[dpdk-dev] [PATCH] net: fix rte_vlan_insert with shared mbuf

[Chas Williams]

On 3/27/19 11:18 AM, Stephen Hemminger wrote:
> On Tue, 26 Mar 2019 18:38:57 -0400
> Chas Williams <3chas3 at gmail.com> wrote:
> 
>> On 3/26/19 3:15 PM, Stephen Hemminger wrote:
>>> If mbuf refcnt was > 1 then rte_vlan_insert() would incorrectly
>>> modify the original copy. Original code was expecting clone to make
>>> a copy (it doesn't). Better to let the caller deal with making
>>> a copy or setting up mbuf chain to allow for header to be added.
>>>
>>> Also fix docbook comment about parameters (function takes
>>> pointer to mbuf).
>>>
>>> Fixes: c974021a5949 ("ether: add soft vlan encap/decap")
>>> Signed-off-by: Stephen Hemminger <sthemmin at microsoft.com>
>>> ---
>>>    lib/librte_net/rte_ether.h | 15 ++++-----------
>>>    1 file changed, 4 insertions(+), 11 deletions(-)
>>>
>>> diff --git a/lib/librte_net/rte_ether.h b/lib/librte_net/rte_ether.h
>>> index c2c5e249ffe9..bab2b198fa79 100644
>>> --- a/lib/librte_net/rte_ether.h
>>> +++ b/lib/librte_net/rte_ether.h
>>> @@ -374,7 +374,7 @@ static inline int rte_vlan_strip(struct rte_mbuf *m)
>>>     * Software version of VLAN unstripping
>>>     *
>>>     * @param m
>>> - *   The packet mbuf.
>>> + *   Pointer to the packet mbuf.
>>>     * @return
>>>     *   - 0: On success
>>>     *   -EPERM: mbuf is is shared overwriting would be unsafe
>>> @@ -385,16 +385,9 @@ static inline int rte_vlan_insert(struct rte_mbuf **m)
>>>    	struct ether_hdr *oh, *nh;
>>>    	struct vlan_hdr *vh;
>>>    
>>> -	/* Can't insert header if mbuf is shared */
>>> -	if (rte_mbuf_refcnt_read(*m) > 1) {
>>> -		struct rte_mbuf *copy;
>>> -
>>> -		copy = rte_pktmbuf_clone(*m, (*m)->pool);
>>> -		if (unlikely(copy == NULL))
>>> -			return -ENOMEM;
>>> -		rte_pktmbuf_free(*m);
>>> -		*m = copy;
>>> -	}
>>> +	/* Can't directly insert header if mbuf is shared */
>>> +	if (rte_mbuf_refcnt_read(*m) > 1)
>>
>> This check probably isn't sufficient. You need something more like:
>>
>>           if (rte_mbuf_refcnt_read(mbuf) > 1 ||
>>               (RTE_MBUF_INDIRECT(mbuf) &&
>>                rte_mbuf_refcnt_read(rte_mbuf_from_indirect(mbuf)) > 1)) {
>>
>> If this is a cloned packet, the refcnt will be 1. So you need to examine
>> the parent mbuf to see if other clones exist.
>>
> 
> The problem is that indirect buffers probably can't be overwritten
> because of lack of headroom.
> 
> Actually, why not push the problem into the pktmbuf_headroom logic?

That's not what the original code is checking and why it is checking. You
should not modify the data of a packet that has other users. To check
all the possible users, you need to check your refcnt and if a clone,
check the parent to see if any other clones exist.  If they do, you
can't safely modify these packets. Yes, we have run into this bug.  Yes,
it was hard to find.

Someone local write a slightly different version of rte_vlan_insert
that clones the packet and prepends an mbuf so you can safely insert
the VLAN information. I will see about getting it submitted.