diff mbox series

net/mlx5: fix mbufs replenishment check for zipped CQEs

Message ID	20210804062316.1688851-1-akozyrev@nvidia.com (mailing list archive)
State	Accepted, archived
Delegated to:	Raslan Darawsheh
Headers	Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.34 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.34; helo=mail.nvidia.com; From: Alexander Kozyrev <akozyrev@nvidia.com> To: <dev@dpdk.org> CC: <stable@dpdk.org>, <rasland@nvidia.com>, <viacheslavo@nvidia.com>, <matan@nvidia.com> Date: Wed, 4 Aug 2021 09:23:16 +0300 Message-ID: <20210804062316.1688851-1-akozyrev@nvidia.com> MIME-Version: 1.0 Content-Type: text/plain Subject: [dpdk-dev] [PATCH] net/mlx5: fix mbufs replenishment check for zipped CQEs Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	net/mlx5: fix mbufs replenishment check for zipped CQEs \| net/mlx5: fix mbufs replenishment check for zipped CQEs

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/github-robot	success	github build: passed
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS

Commit Message

Alexander Kozyrev Aug. 4, 2021, 6:23 a.m. UTC

  A core dump is being generated with the following call stack:
0 _mm256_storeu_si256 (__A=..., __P=0x80)
1 rte_mov32 (src=0x2299c9140 "", dst=0x80)
2 rte_memcpy_aligned (n=60, src=0x2299c9140, dst=0x80)
3 rte_memcpy (n=60, src=0x2299c9140, dst=0x80)
4 mprq_buf_to_pkt (strd_cnt=1, strd_idx=0, buf=0x2299c8a00, len=60,
pkt=0x18345f0c0, rxq=0x18345ef40)
5 rxq_copy_mprq_mbuf_v (rxq=0x18345ef40, pkts=0x7f76e0ff6d18, pkts_n=5)
6 rxq_burst_mprq_v (rxq=0x18345ef40, pkts=0x7f76e0ff6d18, pkts_n=46,
err=0x7f76e0ff6a28, no_cq=0x7f76e0ff6a27)
7 mlx5_rx_burst_mprq_vec (dpdk_rxq=0x18345ef40, pkts=0x7f76e0ff6a88,
pkts_n=128)
8 rte_eth_rx_burst (nb_pkts=128, rx_pkts=0x7f76e0ff6a88,
queue_id=<optimized out>, port_id=<optimized out>)

This crash is caused by an attempt to copy previously uncompressed CQEs
into non-allocated mbufs. There is a check to make sure we only use
allocated mbufs in the rxq_burst_mprq_v() function, but it is done only
before the main processing loop. Leftovers of compressed CQEs session are
handled before that loop and may lead to the mbufs overflow as seen.

Move the check for replenished mbufs up to protect uncompressed CQEs
session leftovers from accessing non-allocated mbufs after the
mlx5_rx_mprq_replenish_bulk_mbuf() function is invoked.

Bugzilla ID: 746
Fixes: 0f20acbf5e ("net/mlx5: implement vectorized MPRQ burst")
Cc: stable@dpdk.org

Signed-off-by: Alexander Kozyrev <akozyrev@nvidia.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
---
 drivers/net/mlx5/mlx5_rxtx_vec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Raslan Darawsheh Aug. 17, 2021, 9:48 a.m. UTC | #1

Hi,
> -----Original Message-----
> From: Alexander Kozyrev <akozyrev@nvidia.com>
> Sent: Wednesday, August 4, 2021 9:23 AM
> To: dev@dpdk.org
> Cc: stable@dpdk.org; Raslan Darawsheh <rasland@nvidia.com>; Slava
> Ovsiienko <viacheslavo@nvidia.com>; Matan Azrad <matan@nvidia.com>
> Subject: [PATCH] net/mlx5: fix mbufs replenishment check for zipped CQEs
> 
> A core dump is being generated with the following call stack:
> 0 _mm256_storeu_si256 (__A=..., __P=0x80)
> 1 rte_mov32 (src=0x2299c9140 "", dst=0x80)
> 2 rte_memcpy_aligned (n=60, src=0x2299c9140, dst=0x80)
> 3 rte_memcpy (n=60, src=0x2299c9140, dst=0x80)
> 4 mprq_buf_to_pkt (strd_cnt=1, strd_idx=0, buf=0x2299c8a00, len=60,
> pkt=0x18345f0c0, rxq=0x18345ef40)
> 5 rxq_copy_mprq_mbuf_v (rxq=0x18345ef40, pkts=0x7f76e0ff6d18,
> pkts_n=5)
> 6 rxq_burst_mprq_v (rxq=0x18345ef40, pkts=0x7f76e0ff6d18, pkts_n=46,
> err=0x7f76e0ff6a28, no_cq=0x7f76e0ff6a27)
> 7 mlx5_rx_burst_mprq_vec (dpdk_rxq=0x18345ef40, pkts=0x7f76e0ff6a88,
> pkts_n=128)
> 8 rte_eth_rx_burst (nb_pkts=128, rx_pkts=0x7f76e0ff6a88,
> queue_id=<optimized out>, port_id=<optimized out>)
> 
> This crash is caused by an attempt to copy previously uncompressed CQEs
> into non-allocated mbufs. There is a check to make sure we only use
> allocated mbufs in the rxq_burst_mprq_v() function, but it is done only
> before the main processing loop. Leftovers of compressed CQEs session are
> handled before that loop and may lead to the mbufs overflow as seen.
> 
> Move the check for replenished mbufs up to protect uncompressed CQEs
> session leftovers from accessing non-allocated mbufs after the
> mlx5_rx_mprq_replenish_bulk_mbuf() function is invoked.
> 
> Bugzilla ID: 746
> Fixes: 0f20acbf5e ("net/mlx5: implement vectorized MPRQ burst")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Alexander Kozyrev <akozyrev@nvidia.com>
> Acked-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>
> ---

Patch applied to next-net-mlx,

Kindest regards,
Raslan Darawsheh

diff mbox series

Patch

diff --git a/drivers/net/mlx5/mlx5_rxtx_vec.c b/drivers/net/mlx5/mlx5_rxtx_vec.c
index e1b6d5422a..ecd273e00a 100644
--- a/drivers/net/mlx5/mlx5_rxtx_vec.c
+++ b/drivers/net/mlx5/mlx5_rxtx_vec.c
@@ -448,6 +448,8 @@  rxq_burst_mprq_v(struct mlx5_rxq_data *rxq, struct rte_mbuf **pkts,
 	rte_prefetch0(cq + 3);
 	pkts_n = RTE_MIN(pkts_n, MLX5_VPMD_RX_MAX_BURST);
 	mlx5_rx_mprq_replenish_bulk_mbuf(rxq);
+	/* Not to move past the allocated mbufs. */
+	pkts_n = RTE_MIN(pkts_n, rxq->elts_ci - rxq->rq_pi);
 	/* See if there're unreturned mbufs from compressed CQE. */
 	rcvd_pkt = rxq->decompressed;
 	if (rcvd_pkt > 0) {
@@ -463,8 +465,6 @@  rxq_burst_mprq_v(struct mlx5_rxq_data *rxq, struct rte_mbuf **pkts,
 	/* Not to cross queue end. */
 	pkts_n = RTE_MIN(pkts_n, elts_n - elts_idx);
 	pkts_n = RTE_MIN(pkts_n, q_n - cq_idx);
-	/* Not to move past the allocated mbufs. */
-	pkts_n = RTE_MIN(pkts_n, rxq->elts_ci - rxq->rq_pi);
 	if (!pkts_n) {
 		*no_cq = !cp_pkt;
 		return cp_pkt;