mbuf: fix external buffer pool boundaries

Memzones are created in testpmd in order to test external data
buffers functionality. Each memzone is 2Mb in size and divided among
the pool of external memory buffers.

Memzone may not always be fully utilized because mbufs size can vary
and some space can be left unused at the tail of a memzone. This is
not handled properly and mbuf can get the address of this leftover
space since this address is still valid (part of memzone), but there
is not enough space to fit the whole packet data. As a result packet
data may overflow and cause the memory corruption.

Take mbuf size into account when distributing memory addresses from
a memzone to external mbufs. Skip the remaining tail in case there
is not enough room for a packet and move to a next memzone instead.

Fixes: 6c8e50c2e5 ("mbuf: create pool with external memory buffers")
Cc: stable@dpdk.org
Signed-off-by: Alexander Kozyrev <akozyrev@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>

diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c
index 220eb2fb0c58d6684d5f2124cd5dd33c108df7c2..ae91ae21ce7f8962fb790711252ce3a99e0e99f6 100644 (file)
--- a/lib/librte_mbuf/rte_mbuf.c
+++ b/lib/librte_mbuf/rte_mbuf.c
@@ -191,14 +191,14 @@ __rte_pktmbuf_init_extmem(struct rte_mempool *mp,
        ext_mem = ctx->ext_mem + ctx->ext;
 
        RTE_ASSERT(ctx->ext < ctx->ext_num);
-       RTE_ASSERT(ctx->off < ext_mem->buf_len);
+       RTE_ASSERT(ctx->off + ext_mem->elt_size <= ext_mem->buf_len);
 
        m->buf_addr = RTE_PTR_ADD(ext_mem->buf_ptr, ctx->off);
        m->buf_iova = ext_mem->buf_iova == RTE_BAD_IOVA ?
                      RTE_BAD_IOVA : (ext_mem->buf_iova + ctx->off);
 
        ctx->off += ext_mem->elt_size;
-       if (ctx->off >= ext_mem->buf_len) {
+       if (ctx->off + ext_mem->elt_size > ext_mem->buf_len) {
                ctx->off = 0;
                ++ctx->ext;
        }