[Bug 194314] New: [ixgbe] driver makes some dangerous assumptions with struct mbuf sizing with IXGBE_RX_COPY_LEN
bugzilla-noreply at freebsd.org
Sun Oct 12 09:13:05 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194314
Bug ID: 194314
Summary: [ixgbe] driver makes some dangerous assumptions with
struct mbuf sizing with IXGBE_RX_COPY_LEN
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ngie at FreeBSD.org
The code in sys/dev/ixgbe/ixgbe.h assumes that MLEN is always > 160, and
doesn't exceed the size of the mbuf. MSIZE is set to 256, so if MHLEN = MSIZE -
sizeof(struct m_hdr) - sizeof(struct pkthdr) < 160, ixgbe will scribble over
the header information in mbufs. Similarly, if IXGBE_RX_COPY_LEN is greater
than the size of the mbuf, it will scribble over other memory, potentially in
the same mbuf chain, or elsewhere.
This optimization needs better bounds checking/handling.
/*
 * Used for optimizing small rx mbufs.  Effort is made to keep the copy
 * small and aligned for the CPU L1 cache.
 *
 * MHLEN is typically 168 bytes, giving us 8-byte alignment.  Getting
 * 32 byte alignment needed for the fast bcopy results in 8 bytes being
 * wasted.  Getting 64 byte alignment, which _should_ be ideal for
 * modern Intel CPUs, results in 40 bytes wasted and a significant drop
 * in observed efficiency of the optimization, 97.9% -> 81.8%.
 */
#define IXGBE_RX_COPY_LEN	160
#define IXGBE_RX_COPY_ALIGN	(MHLEN - IXGBE_RX_COPY_LEN)

/*
 * MLEN is data length in a normal mbuf.
 * MHLEN is data length in an mbuf with pktheader.
 * MINCLSIZE is a smallest amount of data that should be put into cluster.
 */
#define MLEN		((int)(MSIZE - sizeof(struct m_hdr)))
#define MHLEN		((int)(MLEN - sizeof(struct pkthdr)))
#define MINCLSIZE	(MHLEN + 1)
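Added example, not part of the bug report and not code from the ixgbe driver: a userland model of the bounds check the report asks for, where the copy is refused whenever MHLEN - IXGBE_RX_COPY_LEN would go negative or the frame exceeds the copy length. The names mbuf_model, rx_copy_small, try_layout and TYPICAL_HDR_LEN are hypothetical, and the header sizes are constructed values rather than FreeBSD's real struct sizes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not FreeBSD's structures: the combined header size is a
 * parameter so a layout that shrinks MHLEN below the copy length can be tried. */
#define MSIZE             256
#define IXGBE_RX_COPY_LEN 160
#define TYPICAL_HDR_LEN   (MSIZE - 168)   /* report: MHLEN is typically 168 */

/* Build-time guard for the typical layout; a kernel build would test MHLEN. */
_Static_assert(MSIZE - TYPICAL_HDR_LEN >= IXGBE_RX_COPY_LEN,
    "IXGBE_RX_COPY_LEN exceeds the mbuf data area");

struct mbuf_model {
    size_t hdr_len;             /* m_hdr + pkthdr bytes at the front of raw[] */
    unsigned char raw[MSIZE];   /* one whole mbuf: headers, then data area */
};

/* Copy a small frame into the mbuf's own data area. Returns the alignment
 * offset used (IXGBE_RX_COPY_ALIGN), or -1 when the caller must keep the
 * frame in its cluster because the copy would not fit. */
static long rx_copy_small(struct mbuf_model *m, const void *frame, size_t len)
{
    long mhlen = (long)MSIZE - (long)m->hdr_len;
    long align = mhlen - IXGBE_RX_COPY_LEN;

    if (align < 0 || len > IXGBE_RX_COPY_LEN)
        return -1;
    memcpy(m->raw + m->hdr_len + align, frame, len);
    return align;
}

/* Exercise one layout: fill the headers with a canary, copy, and report
 * -2 if any header byte changed, otherwise rx_copy_small()'s result. */
static long try_layout(size_t hdr_len, size_t frame_len)
{
    struct mbuf_model m = { .hdr_len = hdr_len };
    unsigned char frame[MSIZE];
    long r;

    memset(frame, 0x55, sizeof(frame));
    memset(m.raw, 0xAA, hdr_len);
    r = rx_copy_small(&m, frame, frame_len);
    for (size_t i = 0; i < hdr_len; i++)
        if (m.raw[i] != 0xAA)
            return -2;
    return r;
}
```

With the typical 88 bytes of headers the copy lands 8 bytes into the data area; with larger headers the guard returns -1 and the header canary stays intact.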