diff mbox series

[v1] net/memif: fix segfault with large burst size

Message ID	20230904071041.3403495-1-joyce.kong@arm.com (mailing list archive)
State	Accepted, archived
Delegated to:	Ferruh Yigit
Headers	From: Joyce Kong <joyce.kong@arm.com> To: Jakub Grajciar <jgrajcia@cisco.com>, =?utf-8?q?Morten_Br=C3=B8rup?= <mb@smartsharesystems.com>, Ruifeng Wang <ruifeng.wang@arm.com>, Joyce Kong <joyce.kong@arm.com> Cc: dev@dpdk.org, nd@arm.com, stable@dpdk.org, Feifei Wang <feifei.wang2@arm.com> Subject: [PATCH v1] net/memif: fix segfault with large burst size Date: Mon, 4 Sep 2023 07:10:41 +0000 Message-Id: <20230904071041.3403495-1-joyce.kong@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dev-bounces@dpdk.org
Series	[v1] net/memif: fix segfault with large burst size \| [v1] net/memif: fix segfault with large burst size

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/loongarch-compilation	success	Compilation OK
ci/loongarch-unit-testing	success	Unit Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/github-robot: build	success	github build: passed
ci/intel-Functional	success	Functional PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-compile-amd64-testing	success	Testing PASS
ci/iol-unit-amd64-testing	success	Testing PASS
ci/iol-sample-apps-testing	success	Testing PASS
ci/iol-compile-arm64-testing	success	Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-broadcom-Functional	success	Functional Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS

Commit Message

Joyce Kong Sept. 4, 2023, 7:10 a.m. UTC

  There will be a segfault when Rx burst size is greater than
MAX_PKT_BURST of memif. Fix the issue by correcting the
wrong mbuf index in eth_memif_rx, which results in accessing
invalid memory address.

Bugzilla ID: 1273
Fixes: aa17df860891 ("net/memif: add a Rx fast path")
Cc: stable@dpdk.org

Signed-off-by: Joyce Kong <joyce.kong@arm.com>
Reviewed-by: Feifei Wang <feifei.wang2@arm.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
---
 drivers/net/memif/rte_eth_memif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Ferruh Yigit Sept. 27, 2023, 4:37 p.m. UTC | #1

On 9/4/2023 8:10 AM, Joyce Kong wrote:
> There will be a segfault when Rx burst size is greater than
> MAX_PKT_BURST of memif. Fix the issue by correcting the
> wrong mbuf index in eth_memif_rx, which results in accessing
> invalid memory address.
> 
> Bugzilla ID: 1273
> Fixes: aa17df860891 ("net/memif: add a Rx fast path")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Joyce Kong <joyce.kong@arm.com>
> Reviewed-by: Feifei Wang <feifei.wang2@arm.com>
> Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
> ---
>  drivers/net/memif/rte_eth_memif.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
> index 6a8ff5b4eb..f595656af5 100644
> --- a/drivers/net/memif/rte_eth_memif.c
> +++ b/drivers/net/memif/rte_eth_memif.c
> @@ -356,7 +356,7 @@ eth_memif_rx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>  		rx_pkts = 0;
>  		pkts = nb_pkts < MAX_PKT_BURST ? nb_pkts : MAX_PKT_BURST;
>  		while (n_slots && rx_pkts < pkts) {
> -			mbuf_head = mbufs[n_rx_pkts];
> +			mbuf_head = mbufs[rx_pkts];
>  			mbuf = mbuf_head;
>  
>  next_slot1:

Hi Jakub,

Can you please look at this patch?

Thanks,
ferruh

Ferruh Yigit Sept. 29, 2023, 2:41 p.m. UTC | #2

On 9/4/2023 8:10 AM, Joyce Kong wrote:
> There will be a segfault when Rx burst size is greater than
> MAX_PKT_BURST of memif. Fix the issue by correcting the
> wrong mbuf index in eth_memif_rx, which results in accessing
> invalid memory address.
> 
> Bugzilla ID: 1273
> Fixes: aa17df860891 ("net/memif: add a Rx fast path")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Joyce Kong <joyce.kong@arm.com>
> Reviewed-by: Feifei Wang <feifei.wang2@arm.com>
> Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
> 

Hi Joyce, good catch.

Reviewed-by: Ferruh Yigit <ferruh.yigit@amd.com>

Applied to dpdk-next-net/main, thanks.

For record, if nb_pkts > MAX_PKT_BURST, memif buffer consumed in chunks
of MAX_PKT_BURST mbufs, next chunk consumption starts with 'goto
next_bulk' call.

For each chunk, MAX_PKT_BURST mbufs allocated and filled, they are
accessed by 'n_rx_pkts' index, but 'n_rx_pkts' is overall received mbuf
number, so it shouldn't be used as index for that chunk, but 'rx_pkts'
should be used which is reset at the beginning of the chunk processing.

For the first chunk using 'n_rx_pkts' or 'rx_pkts' are same, that
explains how issue lived till now, as commit log mentions issue can be
observed when nb_pkts > MAX_PKT_BURST.

diff mbox series

Patch

diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c
index 6a8ff5b4eb..f595656af5 100644
--- a/drivers/net/memif/rte_eth_memif.c
+++ b/drivers/net/memif/rte_eth_memif.c
@@ -356,7 +356,7 @@  eth_memif_rx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 		rx_pkts = 0;
 		pkts = nb_pkts < MAX_PKT_BURST ? nb_pkts : MAX_PKT_BURST;
 		while (n_slots && rx_pkts < pkts) {
-			mbuf_head = mbufs[n_rx_pkts];
+			mbuf_head = mbufs[rx_pkts];
 			mbuf = mbuf_head;
 
 next_slot1: