From: Somnath Kotur <somnath.ko...@broadcom.com>
If the application passes incorrect number of segs for a Tx pkt i.e.
sets it to 5 while actually sending down only a single mbuf, this could
escape all the existing driver checks and driver could end up sending
down garbage TX BDs to the HW. This in turn could lead to a Tx pipeline
stall.
Fix it by validating the number of segs passed for the Tx pkt against
what is actually set by the application to prevent this.
Signed-off-by: Somnath Kotur <somnath.ko...@broadcom.com>
Reviewed-by: Ajit Khaparde <ajit.khapa...@broadcom.com>
---
drivers/net/bnxt/bnxt_txr.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/net/bnxt/bnxt_txr.c b/drivers/net/bnxt/bnxt_txr.c
index 6d7e9962ce..51d3689e9c 100644
--- a/drivers/net/bnxt/bnxt_txr.c
+++ b/drivers/net/bnxt/bnxt_txr.c
@@ -194,6 +194,21 @@ bnxt_check_pkt_needs_ts(struct rte_mbuf *m)
return false;
}
+static bool
+bnxt_invalid_nb_segs(struct rte_mbuf *tx_pkt)
+{
+ uint16_t nb_segs = 1;
+ struct rte_mbuf *m_seg;
+
+ m_seg = tx_pkt->next;
+ while (m_seg) {
+ nb_segs++;
+ m_seg = m_seg->next;
+ }
+
+ return (nb_segs != tx_pkt->nb_segs);
+}
+
static uint16_t bnxt_start_xmit(struct rte_mbuf *tx_pkt,
struct bnxt_tx_queue *txq,
uint16_t *coal_pkts,
@@ -221,6 +236,9 @@ static uint16_t bnxt_start_xmit(struct rte_mbuf *tx_pkt,
if (unlikely(is_bnxt_in_error(txq->bp)))
return -EIO;
+ if (unlikely(bnxt_invalid_nb_segs(tx_pkt)))
+ return -EINVAL;
+
long_bd = bnxt_xmit_need_long_bd(tx_pkt, txq);
nr_bds = long_bd + tx_pkt->nb_segs;
--
2.39.5 (Apple Git-154)
