mbuf: fix external mbufs pool boundaries
diff mbox series

Message ID 1591025056-16031-1-git-send-email-akozyrev@mellanox.com
State Accepted
Delegated to: Thomas Monjalon
Headers show
Series
  • mbuf: fix external mbufs pool boundaries
Related show

Checks

Context Check Description
ci/Intel-compilation success Compilation OK
ci/iol-testing warning Testing issues
ci/iol-mellanox-Performance success Performance Testing PASS
ci/travis-robot success Travis build: passed
ci/iol-nxp-Performance success Performance Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/checkpatch success coding style OK

Commit Message

Alexander Kozyrev June 1, 2020, 3:24 p.m. UTC
Memzones are created in testpmd in order to test external data
buffers functionality. Each memzone is 2Mb in size and divided among
the pool of external memory buffers.

Memzone may not always be fully utilized because mbufs size can vary
and some space can be left unused at the tail of a memzone. This is
not handled properly and mbuf can get the address of this leftover
space since this address is still valid (part of memzone), but there
is not enough space to fit the whole packet data. As a result packet
data may overflow and cause the memory corruption.

Take mbuf size into account when distributing memory addresses from
a memzone to external mbufs. Skip the remaining tail in case there
is not enough room for a packet and move to a next memzone instead.

Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
Cc: stable@dpdk.org
Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
---
 lib/librte_mbuf/rte_mbuf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Olivier Matz June 8, 2020, 7:50 a.m. UTC | #1
On Mon, Jun 01, 2020 at 03:24:16PM +0000, Alexander Kozyrev wrote:
> Memzones are created in testpmd in order to test external data
> buffers functionality. Each memzone is 2Mb in size and divided among
> the pool of external memory buffers.
> 
> Memzone may not always be fully utilized because mbufs size can vary
> and some space can be left unused at the tail of a memzone. This is
> not handled properly and mbuf can get the address of this leftover
> space since this address is still valid (part of memzone), but there
> is not enough space to fit the whole packet data. As a result packet
> data may overflow and cause the memory corruption.
> 
> Take mbuf size into account when distributing memory addresses from
> a memzone to external mbufs. Skip the remaining tail in case there
> is not enough room for a packet and move to a next memzone instead.
> 
> Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
> Cc: stable@dpdk.org
> Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
> Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>

Acked-by: Olivier Matz <olivier.matz@6wind.com>

Thanks!
Thomas Monjalon June 11, 2020, 7:27 a.m. UTC | #2
08/06/2020 09:50, Olivier Matz:
> On Mon, Jun 01, 2020 at 03:24:16PM +0000, Alexander Kozyrev wrote:
> > Memzones are created in testpmd in order to test external data
> > buffers functionality. Each memzone is 2Mb in size and divided among
> > the pool of external memory buffers.
> > 
> > Memzone may not always be fully utilized because mbufs size can vary
> > and some space can be left unused at the tail of a memzone. This is
> > not handled properly and mbuf can get the address of this leftover
> > space since this address is still valid (part of memzone), but there
> > is not enough space to fit the whole packet data. As a result packet
> > data may overflow and cause the memory corruption.
> > 
> > Take mbuf size into account when distributing memory addresses from
> > a memzone to external mbufs. Skip the remaining tail in case there
> > is not enough room for a packet and move to a next memzone instead.
> > 
> > Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
> > Cc: stable@dpdk.org
> > Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
> > Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
> 
> Acked-by: Olivier Matz <olivier.matz@6wind.com>

Applied, thanks

Note: there is a blank line between Fixes/Cc block and Signed/Acked block.

Patch
diff mbox series

diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c
index 220eb2f..ae91ae2 100644
--- a/lib/librte_mbuf/rte_mbuf.c
+++ b/lib/librte_mbuf/rte_mbuf.c
@@ -191,14 +191,14 @@  struct rte_pktmbuf_extmem_init_ctx {
 	ext_mem = ctx->ext_mem + ctx->ext;
 
 	RTE_ASSERT(ctx->ext < ctx->ext_num);
-	RTE_ASSERT(ctx->off < ext_mem->buf_len);
+	RTE_ASSERT(ctx->off + ext_mem->elt_size <= ext_mem->buf_len);
 
 	m->buf_addr = RTE_PTR_ADD(ext_mem->buf_ptr, ctx->off);
 	m->buf_iova = ext_mem->buf_iova == RTE_BAD_IOVA ?
 		      RTE_BAD_IOVA : (ext_mem->buf_iova + ctx->off);
 
 	ctx->off += ext_mem->elt_size;
-	if (ctx->off >= ext_mem->buf_len) {
+	if (ctx->off + ext_mem->elt_size > ext_mem->buf_len) {
 		ctx->off = 0;
 		++ctx->ext;
 	}