diff options
| author |   Steven Luong <sluong@cisco.com> | 2019-10-23 13:28:37 -0700 |
|---|---|---|
| committer |   Andrew Yourtchenko <ayourtch@gmail.com> | 2019-10-29 10:01:02 +0000 |
| commit | abad677803bde8b8eed86a9ceecbc5f19d08e916 (patch) | |
| tree | 1fba9cd2a2392504371701d6bc6d6673a2afc868 | |
| parent | b4c5f16889bccfce31b6007d61e7f5670179f645 (diff) | |
devices: vhoost cpu->copy array overflow on tcp jumbo frame (65535 bytes)
We reserve 40 slots in cpu->copy array prior to copy out to avoid overflowing
the array. However, 40 is not enough for the jumbo frame because desceiptor
buffer len is likely at 1536. Change the reserve to 200 and add ASSERT to avoid
encountering the same problem in the future.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ibf0c03c4b4f33e781d5be8679ccd6c3a4b4a646d
(cherry picked from commit 7331005c16d0e1499080899b2a0676a0cd945595)
| -rw-r--r-- | src/vnet/devices/virtio/vhost_user_input.c | 1 | ||||
| -rw-r--r-- | src/vnet/devices/virtio/vhost_user_output.c | 9 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/vnet/devices/virtio/vhost_user_input.c b/src/vnet/devices/virtio/vhost_user_input.c index 2d90ed1224d..ef35d23a03c 100644 --- a/src/vnet/devices/virtio/vhost_user_input.c +++ b/src/vnet/devices/virtio/vhost_user_input.c @@ -654,6 +654,7 @@ vhost_user_if_input (vlib_main_t * vm, } /* Prepare a copy order executed later for the data */ + ASSERT (copy_len < VHOST_USER_COPY_ARRAY_N); vhost_copy_t *cpy = &cpu->copy[copy_len]; copy_len++; u32 desc_data_l = desc_table[desc_current].len - desc_data_offset; diff --git a/src/vnet/devices/virtio/vhost_user_output.c b/src/vnet/devices/virtio/vhost_user_output.c index 797c1c5ff92..9b9f763b92f 100644 --- a/src/vnet/devices/virtio/vhost_user_output.c +++ b/src/vnet/devices/virtio/vhost_user_output.c @@ -51,9 +51,12 @@ * entries. In order to not corrupt memory, we have to do the copy when the * static array reaches the copy threshold. We subtract 40 in case the code * goes into the inner loop for a maximum of 64k frames which may require - * more array entries. + * more array entries. We subtract 200 because our default buffer size is + * 2048 and the default desc len is likely 1536. While it takes less than 40 + * vlib buffers for the jumbo frame, it may take twice as much descriptors + * for the same jumbo frame. Use 200 for the extra head room. */ -#define VHOST_USER_TX_COPY_THRESHOLD (VHOST_USER_COPY_ARRAY_N - 40) +#define VHOST_USER_TX_COPY_THRESHOLD (VHOST_USER_COPY_ARRAY_N - 200) extern vnet_device_class_t vhost_user_device_class; @@ -390,6 +393,7 @@ retry: vhost_user_handle_tx_offload (vui, b0, &hdr->hdr); // Prepare a copy order executed later for the header + ASSERT (copy_len < VHOST_USER_COPY_ARRAY_N); vhost_copy_t *cpy = &cpu->copy[copy_len]; copy_len++; cpy->len = vui->virtio_net_hdr_sz; @@ -477,6 +481,7 @@ retry: } { + ASSERT (copy_len < VHOST_USER_COPY_ARRAY_N); vhost_copy_t *cpy = &cpu->copy[copy_len]; copy_len++; cpy->len = bytes_left; |