[dpdk-dev] [PATCH] net/mlx5: fix possible endless loop when clearing flow flags
Yongseok Koh
yskoh at mellanox.com
Tue Jul 24 23:47:19 CEST 2018
> On Jul 23, 2018, at 11:57 PM, Nélio Laranjeiro <nelio.laranjeiro at 6wind.com> wrote:
>
> On Mon, Jul 23, 2018 at 11:27:44AM -0700, Yongseok Koh wrote:
>> If one of (*priv->rxqs)[] is null, the for loop can iterate infinitely as
>> idx can't be increased.
>>
>> Fixes: cd24d526395e ("net/mlx5: add mark/flag flow action")
>> Cc: Nelio Laranjeiro <nelio.laranjeiro at 6wind.com>
>>
>> Signed-off-by: Yongseok Koh <yskoh at mellanox.com>
>> ---
>> drivers/net/mlx5/mlx5_flow.c | 8 +++-----
>> 1 file changed, 3 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
>> index 32854198b..c156f01eb 100644
>> --- a/drivers/net/mlx5/mlx5_flow.c
>> +++ b/drivers/net/mlx5/mlx5_flow.c
>> @@ -2762,22 +2762,20 @@ mlx5_flow_rxq_flags_clear(struct rte_eth_dev *dev)
>> {
>> struct priv *priv = dev->data->dev_private;
>> unsigned int i;
>> - unsigned int idx;
>>
>> - for (idx = 0, i = 0; idx != priv->rxqs_n; ++i) {
>> + for (i = 0; i != priv->rxqs_n; ++i) {
>> struct mlx5_rxq_ctrl *rxq_ctrl;
>> unsigned int j;
>>
>> - if (!(*priv->rxqs)[idx])
>> + if (!(*priv->rxqs)[i])
>> continue;
>> - rxq_ctrl = container_of((*priv->rxqs)[idx],
>> + rxq_ctrl = container_of((*priv->rxqs)[i],
>> struct mlx5_rxq_ctrl, rxq);
>> rxq_ctrl->flow_mark_n = 0;
>> rxq_ctrl->rxq.mark = 0;
>> for (j = 0; j != MLX5_FLOW_TUNNEL; ++j)
>> rxq_ctrl->flow_tunnels_n[j] = 0;
>> rxq_ctrl->rxq.tunnel = 0;
>> - ++idx;
>> }
>> }
>>
>> --
>> 2.11.0
>
> This patch is wrong, (*priv->rxqs)[i] may un-initialised by the
> application, the number of queues says how are in used, it does not mean
> they are contiguous in the rxqs arrays and this due to the DPDK API
> which configure the number of queues with rte_eth_dev_configure()
> whereas queues are instantiated with rte_eth_rx_queue_setup() which
> takes an position in the array as parameter.
>
> Indeed this code is wrong, idx should always increase whereas i should
> only increase if the (*priv->rxqs)[idx] is non null.
I don't understand what you mean. In rte_eth_rx_queue_setup(), rx_queue_id is
checked against dev->data->nb_rx_queues.
if (rx_queue_id >= dev->data->nb_rx_queues) {
RTE_ETHDEV_LOG(ERR, "Invalid RX queue_id=%u\n", rx_queue_id);
return -EINVAL;
}
This means the index should be [0, priv->rxqs_n) anyway. There is the same check
in mlx5_rx_queue_setup(). If user mistakenly doesn't configure some of queues,
then the corresponding slots could be null but indexes are still within the
range.
Then, what's your point of having both i and idx?
Thanks,
Yongseok
More information about the dev
mailing list