mbuf: fix external mbufs pool boundaries
Commit Message
Memzones are created in testpmd in order to test external data
buffers functionality. Each memzone is 2Mb in size and divided among
the pool of external memory buffers.
Memzone may not always be fully utilized because mbufs size can vary
and some space can be left unused at the tail of a memzone. This is
not handled properly and mbuf can get the address of this leftover
space since this address is still valid (part of memzone), but there
is not enough space to fit the whole packet data. As a result packet
data may overflow and cause the memory corruption.
Take mbuf size into account when distributing memory addresses from
a memzone to external mbufs. Skip the remaining tail in case there
is not enough room for a packet and move to a next memzone instead.
Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
Cc: stable@dpdk.org
Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
---
lib/librte_mbuf/rte_mbuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
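The tail case described in the commit message, as an added example that is not part of the patch or of DPDK: a simplified model of the offset bookkeeping that compares the old wrap test with the new one. The struct, function names and the 2176-byte element size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of handing out elt_size-byte slices from a sequence of
 * equally sized zones. Hypothetical names, not the DPDK API. */
struct ext_ctx {
    size_t off; /* offset of the next buffer in the current zone */
    size_t ext; /* index of the current zone */
};

/* Assign one buffer; return how many bytes it extends past the zone end. */
static size_t assign_one(struct ext_ctx *ctx, size_t buf_len,
                         size_t elt_size, int fixed)
{
    size_t end = ctx->off + elt_size;
    size_t over = end > buf_len ? end - buf_len : 0;

    ctx->off += elt_size;
    /* old test: wrap only once the offset itself leaves the zone
     * new test: wrap as soon as the NEXT element would not fit */
    if (fixed ? (ctx->off + elt_size > buf_len) : (ctx->off >= buf_len)) {
        ctx->off = 0;
        ++ctx->ext;
    }
    return over;
}

/* Count buffers whose data area crosses the end of its zone. */
static size_t count_overruns(size_t buf_len, size_t elt_size,
                             size_t n_mbufs, int fixed)
{
    struct ext_ctx ctx = {0, 0};
    size_t bad = 0;

    for (size_t i = 0; i < n_mbufs; i++)
        if (assign_one(&ctx, buf_len, elt_size, fixed) > 0)
            bad++;
    return bad;
}

int main(void)
{
    size_t zone = 2u * 1024 * 1024; /* zone size from the commit message */
    size_t elt = 2176;              /* constructed: leaves a 1664-byte tail */

    printf("old test: %zu overrunning buffers\n", count_overruns(zone, elt, 2000, 0));
    printf("new test: %zu overrunning buffers\n", count_overruns(zone, elt, 2000, 1));
    return 0;
}
```

With these constructed sizes each zone holds 963 whole elements; the old test hands out a 964th that runs 512 bytes past the zone end.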
Comments
On Mon, Jun 01, 2020 at 03:24:16PM +0000, Alexander Kozyrev wrote:
> Memzones are created in testpmd in order to test external data
> buffers functionality. Each memzone is 2Mb in size and divided among
> the pool of external memory buffers.
>
> Memzone may not always be fully utilized because mbufs size can vary
> and some space can be left unused at the tail of a memzone. This is
> not handled properly and mbuf can get the address of this leftover
> space since this address is still valid (part of memzone), but there
> is not enough space to fit the whole packet data. As a result packet
> data may overflow and cause the memory corruption.
>
> Take mbuf size into account when distributing memory addresses from
> a memzone to external mbufs. Skip the remaining tail in case there
> is not enough room for a packet and move to a next memzone instead.
>
> Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
> Cc: stable@dpdk.org
> Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
> Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
Thanks!
08/06/2020 09:50, Olivier Matz:
> On Mon, Jun 01, 2020 at 03:24:16PM +0000, Alexander Kozyrev wrote:
> > Memzones are created in testpmd in order to test external data
> > buffers functionality. Each memzone is 2Mb in size and divided among
> > the pool of external memory buffers.
> >
> > Memzone may not always be fully utilized because mbufs size can vary
> > and some space can be left unused at the tail of a memzone. This is
> > not handled properly and mbuf can get the address of this leftover
> > space since this address is still valid (part of memzone), but there
> > is not enough space to fit the whole packet data. As a result packet
> > data may overflow and cause the memory corruption.
> >
> > Take mbuf size into account when distributing memory addresses from
> > a memzone to external mbufs. Skip the remaining tail in case there
> > is not enough room for a packet and move to a next memzone instead.
> >
> > Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
> > Cc: stable@dpdk.org
> > Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
> > Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
>
> Acked-by: Olivier Matz <olivier.matz@6wind.com>
Applied, thanks
Note: there is a blank line between Fixes/Cc block and Signed/Acked block.
@@ -191,14 +191,14 @@ struct rte_pktmbuf_extmem_init_ctx {
ext_mem = ctx->ext_mem + ctx->ext;
RTE_ASSERT(ctx->ext < ctx->ext_num);
- RTE_ASSERT(ctx->off < ext_mem->buf_len);
+ RTE_ASSERT(ctx->off + ext_mem->elt_size <= ext_mem->buf_len);
m->buf_addr = RTE_PTR_ADD(ext_mem->buf_ptr, ctx->off);
m->buf_iova = ext_mem->buf_iova == RTE_BAD_IOVA ?
RTE_BAD_IOVA : (ext_mem->buf_iova + ctx->off);
ctx->off += ext_mem->elt_size;
- if (ctx->off >= ext_mem->buf_len) {
+ if (ctx->off + ext_mem->elt_size > ext_mem->buf_len) {
ctx->off = 0;
++ctx->ext;
}
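Review bot: the wrap test `if (ctx->off + ext_mem->elt_size > ext_mem->buf_len)` only protects the second and later elements of a zone; the first element, placed at offset 0 after `ctx->off = 0; ++ctx->ext;`, is covered solely by the updated `RTE_ASSERT(ctx->off + ext_mem->elt_size <= ext_mem->buf_len)`, which is compiled out unless asserts are enabled. If a zone can ever be described with `buf_len` smaller than `elt_size`, that first buffer would still overrun in a normal build, so it is worth confirming that the pool-creation path rejects such a descriptor before this callback runs (not visible in this hunk), or adding that validation there. The same applies to `RTE_ASSERT(ctx->ext < ctx->ext_num)`: skipping tails means zones are consumed faster than before, so the caller's sizing of `ext_num` must count whole elements per zone rather than total bytes. A one-line comment above the new `if` stating that the unused tail of the zone is skipped on purpose would also help future readers.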