From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <yuanhan.liu@linux.intel.com>
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 by dpdk.org (Postfix) with ESMTP id CC73F3777;
 Wed, 19 Apr 2017 10:46:37 +0200 (CEST)
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
 by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 19 Apr 2017 01:46:36 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.37,220,1488873600"; d="scan'208";a="1137564539"
Received: from yliu-dev.sh.intel.com (HELO yliu-dev) ([10.239.67.162])
 by fmsmga001.fm.intel.com with ESMTP; 19 Apr 2017 01:46:35 -0700
Date: Wed, 19 Apr 2017 16:43:10 +0800
From: Yuanhan Liu <yuanhan.liu@linux.intel.com>
To: dev@dpdk.org
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>, stable@dpdk.org
Message-ID: <20170419084310.GD31523@yliu-dev.sh.intel.com>
References: <1492579561-19619-1-git-send-email-yuanhan.liu@linux.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1492579561-19619-1-git-send-email-yuanhan.liu@linux.intel.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dpdk-stable] [PATCH] vhost: fix dequeue zero copy
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2017 08:46:38 -0000

On Wed, Apr 19, 2017 at 01:26:01PM +0800, Yuanhan Liu wrote:
> For zero copy mode, we need pin the mbuf to not let the underlaying PMD
> driver (or the app) free the mbuf. Currently, only the heading mbuf is
> pinned. However, the mbuf free function would try to free all mbufs
> in the mbuf chain (-1 to the refcnt). This may lead the head mbuf being
> still pinned, while the other subsequent mbufs are actually freed. Which
> is wrong.
> 
> It becomes more fatal after the mbuf refactor, more specificly, after
> the commit 8f094a9ac5d7 ("mbuf: set mbuf fields while in pool"). The
> refcnt resets to 1 after the last real reference. OTOH, it leads to a
> situtation that we never know one mbuf is actually freed or not. This
> would result the mbuf __just__ after the heading mbuf being freed twice:
> it's firstly freed (and put back to mempool) when the underlaying PMD
> finishes the DMA.  Later, it will then be freed again when vhost unpins
> it. Meaning, one mbuf may be returned to the mempool twice, while in
> turn, being allocated twice later. Something uncertain may happen then.
> For example, the VM2VM case becomes broken.
> 
> Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
> 
> Cc: stable@dpdk.org
> Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>

Applied to dpdk-next-virtio.

	--yliu