Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 1 Apr 2021 09:21:38 GMT
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: eb008a6793db - stable/13 - MFC 4e38478c595a: ipoib: Fix incorrectly computed IPOIB_CM_RX_SG value.
Message-ID:  <202104010921.1319LcpR053024@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by hselasky:

URL: https://cgit.FreeBSD.org/src/commit/?id=eb008a6793dbbda39ad0a2fb3136eb542d7424e2

commit eb008a6793dbbda39ad0a2fb3136eb542d7424e2
Author:     Hans Petter Selasky <hselasky@FreeBSD.org>
AuthorDate: 2021-03-25 15:55:02 +0000
Commit:     Hans Petter Selasky <hselasky@FreeBSD.org>
CommitDate: 2021-04-01 09:19:42 +0000

    MFC 4e38478c595a:
    ipoib: Fix incorrectly computed IPOIB_CM_RX_SG value.
    
    The computed IPOIB_CM_RX_SG is too small. It doesn't account for fallback
    to mbuf clusters when jumbo frames are not available and it also doesn't
    account for the packet header and trailer mbuf.
    
    This causes a memory overwrite situation when IPOIB_CM is configured.
    
    While at it add a kernel assert to ensure the mapping array is not overwritten.
    
    PR:             254474
    Sponsored by:   Mellanox Technologies // NVIDIA Networking
    
    (cherry picked from commit 4e38478c595a9e6225b525890d7ee269a203c200)
---
 sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h    | 7 +++----
 sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_cm.c | 2 +-
 sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 ++++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h
index 8a2b3333abb5..eb1cb87dc888 100644
--- a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -117,12 +117,11 @@ enum {
 	IPOIB_ENCAP_LEN		  = 4,
 	IPOIB_HEADER_LEN	  = IPOIB_ENCAP_LEN + INFINIBAND_ALEN,
 	IPOIB_UD_MAX_MTU	  = 4 * 1024,
-//	IPOIB_UD_RX_SG		  = (IPOIB_UD_MAX_MTU / MJUMPAGESIZE),
-	IPOIB_UD_RX_SG		  = 2,
+	IPOIB_UD_RX_SG		  = 2,	/* packet header and one cluster */
 	IPOIB_UD_TX_SG		  = (IPOIB_UD_MAX_MTU / MCLBYTES) + 2,
 	IPOIB_CM_MAX_MTU	  = (64 * 1024),
 	IPOIB_CM_TX_SG		  = (IPOIB_CM_MAX_MTU / MCLBYTES) + 2,
-	IPOIB_CM_RX_SG		  = (IPOIB_CM_MAX_MTU / MJUMPAGESIZE),
+	IPOIB_CM_RX_SG		  = (IPOIB_CM_MAX_MTU / MCLBYTES) + 2,
 	IPOIB_RX_RING_SIZE	  = 256,
 	IPOIB_TX_RING_SIZE	  = 128,
 	IPOIB_MAX_RX_SG		  = MAX(IPOIB_CM_RX_SG, IPOIB_UD_RX_SG),
@@ -529,7 +528,7 @@ int ipoib_poll_tx(struct ipoib_dev_priv *priv, bool do_start);
 
 void ipoib_dma_unmap_rx(struct ipoib_dev_priv *priv, struct ipoib_rx_buf *rx_req);
 void ipoib_dma_mb(struct ipoib_dev_priv *priv, struct mbuf *mb, unsigned int length);
-struct mbuf *ipoib_alloc_map_mb(struct ipoib_dev_priv *priv, struct ipoib_rx_buf *rx_req, int align, int size);
+struct mbuf *ipoib_alloc_map_mb(struct ipoib_dev_priv *priv, struct ipoib_rx_buf *rx_req, int align, int size, int max_frags);
 
 
 void ipoib_set_ethtool_ops(struct ifnet *dev);
diff --git a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_cm.c
index 50c9a4f305e9..b61ebfd1495a 100644
--- a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -153,7 +153,7 @@ static struct mbuf *
 ipoib_cm_alloc_rx_mb(struct ipoib_dev_priv *priv, struct ipoib_cm_rx_buf *rx_req)
 {
 	return ipoib_alloc_map_mb(priv, (struct ipoib_rx_buf *)rx_req,
-	    sizeof(struct ipoib_pseudoheader), priv->cm.max_cm_mtu);
+	    sizeof(struct ipoib_pseudoheader), priv->cm.max_cm_mtu, IPOIB_CM_RX_SG);
 }
 
 static void ipoib_cm_free_rx_ring(struct ipoib_dev_priv *priv,
diff --git a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_ib.c
index cb52e3db75a4..a5db9a256204 100644
--- a/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -112,7 +112,7 @@ ipoib_dma_mb(struct ipoib_dev_priv *priv, struct mbuf *mb, unsigned int length)
 
 struct mbuf *
 ipoib_alloc_map_mb(struct ipoib_dev_priv *priv, struct ipoib_rx_buf *rx_req,
-    int align, int size)
+    int align, int size, int max_frags)
 {
 	struct mbuf *mb, *m;
 	int i, j;
@@ -122,6 +122,8 @@ ipoib_alloc_map_mb(struct ipoib_dev_priv *priv, struct ipoib_rx_buf *rx_req,
 	if (mb == NULL)
 		return (NULL);
 	for (i = 0, m = mb; m != NULL; m = m->m_next, i++) {
+		MPASS(i < max_frags);
+
 		m->m_len = M_SIZE(m) - align;
 		m->m_data += align;
 		align = 0;
@@ -174,9 +176,8 @@ static int ipoib_ib_post_receive(struct ipoib_dev_priv *priv, int id)
 static struct mbuf *
 ipoib_alloc_rx_mb(struct ipoib_dev_priv *priv, int id)
 {
-
 	return ipoib_alloc_map_mb(priv, &priv->rx_ring[id],
-	    0, priv->max_ib_mtu + IB_GRH_BYTES);
+	    0, priv->max_ib_mtu + IB_GRH_BYTES, IPOIB_UD_RX_SG);
 }
 
 static int ipoib_ib_post_receives(struct ipoib_dev_priv *priv)



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104010921.1319LcpR053024>