From: Kalesh AP <kalesh-anakkur.pura...@broadcom.com>

If the application passes an invalid mbuf for a Tx packet, it could
escape all the existing driver checks, and the driver could end up
sending invalid Tx BDs down to the HW. This in turn could lead to a
FW reset. Fix this by validating the "mbuf->buf_iova" or
"mbuf->buf_addr" passed for the Tx packet by the application.

Signed-off-by: Kalesh AP <kalesh-anakkur.pura...@broadcom.com>
Reviewed-by: Somnath Kotur <somnath.ko...@broadcom.com>
---
 drivers/net/bnxt/bnxt_txr.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/drivers/net/bnxt/bnxt_txr.c b/drivers/net/bnxt/bnxt_txr.c
index 51d3689e9c..4e9e377d5b 100644
--- a/drivers/net/bnxt/bnxt_txr.c
+++ b/drivers/net/bnxt/bnxt_txr.c
@@ -209,6 +209,25 @@ bnxt_invalid_nb_segs(struct rte_mbuf *tx_pkt)
        return (nb_segs != tx_pkt->nb_segs);
 }
 
+static int bnxt_invalid_mbuf(struct rte_mbuf *mbuf)
+{
+       uint32_t mbuf_size = sizeof(struct rte_mbuf) + mbuf->priv_size;
+       const char *reason;
+
+       if (unlikely(rte_eal_iova_mode() != RTE_IOVA_VA &&
+                    rte_eal_iova_mode() != RTE_IOVA_PA))
+               return 0;
+
+       if (unlikely(rte_mbuf_check(mbuf, 1, &reason)))
+               return -EINVAL;
+
+       if (unlikely(mbuf->buf_iova < mbuf_size ||
+                    (mbuf->buf_iova != rte_mempool_virt2iova(mbuf) + mbuf_size)))
+               return -EINVAL;
+
+       return 0;
+}
+
 static uint16_t bnxt_start_xmit(struct rte_mbuf *tx_pkt,
                                struct bnxt_tx_queue *txq,
                                uint16_t *coal_pkts,
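Review bot: The address comparison in bnxt_invalid_mbuf() (`mbuf->buf_iova != rte_mempool_virt2iova(mbuf) + mbuf_size`) holds only for a direct mbuf whose data buffer sits right after the header and private area in its mempool object. An indirect (cloned) mbuf or one with an externally attached buffer carries a `buf_iova` that points elsewhere, so it would be rejected with -EINVAL even though it is well-formed; whether bnxt is expected to transmit such mbufs is not visible here, so please confirm. If it is, gate the comparison on `RTE_MBUF_DIRECT(mbuf)` and rely on rte_mbuf_check() for the rest. Only the head segment's address is compared, and the `reason` string filled in by rte_mbuf_check() is discarded, which leaves a dropped packet with no diagnostic; a debug-level log of `reason` would help operators trace a misbehaving application.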
@@ -236,6 +255,9 @@ static uint16_t bnxt_start_xmit(struct rte_mbuf *tx_pkt,
        if (unlikely(is_bnxt_in_error(txq->bp)))
                return -EIO;
 
+       if (unlikely(bnxt_invalid_mbuf(tx_pkt)))
+               return -EINVAL;
+
        if (unlikely(bnxt_invalid_nb_segs(tx_pkt)))
                return -EINVAL;
 
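Review bot: The new call in bnxt_start_xmit() has no comment saying why a malformed mbuf must be stopped at this point, and it returns the same -EINVAL as the nb_segs check that follows, so the caller cannot tell the two rejections apart. I would add `/* Reject malformed mbufs before any Tx BD is built; a bad buffer address can lead to a FW reset. */` above the call. rte_mbuf_check() with is_header set already walks the segment chain, so bnxt_invalid_nb_segs() may now be a second walk per packet on the fast path; it is worth checking whether that check is still needed. The body of bnxt_start_xmit() continues outside the hunk.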
-- 
2.39.5 (Apple Git-154)
