From ef226b1dc6f8eac4cbe3d3d393a07114d11311e5 Mon Sep 17 00:00:00 2001 From: erj Date: Tue, 19 Mar 2019 17:49:03 +0000 Subject: [PATCH] iflib: prevent possible infinite loop in iflib_encap From Jake: iflib_encap calls bus_dmamap_load_mbuf_sg. Upon it returning EFBIG, an m_collapse and an m_defrag are attempted to shrink the mbuf cluster to fit within the DMA segment limitations. However, if we call m_defrag, and then bus_dmamap_load_mbuf_sg returns EFBIG on the now defragmented mbuf, we will continuously re-call bus_dmamap_load_mbuf_sg over and over. This happens because m_head isn't NULL, and remap is >1, so we don't try to m_collapse or m_defrag again. The only way we exit the loop is if m_head is NULL. However, m_head can't be modified by the call to bus_dmamap_load_mbuf_sg, because we don't pass it as a double pointer. I believe this will be an incredibly rare occurrence, because it is unlikely that bus_dmamap_load_mbuf_sg will actually fail on the second defragment with an EFBIG error. However, it still seems like a possibility that we should account for. Fix the exit check to ensure that if remap is >1, we will also exit, even if m_head is not NULL. Submitted by: Jacob Keller Reviewed by: shurd@, gallatin@ MFC after: 1 week Sponsored by: Intel Corporation Differential Revision: https://reviews.freebsd.org/D19468 --- sys/net/iflib.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/net/iflib.c b/sys/net/iflib.c index b803c4b3ca1f..694dd9b632fb 100644 --- a/sys/net/iflib.c +++ b/sys/net/iflib.c @@ -3276,9 +3276,14 @@ iflib_encap(iflib_txq_t txq, struct mbuf **m_headp) txq->ift_mbuf_defrag++; m_head = m_defrag(*m_headp, M_NOWAIT); } - remap++; - if (__predict_false(m_head == NULL)) + /* + * remap should never be >1 unless bus_dmamap_load_mbuf_sg + * failed to map an mbuf that was run through m_defrag + */ + MPASS(remap <= 1); + if (__predict_false(m_head == NULL || remap > 1)) goto defrag_failed; + remap++; *m_headp = m_head; goto retry; break;