From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id EA3B5A04EF; Mon, 1 Jun 2020 17:24:33 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 2C23A1C11F; Mon, 1 Jun 2020 17:24:32 +0200 (CEST) Received: from mellanox.co.il (mail-il-dmz.mellanox.com [193.47.165.129]) by dpdk.org (Postfix) with ESMTP id 18B301C116 for ; Mon, 1 Jun 2020 17:24:30 +0200 (CEST) Received: from Internal Mail-Server by MTLPINE2 (envelope-from akozyrev@mellanox.com) with ESMTPS (AES256-SHA encrypted); 1 Jun 2020 18:24:26 +0300 Received: from pegasus02.mtr.labs.mlnx. (pegasus02.mtr.labs.mlnx [10.210.16.122]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id 051FOQhL001179; Mon, 1 Jun 2020 18:24:26 +0300 From: Alexander Kozyrev To: dev@dpdk.org Cc: stable@dpdk.org, rasland@mellanox.com, viacheslavo@mellanox.com, olivier.matz@6wind.com Date: Mon, 1 Jun 2020 15:24:16 +0000 Message-Id: <1591025056-16031-1-git-send-email-akozyrev@mellanox.com> X-Mailer: git-send-email 1.8.3.1 Subject: [dpdk-dev] [PATCH] mbuf: fix external mbufs pool boundaries X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Memzones are created in testpmd in order to test external data buffers functionality. Each memzone is 2Mb in size and divided among the pool of external memory buffers. Memzone may not always be fully utilized because mbufs size can vary and some space can be left unused at the tail of a memzone. This is not handled properly and mbuf can get the address of this leftover space since this address is still valid (part of memzone), but there is not enough space to fit the whole packet data. As a result packet data may overflow and cause the memory corruption. Take mbuf size into account when distributing memory addresses from a memzone to external mbufs. Skip the remaining tail in case there is not enough room for a packet and move to a next memzone instead. Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers") Cc: stable@dpdk.org Signed-off-by: Alexander Kozyrev Acked-by: Viacheslav Ovsiienko --- lib/librte_mbuf/rte_mbuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c index 220eb2f..ae91ae2 100644 --- a/lib/librte_mbuf/rte_mbuf.c +++ b/lib/librte_mbuf/rte_mbuf.c @@ -191,14 +191,14 @@ struct rte_pktmbuf_extmem_init_ctx { ext_mem = ctx->ext_mem + ctx->ext; RTE_ASSERT(ctx->ext < ctx->ext_num); - RTE_ASSERT(ctx->off < ext_mem->buf_len); + RTE_ASSERT(ctx->off + ext_mem->elt_size <= ext_mem->buf_len); m->buf_addr = RTE_PTR_ADD(ext_mem->buf_ptr, ctx->off); m->buf_iova = ext_mem->buf_iova == RTE_BAD_IOVA ? RTE_BAD_IOVA : (ext_mem->buf_iova + ctx->off); ctx->off += ext_mem->elt_size; - if (ctx->off >= ext_mem->buf_len) { + if (ctx->off + ext_mem->elt_size > ext_mem->buf_len) { ctx->off = 0; ++ctx->ext; } -- 1.8.3.1