@intel.com>
Date: Tue, 14 Apr 2020 17:26:48 +0100
Subject: [PATCH 3/6] vhost/crypto: fix missed request check for copy mode

This patch fixes the missed request check to vhost crypto
copy mode.

CVE-2020-14376
CVE-2020-14377
Fixes: 3bb595ecd682 ("vhost/crypto: add request handler")
Cc: sta...@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
Acked-by: Chenbo Xia <chenbo....@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 68 +++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 21 deletions(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 86747dd5f..494f49084 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -756,7 +756,7 @@ prepare_write_back_data(struct vhost_crypto_data_req 
*vc_req,
                }
 
                wb_data->dst = dst;
-               wb_data->len = desc->len - offset;
+               wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
                write_back_len -= wb_data->len;
                src += offset + wb_data->len;
                offset = 0;
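Review bot: `RTE_MIN(desc->len - offset, write_back_len)` caps the length, but `desc->len - offset` is still evaluated first; if both are unsigned and `offset` can exceed `desc->len` here, the subtraction wraps and the result silently becomes `write_back_len`. If a check outside this hunk already guarantees `offset <= desc->len`, say so in a comment; otherwise add that check before the assignment.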
@@ -840,6 +840,17 @@ prepare_write_back_data(struct vhost_crypto_data_req 
*vc_req,
        return NULL;
 }
 
+static __rte_always_inline uint8_t
+vhost_crypto_check_cipher_request(struct virtio_crypto_cipher_data_req *req)
+{
+       if (likely((req->para.iv_len <= VHOST_CRYPTO_MAX_IV_LEN) &&
+               (req->para.src_data_len <= RTE_MBUF_DEFAULT_BUF_SIZE) &&
+               (req->para.dst_data_len >= req->para.src_data_len) &&
+               (req->para.dst_data_len <= RTE_MBUF_DEFAULT_BUF_SIZE)))
+               return VIRTIO_CRYPTO_OK;
+       return VIRTIO_CRYPTO_BADMSG;
+}
+
 static uint8_t
 prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
                struct vhost_crypto_data_req *vc_req,
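Review bot: vhost_crypto_check_cipher_request() bounds `src_data_len` and `dst_data_len` by `RTE_MBUF_DEFAULT_BUF_SIZE`, whereas vhost_crypto_check_chain_request() later in this patch uses `RTE_MBUF_DEFAULT_DATAROOM` for the same fields. `RTE_MBUF_DEFAULT_BUF_SIZE` includes the mbuf headroom, so the cipher path accepts lengths larger than the data room; use the same bound in both helpers or explain in a comment why they differ.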
@@ -851,7 +862,10 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
        struct vhost_crypto_writeback_data *ewb = NULL;
        struct rte_mbuf *m_src = op->sym->m_src, *m_dst = op->sym->m_dst;
        uint8_t *iv_data = rte_crypto_op_ctod_offset(op, uint8_t *, IV_OFFSET);
-       uint8_t ret = 0;
+       uint8_t ret = vhost_crypto_check_cipher_request(cipher);
+
+       if (unlikely(ret != VIRTIO_CRYPTO_OK))
+               goto error_exit;
 
        /* prepare */
        /* iv */
@@ -861,10 +875,9 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
                goto error_exit;
        }
 
-       m_src->data_len = cipher->para.src_data_len;
-
        switch (vcrypto->option) {
        case RTE_VHOST_CRYPTO_ZERO_COPY_ENABLE:
+               m_src->data_len = cipher->para.src_data_len;
                m_src->buf_iova = gpa_to_hpa(vcrypto->dev, desc->addr,
                                cipher->para.src_data_len);
                m_src->buf_addr = get_data_ptr(vc_req, desc, VHOST_ACCESS_RO);
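Review bot: moving `m_src->data_len = cipher->para.src_data_len;` from above the `switch` into the `RTE_VHOST_CRYPTO_ZERO_COPY_ENABLE` case means every case now has to remember to set it. Since the length is validated at the top of the function by this patch, the single assignment before the `switch` could stay; if there is a reason it must move, a short comment would help.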
@@ -886,13 +899,7 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
                break;
        case RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE:
                vc_req->wb_pool = vcrypto->wb_pool;
-
-               if (unlikely(cipher->para.src_data_len >
-                               RTE_MBUF_DEFAULT_BUF_SIZE)) {
-                       VC_LOG_ERR("Not enough space to do data copy");
-                       ret = VIRTIO_CRYPTO_ERR;
-                       goto error_exit;
-               }
+               m_src->data_len = cipher->para.src_data_len;
                if (unlikely(copy_data(rte_pktmbuf_mtod(m_src, uint8_t *),
                                vc_req, &desc, cipher->para.src_data_len,
                                nb_descs, vq_size) < 0)) {
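Review bot: removing the inline `src_data_len > RTE_MBUF_DEFAULT_BUF_SIZE` check in the `RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE` case changes the status for an oversized request from `VIRTIO_CRYPTO_ERR` to the `VIRTIO_CRYPTO_BADMSG` returned by the new helper. That is visible to the guest, so it should be stated in the commit message. The `copy_data()` call that follows now relies entirely on the check at function entry, which deserves a one-line comment here.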
@@ -975,6 +982,29 @@ prepare_sym_cipher_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
        return ret;
 }
 
+static __rte_always_inline uint8_t
+vhost_crypto_check_chain_request(struct virtio_crypto_alg_chain_data_req *req)
+{
+       if (likely((req->para.iv_len <= VHOST_CRYPTO_MAX_IV_LEN) &&
+               (req->para.src_data_len <= RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.dst_data_len >= req->para.src_data_len) &&
+               (req->para.dst_data_len <= RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.cipher_start_src_offset <
+                       RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.len_to_cipher < RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.hash_start_src_offset <
+                       RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.len_to_hash < RTE_MBUF_DEFAULT_DATAROOM) &&
+               (req->para.cipher_start_src_offset + req->para.len_to_cipher <=
+                       req->para.src_data_len) &&
+               (req->para.hash_start_src_offset + req->para.len_to_hash <=
+                       req->para.src_data_len) &&
+               (req->para.dst_data_len + req->para.hash_result_len <=
+                       RTE_MBUF_DEFAULT_DATAROOM)))
+               return VIRTIO_CRYPTO_OK;
+       return VIRTIO_CRYPTO_BADMSG;
+}
+
 static uint8_t
 prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct rte_crypto_op *op,
                struct vhost_crypto_data_req *vc_req,
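Review bot: in `vhost_crypto_check_chain_request()` the last condition, `req->para.dst_data_len + req->para.hash_result_len <= RTE_MBUF_DEFAULT_DATAROOM`, adds a field that has no bound of its own. If these fields are 32-bit, a very large `hash_result_len` makes the sum wrap and pass the comparison. Bound `hash_result_len` individually before the sum, as is done for the cipher and hash offsets and lengths. Those earlier sums are only safe because each operand is checked first in the `&&` chain, so a comment saying the order is deliberate would protect it from later reordering.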
@@ -988,7 +1018,10 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
        uint8_t *iv_data = rte_crypto_op_ctod_offset(op, uint8_t *, IV_OFFSET);
        uint32_t digest_offset;
        void *digest_addr;
-       uint8_t ret = 0;
+       uint8_t ret = vhost_crypto_check_chain_request(chain);
+
+       if (unlikely(ret != VIRTIO_CRYPTO_OK))
+               goto error_exit;
 
        /* prepare */
        /* iv */
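Review bot: the new early `goto error_exit` runs while `digest_offset` and `digest_addr` are still uninitialised (both are declared above without a value). Please confirm that the `error_exit` path does not read either of them, or initialise them at declaration. As in the cipher path, the rejection is silent; a `VC_LOG_ERR()` before the jump would help.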
@@ -998,10 +1031,9 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, struct 
rte_crypto_op *op,
                goto error_exit;
        }
 
-       m_src->data_len = chain->para.src_data_len;
-
        switch (vcrypto->option) {
        case RTE_VHOST_CRYPTO_ZERO_COPY_ENABLE:
+               m_src->data_len = chain->para.src_data_len;
                m_dst->data_len = chain->para.dst_data_len;
 
                m_src->buf_iova = gpa_to_hpa(vcrypto->dev, desc->addr,
@@ -1023,13 +1055,7 @@ prepare_sym_chain_op(struct vhost_crypto *vcrypto, 
struct rte_crypto_op *op,
                break;
        case RTE_VHOST_CRYPTO_ZERO_COPY_DISABLE:
                vc_req->wb_pool = vcrypto->wb_pool;
-
-               if (unlikely(chain->para.src_data_len >
-                               RTE_MBUF_DEFAULT_BUF_SIZE)) {
-                       VC_LOG_ERR("Not enough space to do data copy");
-                       ret = VIRTIO_CRYPTO_ERR;
-                       goto error_exit;
-               }
+               m_src->data_len = chain->para.src_data_len;
                if (unlikely(copy_data(rte_pktmbuf_mtod(m_src, uint8_t *),
                                vc_req, &desc, chain->para.src_data_len,
                                nb_descs, vq_size) < 0)) {
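Review bot: the check removed from the chain copy path compared `src_data_len` against `RTE_MBUF_DEFAULT_BUF_SIZE`, but its replacement in `vhost_crypto_check_chain_request()` uses `RTE_MBUF_DEFAULT_DATAROOM`, so the accepted maximum for chain requests changes along with the refactoring. If that tightening is intended, it should be stated in the commit message rather than left implicit in the removal.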
-- 
2.26.2

++++++ 0004-vhost-crypto-fix-incorrect-write-back-source.patch ++++++
From 03aa702205544346d11ed7ca5693f9382ef51922 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zh...@intel.com>
Date: Wed, 15 Apr 2020 11:48:52 +0100
Subject: [PATCH 4/6] vhost/crypto: fix incorrect write back source

This patch fixes vhost crypto library for the incorrect source and
destination buffer calculation in the copy mode.

Fixes: cd1e8f03abf0 ("vhost/crypto: fix packet copy in chaining mode")
Cc: sta...@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
Acked-by: Chenbo Xia <chenbo....@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 494f49084..f1cc32a9b 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -749,14 +749,14 @@ prepare_write_back_data(struct vhost_crypto_data_req 
*vc_req,
                wb_data->src = src + offset;
                dlen = desc->len;
                dst = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr,
-                       &dlen, VHOST_ACCESS_RW) + offset;
+                       &dlen, VHOST_ACCESS_RW);
                if (unlikely(!dst || dlen != desc->len)) {
                        VC_LOG_ERR("Failed to map descriptor");
                        goto error_exit;
                }
 
-               wb_data->dst = dst;
-               wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
+               wb_data->dst = dst + offset;
+               wb_data->len = RTE_MIN(dlen - offset, write_back_len);
                write_back_len -= wb_data->len;
                src += offset + wb_data->len;
                offset = 0;
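Review bot: the commit message does not explain why `+ offset` moves from the `IOVA_TO_VVA()` result to `wb_data->dst = dst + offset;`. With the old form the `!dst` test ran on an already offset pointer, so a failed mapping with a non-zero offset would not have been caught; that reasoning should be recorded. `RTE_MIN(dlen - offset, write_back_len)` also still assumes `offset <= dlen`, which the visible lines do not check.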
@@ -801,7 +801,7 @@ prepare_write_back_data(struct vhost_crypto_data_req 
*vc_req,
                        goto error_exit;
                }
 
-               wb_data->src = src;
+               wb_data->src = src + offset;
                wb_data->dst = dst;
                wb_data->len = RTE_MIN(desc->len - offset, write_back_len);
                write_back_len -= wb_data->len;
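Review bot: this hunk corrects `wb_data->src` but leaves `wb_data->len = RTE_MIN(desc->len - offset, write_back_len);` on `desc->len`, while the first hunk of the same patch switched the equivalent line to `dlen - offset`. Use the mapped length in both places, or note why this loop can keep `desc->len`, so the two branches of `prepare_write_back_data()` do not drift apart.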
-- 
2.26.2

++++++ 0005-vhost-crypto-fix-data-length-check.patch ++++++
From 2fca489d58acfee297d0b9a7dc14e7fa119e8867 Mon Sep 17 00:00:00 2001
From: Fan Zhang <roy.fan.zh...@intel.com>
Date: Thu, 16 Apr 2020 11:29:06 +0100
Subject: [PATCH 5/6] vhost/crypto: fix data length check

This patch fixes the incorrect data length check in vhost crypto.
Instead of blindly accepting the descriptor length as data length, the
change compares the request-provided data length and descriptor length
first. The security issue CVE-2020-14374 is not fixed by this patch
alone; part of the fix is done through:
"vhost/crypto: fix missed request check for copy mode".

CVE-2020-14374
Fixes: 3c79609fda7c ("vhost/crypto: handle virtually non-contiguous buffers")
Cc: sta...@dpdk.org

Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
Acked-by: Chenbo Xia <chenbo....@intel.com>
---
 lib/librte_vhost/vhost_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index f1cc32a9b..cf9aa2566 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -624,7 +624,7 @@ copy_data(void *dst_data, struct vhost_crypto_data_req 
*vc_req,
                desc = &vc_req->head[desc->next];
                rte_prefetch0(&vc_req->head[desc->next]);
                to_copy = RTE_MIN(desc->len, (uint32_t)left);
-               dlen = desc->len;
+               dlen = to_copy;
                src = IOVA_TO_VVA(uint8_t *, vc_req, desc->addr, &dlen,
                                VHOST_ACCESS_RO);
                if (unlikely(!src || !dlen)) {
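Review bot: after `dlen = to_copy;` the only validation of the mapping is `!src || !dlen`, which catches a zero-length result but not a mapping shorter than `to_copy`. Make sure the code that follows copies `dlen` bytes and loops for the remainder rather than assuming `to_copy` bytes are mapped, or fail the request when `dlen < to_copy`. A comment on which of `to_copy` and `dlen` is authoritative after `IOVA_TO_VVA()` would make the intent clear.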
-- 
2.26.2

++++++ 0006-vhost-crypto-fix-possible-TOCTOU-attack.patch ++++++
++++ 801 lines (skipped)

++++++ _constraints ++++++
<?xml version="1.0"?>
<constraints>
        <overwrite>
                <conditions>
                        <arch>i586</arch>
                        <arch>x86_64</arch>
                </conditions>
                <hardware>
                        <cpu>
                                <flag>mmx</flag>
                                <flag>sse</flag>
                                <flag>sse2</flag>
                                <flag>ssse3</flag>
                                <!-- TODO add SSE4.2 before that need to fix obs, patch on the way -->
                        </cpu>
                </hardware>
        </overwrite>
</constraints>

++++++ _multibuild ++++++
<multibuild>
  <package>thunderx</package>
</multibuild>
++++++ preamble ++++++
Requires: kernel-%1
Enhances: kernel-%1
Supplements: packageand(kernel-%1:%{-n*})
