From: Ferruh Yigit <ferruh.yigit@amd.com>
To: Chaoyong He <chaoyong.he@corigine.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: oss-drivers <oss-drivers@corigine.com>,
	Long Wu <Long.Wu@nephogine.com>,
	"stable@dpdk.org" <stable@dpdk.org>,
	Nole Zhang <peng.zhang@corigine.com>
Subject: Re: [PATCH 2/3] net/nfp: fix free resource problem
Date: Fri, 12 Jan 2024 10:06:13 +0000	[thread overview]
Message-ID: <a5527209-8b54-48a0-8ed2-d8a6d2048bcf@amd.com> (raw)
In-Reply-To: <SJ0PR13MB5545ED092BD22B1316090D589E6F2@SJ0PR13MB5545.namprd13.prod.outlook.com>
On 1/12/2024 1:19 AM, Chaoyong He wrote:
>> On 1/11/2024 2:02 AM, Chaoyong He wrote:
>>>> On 1/9/2024 7:56 AM, Chaoyong He wrote:
>>>>>> On 12/18/2023 1:50 AM, Chaoyong He wrote:
>>>>>>>> On 12/14/2023 10:24 AM, Chaoyong He wrote:
>>>>>>>>> From: Long Wu <long.wu@corigine.com>
>>>>>>>>>
>>>>>>>>> Set the representor array to NULL to avoid that close interface
>>>>>>>>> does not free some resource.
>>>>>>>>>
>>>>>>>>> Fixes: a135bc1644d6 ("net/nfp: fix resource leak for flower
>>>>>>>>> firmware")
>>>>>>>>> Cc: chaoyong.he@corigine.com
>>>>>>>>> Cc: stable@dpdk.org
>>>>>>>>>
>>>>>>>>> Signed-off-by: Long Wu <long.wu@corigine.com>
>>>>>>>>> Reviewed-by: Chaoyong He <chaoyong.he@corigine.com>
>>>>>>>>> Reviewed-by: Peng Zhang <peng.zhang@corigine.com>
>>>>>>>>> ---
>>>>>>>>>  drivers/net/nfp/flower/nfp_flower_representor.c | 15
>>>>>>>>> ++++++++++++++-
>>>>>>>>>  1 file changed, 14 insertions(+), 1 deletion(-)
>>>>>>>>>
>>>>>>>>> diff --git a/drivers/net/nfp/flower/nfp_flower_representor.c
>>>>>>>>> b/drivers/net/nfp/flower/nfp_flower_representor.c
>>>>>>>>> index 27ea3891bd..5f7c1fa737 100644
>>>>>>>>> --- a/drivers/net/nfp/flower/nfp_flower_representor.c
>>>>>>>>> +++ b/drivers/net/nfp/flower/nfp_flower_representor.c
>>>>>>>>> @@ -294,17 +294,30 @@ nfp_flower_repr_tx_burst(void
>> *tx_queue,
>>>>>>>>> static int  nfp_flower_repr_uninit(struct rte_eth_dev *eth_dev)
>>>>>>>>> {
>>>>>>>>> +	uint16_t index;
>>>>>>>>>  	struct nfp_flower_representor *repr;
>>>>>>>>>
>>>>>>>>>  	repr = eth_dev->data->dev_private;
>>>>>>>>>  	rte_ring_free(repr->ring);
>>>>>>>>>
>>>>>>>>> +	if (repr->repr_type == NFP_REPR_TYPE_PHYS_PORT) {
>>>>>>>>> +		index =
>> NFP_FLOWER_CMSG_PORT_PHYS_PORT_NUM(repr-
>>>>>>>>> port_id);
>>>>>>>>> +		repr->app_fw_flower->phy_reprs[index] = NULL;
>>>>>>>>> +	} else {
>>>>>>>>> +		index = repr->vf_id;
>>>>>>>>> +		repr->app_fw_flower->vf_reprs[index] = NULL;
>>>>>>>>> +	}
>>>>>>>>> +
>>>>>>>>>  	return 0;
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>>  static int
>>>>>>>>> -nfp_flower_pf_repr_uninit(__rte_unused struct rte_eth_dev
>>>>>>>>> *eth_dev)
>>>>>>>>> +nfp_flower_pf_repr_uninit(struct rte_eth_dev *eth_dev)
>>>>>>>>>  {
>>>>>>>>> +	struct nfp_flower_representor *repr =
>>>>>>>>> +eth_dev->data->dev_private;
>>>>>>>>> +
>>>>>>>>> +	repr->app_fw_flower->pf_repr = NULL;
>>>>>>>>>
>>>>>>>>
>>>>>>>> Here it is assigned to NULL but is it freed? If freed, why not
>>>>>>>> set to NULL where it is freed?
>>>>>>>>
>>>>>>>> Same for above phy_reprs & vf_reprs.
>>>>>>>
>>>>>>> The whole invoke view:
>>>>>>> rte_eth_dev_close()
>>>>>>>     --> nfp_flower_repr_dev_close()
>>>>>>>         --> nfp_flower_repr_free()
>>>>>>>             --> nfp_flower_pf_repr_uninit()
>>>>>>>             --> nfp_flower_repr_uninit()
>>>>>>>            // In these two functions, we just assigned to NULL but
>>>>>>> not freed
>>>> yet.
>>>>>>>            // It is still refer by the `eth_dev->data->dev_private`.
>>>>>>>     --> rte_eth_dev_release_port()
>>>>>>>         --> rte_free(eth_dev->data->dev_private);
>>>>>>>         // And here it is really freed (by the rte framework).
>>>>>>>
>>>>>>
>>>>>> 'rte_eth_dev_release_port()' frees the device private data, but not
>>>>>> all pointers, like 'repr->app_fw_flower->pf_repr', in the struct
>>>>>> are freed, it is dev_close() or
>>>>>> unint() functions responsibility.
>>>>>>
>>>>>> Can you please double check if
>>>>>> 'eth_dev->data->dev_private->app_fw_flower->pf_repr' freed or not?
>>>>>
>>>>> (gdb) b nfp_flower_repr_dev_close
>>>>> Breakpoint 1 at 0x7f839a4ad37f:
>>>> file ../drivers/net/nfp/flower/nfp_flower_representor.c, line 356.
>>>>> (gdb) c
>>>>> Continuing.
>>>>>
>>>>> Thread 1 "dpdk-testpmd" hit Breakpoint 1, nfp_flower_repr_dev_close
>>>> (dev=0x7f839aed2340 <rte_eth_devices>)
>>>>>     at ../drivers/net/nfp/flower/nfp_flower_representor.c:356
>>>>> 356             if (rte_eal_process_type() != RTE_PROC_PRIMARY)
>>>>> (gdb) n
>>>>> 359             repr = dev->data->dev_private;
>>>>> (gdb)
>>>>> 360             app_fw_flower = repr->app_fw_flower;
>>>>> (gdb)
>>>>> 361             hw = app_fw_flower->pf_hw;
>>>>> (gdb)
>>>>> 362             pf_dev = hw->pf_dev;
>>>>> (gdb)
>>>>> 368             nfp_net_disable_queues(dev);
>>>>> (gdb) p repr
>>>>> $1 = (struct nfp_flower_representor *) 0x17c49c800
>>>>> (gdb) p dev->data->dev_private
>>>>> $2 = (void *) 0x17c49c800
>>>>> (gdb) p repr->app_fw_flower->pf_repr
>>>>> $3 = (struct nfp_flower_representor *) 0x17c49c800
>>>>>
>>>>> As we can see, these three pointers point the same block of memory.
>>>>>
>>>>
>>>> Ahh, I missed that 'repr->app_fw_flower->pf_repr' points to
>>>> 'dev_private', so your code makes sense.
>>>>
>>>> But if it is 'dev_private', why free it in 'nfp_pf_uninit()' as it
>>>> will be freed by 'rte_eth_dev_release_port()'?
>>>
>>> Sorry, I'm not understanding this.
>>> The 'dev_private' is a 'struct nfp_flower_representor *', and it will be freed in
>> 'rte_eth_dev_release_port()'.
>>> What I freed in 'nfp_pf_uninit()' is a 'struct nfp_pf_dev *', so I'm not catch
>> your point about this.
>>>
>>>> Won't removing 'rte_free(pf_dev);' from 'nfp_pf_uninit()' will have
>>>> the same effect, instead of setting it NULL in advance?
>>>>
>>>
>>> If I remove the 'rte_free(pf_dev);' from 'nfp_pf_uninit()', there will be a
>> memory leak as no one will free it, and actually I'm not 'setting it NULL in
>> advance'.
>>>
>>> 359             repr = dev->data->dev_private;
>>> 360             app_fw_flower = repr->app_fw_flower;
>>> 361             hw = app_fw_flower->pf_hw;
>>> 362             pf_dev = hw->pf_dev;
>>>
>>> Maybe you just confuse the 'pf_repr' and 'pf_dev'? Just a guess.
>>>
>>
>> Yes I did confuse those two, sorry about that.
>>
>> 'repr->app_fw_flower->pf_repr' is 'dev_private', and I assumed you are setting
>> it NULL to escape from double free (and was checking where that double free
>> happens), but I guess that is not the case.
>>
>> 'rte_eth_dev_destroy()' calls 'rte_eth_dev_release_port()' and frees
>> 'dev_private' but 'repr->app_fw_flower->pf_repr' remains as dangling pointer
>> and perhaps prevents 'nfp_flower_repr_dev_close()' move forward (because
>> of "if (app_fw_flower->pf_repr != NULL)" check), and you are fixing it, is it the
>> case?
> 
> Correct, that's what we want to do by this patch and where the problem is, your description is very clear and brief.
> 
Got it, I will proceed with the set.
More details in the commit log helps reviewing the patches.
next prev parent reply	other threads:[~2024-01-12 10:06 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20231214102431.2091608-1-chaoyong.he@corigine.com>
2023-12-14 10:24 ` [PATCH 1/3] net/nfp: fix close representor problem Chaoyong He
2023-12-14 10:24 ` [PATCH 2/3] net/nfp: fix free resource problem Chaoyong He
2023-12-15 12:54   ` Ferruh Yigit
2023-12-18  1:50     ` Chaoyong He
2024-01-08 15:42       ` Ferruh Yigit
2024-01-09  7:56         ` Chaoyong He
2024-01-09 17:48           ` Ferruh Yigit
2024-01-11  2:02             ` Chaoyong He
2024-01-11 12:32               ` Ferruh Yigit
2024-01-12  1:19                 ` Chaoyong He
2024-01-12 10:06                   ` Ferruh Yigit [this message]
2023-12-14 10:24 ` [PATCH 3/3] net/nfp: free domain ID in close interface Chaoyong He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox
  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):
  git send-email \
    --in-reply-to=a5527209-8b54-48a0-8ed2-d8a6d2048bcf@amd.com \
    --to=ferruh.yigit@amd.com \
    --cc=Long.Wu@nephogine.com \
    --cc=chaoyong.he@corigine.com \
    --cc=dev@dpdk.org \
    --cc=oss-drivers@corigine.com \
    --cc=peng.zhang@corigine.com \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY
  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
  Be sure your reply has a Subject: header at the top and a blank line
  before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).