From: Jie Hai <haijie1@huawei.com>
To: <dev@dpdk.org>, Yisen Zhuang <yisen.zhuang@huawei.com>,
"Wei Hu (Xavier)" <xavier.huwei@huawei.com>,
Huisong Li <lihuisong@huawei.com>,
Chengwen Feng <fengchengwen@huawei.com>,
Dongdong Liu <liudongdong3@huawei.com>
Cc: <huangdengdui@huawei.com>
Subject: [PATCH 3/8] net/hns3: fix segmentfault for NEON and SVE
Date: Fri, 27 Oct 2023 14:09:41 +0800 [thread overview]
Message-ID: <20231027060947.3183983-4-haijie1@huawei.com> (raw)
In-Reply-To: <20231027060947.3183983-1-haijie1@huawei.com>
From: Huisong Li <lihuisong@huawei.com>
Driver may fail to allocate bulk mbufs for Neon and SVE when rearm
mbuf. Currently, driver keeps going to handle packets even if there
isn't available descriptors to receive packets at this moment.
As a result, driver probably fills the mbufs with invalid data to
application and accesses to illegal address because of the VLD bit
of the descriptor at the "rx_rearm_start" position still being set.
So driver has to clear VLD bit for this descriptor in this scenario
in case of receiving packets later.
In addition, it is possible that the sum of the "rx_rearm_nb" and
"rx_rearm_start" is greater than total descriptor number of Rx queue
in the above scenario. So the index of rxq->sw_ring[] to set mbuf
pointer to NULL should also be fixed to avoid out-of-bounds memory
access.
Fixes: a3d4f4d291d7 ("net/hns3: support NEON Rx")
Fixes: f81a18f49152 ("net/hns3: fix mbuf leakage when RxQ started after reset")
Cc: stable@dpdk.org
Signed-off-by: Huisong Li <lihuisong@huawei.com>
---
drivers/net/hns3/hns3_rxtx.c | 2 +-
drivers/net/hns3/hns3_rxtx_vec.h | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/hns3/hns3_rxtx.c b/drivers/net/hns3/hns3_rxtx.c
index 13214d02d536..f28ca040be41 100644
--- a/drivers/net/hns3/hns3_rxtx.c
+++ b/drivers/net/hns3/hns3_rxtx.c
@@ -51,7 +51,7 @@ hns3_rx_queue_release_mbufs(struct hns3_rx_queue *rxq)
}
}
for (i = 0; i < rxq->rx_rearm_nb; i++)
- rxq->sw_ring[rxq->rx_rearm_start + i].mbuf = NULL;
+ rxq->sw_ring[(rxq->rx_rearm_start + i) % rxq->nb_rx_desc].mbuf = NULL;
}
for (i = 0; i < rxq->bulk_mbuf_num; i++)
diff --git a/drivers/net/hns3/hns3_rxtx_vec.h b/drivers/net/hns3/hns3_rxtx_vec.h
index a9a6774294ef..9018e79c2f92 100644
--- a/drivers/net/hns3/hns3_rxtx_vec.h
+++ b/drivers/net/hns3/hns3_rxtx_vec.h
@@ -106,6 +106,11 @@ hns3_rxq_rearm_mbuf(struct hns3_rx_queue *rxq)
if (unlikely(rte_mempool_get_bulk(rxq->mb_pool, (void *)rxep,
HNS3_DEFAULT_RXQ_REARM_THRESH) < 0)) {
+ /*
+ * Clear VLD bit for the first descriptor rearmed in case
+ * of going to receive packets later.
+ */
+ rxdp[0].rx.bd_base_info = 0;
rte_eth_devices[rxq->port_id].data->rx_mbuf_alloc_failed++;
return;
}
--
2.30.0
next prev parent reply other threads:[~2023-10-27 6:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-27 6:09 [PATCH 0/8] net/hns3: add some bugfix for hns3 Jie Hai
2023-10-27 6:09 ` [PATCH 1/8] net/hns3: fix a typo Jie Hai
2023-10-27 6:09 ` [PATCH 2/8] net/hns3: fix unchecked Rx free threshold Jie Hai
2023-10-27 6:09 ` Jie Hai [this message]
2023-10-27 6:09 ` [PATCH 4/8] net/hns3: fix double stats for IMP and global reset Jie Hai
2023-10-27 6:09 ` [PATCH 5/8] net/hns3: remove reset log in secondary Jie Hai
2023-10-27 6:09 ` [PATCH 6/8] net/hns3: fix multiple reset detected log Jie Hai
2023-10-27 6:09 ` [PATCH 7/8] net/hns3: fix the imp/global reset interrupted possibly Jie Hai
2023-10-27 6:09 ` [PATCH 8/8] net/hns3: refactor interrupt state query Jie Hai
2023-10-27 7:11 ` [PATCH 0/8] net/hns3: add some bugfix for hns3 fengchengwen
2023-10-27 19:29 ` Ferruh Yigit
2023-10-28 1:57 ` Jie Hai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231027060947.3183983-4-haijie1@huawei.com \
--to=haijie1@huawei.com \
--cc=dev@dpdk.org \
--cc=fengchengwen@huawei.com \
--cc=huangdengdui@huawei.com \
--cc=lihuisong@huawei.com \
--cc=liudongdong3@huawei.com \
--cc=xavier.huwei@huawei.com \
--cc=yisen.zhuang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).