* [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
@ 2021-06-15 10:38 Tudor Cornea
2021-06-21 4:20 ` Zhang, Qi Z
0 siblings, 1 reply; 3+ messages in thread
From: Tudor Cornea @ 2021-06-15 10:38 UTC (permalink / raw)
To: qiming.yang, qi.z.zhang; +Cc: dev, Tudor Cornea
The len variable, used in the computation of max_pkt_len could overflow,
if used to store the result of the following computation:
ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len
Since, we could define the mbuf size to have a large value (i.e 13312),
and ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned
above could potentially result in a value which might be bigger than
MAX_USHORT.
The result will be that Jumbo Frames will not work properly
Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>
---
drivers/net/ice/ice_dcf_ethdev.c | 7 ++++---
drivers/net/ice/ice_rxtx.c | 6 +++---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ice/ice_dcf_ethdev.c b/drivers/net/ice/ice_dcf_ethdev.c
index b937cbb..f73dc80 100644
--- a/drivers/net/ice/ice_dcf_ethdev.c
+++ b/drivers/net/ice/ice_dcf_ethdev.c
@@ -54,13 +54,14 @@ ice_dcf_init_rxq(struct rte_eth_dev *dev, struct ice_rx_queue *rxq)
struct ice_dcf_adapter *dcf_ad = dev->data->dev_private;
struct rte_eth_dev_data *dev_data = dev->data;
struct iavf_hw *hw = &dcf_ad->real_hw.avf;
- uint16_t buf_size, max_pkt_len, len;
+ uint16_t buf_size, max_pkt_len;
buf_size = rte_pktmbuf_data_room_size(rxq->mp) - RTE_PKTMBUF_HEADROOM;
rxq->rx_hdr_len = 0;
rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
- len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
- max_pkt_len = RTE_MIN(len, dev->data->dev_conf.rxmode.max_rx_pkt_len);
+ max_pkt_len = RTE_MIN((uint32_t)
+ ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
+ dev->data->dev_conf.rxmode.max_rx_pkt_len);
/* Check if the jumbo frame and maximum packet length are set
* correctly.
diff --git a/drivers/net/ice/ice_rxtx.c b/drivers/net/ice/ice_rxtx.c
index fc9bb5a..20352b0 100644
--- a/drivers/net/ice/ice_rxtx.c
+++ b/drivers/net/ice/ice_rxtx.c
@@ -258,7 +258,7 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
struct rte_eth_dev_data *dev_data = rxq->vsi->adapter->pf.dev_data;
struct ice_rlan_ctx rx_ctx;
enum ice_status err;
- uint16_t buf_size, len;
+ uint16_t buf_size;
struct rte_eth_rxmode *rxmode = &dev_data->dev_conf.rxmode;
uint32_t rxdid = ICE_RXDID_COMMS_OVS;
uint32_t regval;
@@ -268,8 +268,8 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
RTE_PKTMBUF_HEADROOM);
rxq->rx_hdr_len = 0;
rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
- len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
- rxq->max_pkt_len = RTE_MIN(len,
+ rxq->max_pkt_len = RTE_MIN((uint32_t)
+ ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
dev_data->dev_conf.rxmode.max_rx_pkt_len);
if (rxmode->offloads & DEV_RX_OFFLOAD_JUMBO_FRAME) {
--
2.7.4
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
2021-06-15 10:38 [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len Tudor Cornea
@ 2021-06-21 4:20 ` Zhang, Qi Z
0 siblings, 0 replies; 3+ messages in thread
From: Zhang, Qi Z @ 2021-06-21 4:20 UTC (permalink / raw)
To: Tudor Cornea, Yang, Qiming; +Cc: dev, Tudor Cornea
> -----Original Message-----
> From: Tudor Cornea <tudor.cornea.keysight@gmail.com>
> Sent: Tuesday, June 15, 2021 6:39 PM
> To: Yang, Qiming <qiming.yang@intel.com>; Zhang, Qi Z
> <qi.z.zhang@intel.com>
> Cc: dev@dpdk.org; Tudor Cornea <tudor.cornea@keysight.com>
> Subject: [PATCH] net/ice: fix integer overflow when computing max_pkt_len
>
> The len variable, used in the computation of max_pkt_len could overflow, if
> used to store the result of the following computation:
>
> ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len
>
> Since, we could define the mbuf size to have a large value (i.e 13312), and
> ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned above
> could potentially result in a value which might be bigger than MAX_USHORT.
>
> The result will be that Jumbo Frames will not work properly
>
> Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
Applied to dpdk-next-net-intel after adding missing fixline and cc stable
Fixes: 1b009275e2c8 ("net/ice: add Rx queue init in DCF")
Cc: stable@dpdk.org
Thanks
Qi
^ permalink raw reply [flat|nested] 3+ messages in thread
* [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len
@ 2021-06-15 9:58 Tudor Cornea
0 siblings, 0 replies; 3+ messages in thread
From: Tudor Cornea @ 2021-06-15 9:58 UTC (permalink / raw)
To: dev, qiming.yang, qi.z.zhang
Greetings,
Please review the following patch for the dpdk-next-net-intel branch.
The len variable, used in the computation of max_pkt_len could overflow,
if used to store the result of the following computation:
ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len
Since, we could define the mbuf size to have a large value (i.e 13312),
and ICE_SUPPORT_CHAIN_NUM is defined as 5, the computation mentioned
above could potentially result in a value which might be bigger than
MAX_USHORT.
The result will be that Jumbo Frames will not work properly
Signed-off-by: Tudor Cornea <tudor.cornea@keysight.com>
---
drivers/net/ice/ice_dcf_ethdev.c | 7 ++++---
drivers/net/ice/ice_rxtx.c | 6 +++---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ice/ice_dcf_ethdev.c
b/drivers/net/ice/ice_dcf_ethdev.c
index b937cbb..f73dc80 100644
--- a/drivers/net/ice/ice_dcf_ethdev.c
+++ b/drivers/net/ice/ice_dcf_ethdev.c
@@ -54,13 +54,14 @@ ice_dcf_init_rxq(struct rte_eth_dev *dev, struct
ice_rx_queue *rxq)
struct ice_dcf_adapter *dcf_ad = dev->data->dev_private;
struct rte_eth_dev_data *dev_data = dev->data;
struct iavf_hw *hw = &dcf_ad->real_hw.avf;
- uint16_t buf_size, max_pkt_len, len;
+ uint16_t buf_size, max_pkt_len;
buf_size = rte_pktmbuf_data_room_size(rxq->mp) -
RTE_PKTMBUF_HEADROOM;
rxq->rx_hdr_len = 0;
rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
- len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
- max_pkt_len = RTE_MIN(len,
dev->data->dev_conf.rxmode.max_rx_pkt_len);
+ max_pkt_len = RTE_MIN((uint32_t)
+ ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
+ dev->data->dev_conf.rxmode.max_rx_pkt_len);
/* Check if the jumbo frame and maximum packet length are set
* correctly.
diff --git a/drivers/net/ice/ice_rxtx.c b/drivers/net/ice/ice_rxtx.c
index fc9bb5a..20352b0 100644
--- a/drivers/net/ice/ice_rxtx.c
+++ b/drivers/net/ice/ice_rxtx.c
@@ -258,7 +258,7 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
struct rte_eth_dev_data *dev_data = rxq->vsi->adapter->pf.dev_data;
struct ice_rlan_ctx rx_ctx;
enum ice_status err;
- uint16_t buf_size, len;
+ uint16_t buf_size;
struct rte_eth_rxmode *rxmode = &dev_data->dev_conf.rxmode;
uint32_t rxdid = ICE_RXDID_COMMS_OVS;
uint32_t regval;
@@ -268,8 +268,8 @@ ice_program_hw_rx_queue(struct ice_rx_queue *rxq)
RTE_PKTMBUF_HEADROOM);
rxq->rx_hdr_len = 0;
rxq->rx_buf_len = RTE_ALIGN(buf_size, (1 << ICE_RLAN_CTX_DBUF_S));
- len = ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len;
- rxq->max_pkt_len = RTE_MIN(len,
+ rxq->max_pkt_len = RTE_MIN((uint32_t)
+ ICE_SUPPORT_CHAIN_NUM * rxq->rx_buf_len,
dev_data->dev_conf.rxmode.max_rx_pkt_len);
if (rxmode->offloads & DEV_RX_OFFLOAD_JUMBO_FRAME) {
--
2.7.4
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-21 4:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-15 10:38 [dpdk-dev] [PATCH] net/ice: fix integer overflow when computing max_pkt_len Tudor Cornea
2021-06-21 4:20 ` Zhang, Qi Z
-- strict thread matches above, loose matches on Subject: below --
2021-06-15 9:58 Tudor Cornea
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).