| Message ID | 1559203541-24425-1-git-send-email-lirongqing@baidu.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev] netdev-dpdk: ensure that qid is valid before using it | expand |
On 30.05.2019 11:05, Li RongQing wrote: > otherwise it maybe lead to out of bound access in tx_q > > Signed-off-by: Li RongQing <lirongqing@baidu.com> > --- > lib/netdev-dpdk.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c > index c06f46931..e6cdcd454 100644 > --- a/lib/netdev-dpdk.c > +++ b/lib/netdev-dpdk.c > @@ -2319,8 +2319,6 @@ __netdev_dpdk_vhost_send(struct netdev *netdev, int qid, > int i, retries = 0; > int vid = netdev_dpdk_get_vid(dev); > > - qid = dev->tx_q[qid % netdev->n_txq].map; 'qid' passed to the function can't be negative. However, after mapping it could become negative if corresponding queue disabled and not mapped to another queue. Moving the mapping after the check you're creating the case where we'll try to send to the negative queue. So, this patch actually creates the issue that it describes in the commit message. > - > if (OVS_UNLIKELY(vid < 0 || !dev->vhost_reconfigured || qid < 0 > || !(dev->flags & NETDEV_UP))) { > rte_spinlock_lock(&dev->stats_lock); > @@ -2329,6 +2327,8 @@ __netdev_dpdk_vhost_send(struct netdev *netdev, int qid, > goto out; > } > > + qid = dev->tx_q[qid % netdev->n_txq].map; > + > rte_spinlock_lock(&dev->tx_q[qid].tx_lock); > > cnt = netdev_dpdk_filter_packet_len(dev, cur_pkts, cnt); >
diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index c06f46931..e6cdcd454 100644 --- a/lib/netdev-dpdk.c +++ b/lib/netdev-dpdk.c @@ -2319,8 +2319,6 @@ __netdev_dpdk_vhost_send(struct netdev *netdev, int qid, int i, retries = 0; int vid = netdev_dpdk_get_vid(dev); - qid = dev->tx_q[qid % netdev->n_txq].map; - if (OVS_UNLIKELY(vid < 0 || !dev->vhost_reconfigured || qid < 0 || !(dev->flags & NETDEV_UP))) { rte_spinlock_lock(&dev->stats_lock); @@ -2329,6 +2327,8 @@ __netdev_dpdk_vhost_send(struct netdev *netdev, int qid, goto out; } + qid = dev->tx_q[qid % netdev->n_txq].map; + rte_spinlock_lock(&dev->tx_q[qid].tx_lock); cnt = netdev_dpdk_filter_packet_len(dev, cur_pkts, cnt);
otherwise it maybe lead to out of bound access in tx_q Signed-off-by: Li RongQing <lirongqing@baidu.com> --- lib/netdev-dpdk.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)