* Re: [dpdk-stable] [PATCH 18.11] net/tap: fix mbuf double free when writev fails
[not found] <20200620145944.150A81261F4@zmta02.collab.prod.int.phx2.redhat.com>
@ 2020-06-26 12:55 ` Kevin Traynor
0 siblings, 0 replies; 2+ messages in thread
From: Kevin Traynor @ 2020-06-26 12:55 UTC (permalink / raw)
To: Yunjian Wang, stable; +Cc: Ferruh Yigit, Stephen Hemminger
On 20/06/2020 15:59, Yunjian Wang wrote:
> [ upstream commit 710aa4279097e9ee5a131b7e0732e5a8ef8bcfc1 ]
>
> When the tap_write_mbufs() function return with break, mbuf was freed
> without increasing num_packets, which could cause applications to free
> the mbuf again. And the pmd_tx_burst() function should returns the
> number of original packets it actually sent excluding tso mbufs.
>
> Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets")
>
> Signed-off-by: Yunjian Wang <yunjian.wang@foxmail.com>
> Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
> Acked-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
Applied, thanks. This is included in 18.11.9-rc2.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [dpdk-stable] [PATCH 18.11] net/tap: fix mbuf double free when writev fails
@ 2020-06-20 14:59 Yunjian Wang
0 siblings, 0 replies; 2+ messages in thread
From: Yunjian Wang @ 2020-06-20 14:59 UTC (permalink / raw)
To: stable; +Cc: ktraynor, Yunjian Wang, Ferruh Yigit, Stephen Hemminger
[ upstream commit 710aa4279097e9ee5a131b7e0732e5a8ef8bcfc1 ]
When the tap_write_mbufs() function return with break, mbuf was freed
without increasing num_packets, which could cause applications to free
the mbuf again. And the pmd_tx_burst() function should returns the
number of original packets it actually sent excluding tso mbufs.
Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets")
Signed-off-by: Yunjian Wang <yunjian.wang@foxmail.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/tap/rte_eth_tap.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index b0c3c8c70..62fb54286 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -540,7 +540,7 @@ tap_tx_l3_cksum(char *packet, uint64_t ol_flags, unsigned int l2_len,
}
}
-static inline void
+static inline int
tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
struct rte_mbuf **pmbufs,
uint16_t *num_packets, unsigned long *num_tx_bytes)
@@ -607,7 +607,7 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
seg_len = rte_pktmbuf_data_len(mbuf);
l234_hlen = mbuf->l2_len + mbuf->l3_len + mbuf->l4_len;
if (seg_len < l234_hlen)
- break;
+ return -1;
/* To change checksums, work on a * copy of l2, l3
* headers + l4 pseudo header
@@ -653,10 +653,12 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
/* copy the tx frame data */
n = writev(process_private->txq_fds[txq->queue_id], iovecs, j);
if (n <= 0)
- break;
+ return -1;
+
(*num_packets)++;
(*num_tx_bytes) += rte_pktmbuf_pkt_len(mbuf);
}
+ return 0;
}
/* Callback to handle sending packets from the tap interface
@@ -682,6 +684,7 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
uint16_t num_mbufs = 0;
uint16_t tso_segsz = 0;
int ret;
+ int num_tso_mbufs;
uint16_t hdrs_len;
int j;
uint64_t tso;
@@ -703,35 +706,43 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
break;
}
gso_ctx->gso_size = tso_segsz;
- ret = rte_gso_segment(mbuf_in, /* packet to segment */
+ /* 'mbuf_in' packet to segment */
+ num_tso_mbufs = rte_gso_segment(mbuf_in,
gso_ctx, /* gso control block */
(struct rte_mbuf **)&gso_mbufs, /* out mbufs */
RTE_DIM(gso_mbufs)); /* max tso mbufs */
/* ret contains the number of new created mbufs */
- if (ret < 0)
+ if (num_tso_mbufs < 0)
break;
mbuf = gso_mbufs;
- num_mbufs = ret;
+ num_mbufs = num_tso_mbufs;
} else {
/* stats.errs will be incremented */
if (rte_pktmbuf_pkt_len(mbuf_in) > max_size)
break;
/* ret 0 indicates no new mbufs were created */
- ret = 0;
+ num_tso_mbufs = 0;
mbuf = &mbuf_in;
num_mbufs = 1;
}
- tap_write_mbufs(txq, num_mbufs, mbuf,
+ ret = tap_write_mbufs(txq, num_mbufs, mbuf,
&num_packets, &num_tx_bytes);
+ if (ret == -1) {
+ txq->stats.errs++;
+ /* free tso mbufs */
+ for (j = 0; j < num_tso_mbufs; j++)
+ rte_pktmbuf_free(mbuf[j]);
+ break;
+ }
num_tx++;
/* free original mbuf */
rte_pktmbuf_free(mbuf_in);
/* free tso mbufs */
- for (j = 0; j < ret; j++)
+ for (j = 0; j < num_tso_mbufs; j++)
rte_pktmbuf_free(mbuf[j]);
}
@@ -739,7 +750,7 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
txq->stats.errs += nb_pkts - num_tx;
txq->stats.obytes += num_tx_bytes;
- return num_packets;
+ return num_tx;
}
static const char *
--
2.18.1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-26 12:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200620145944.150A81261F4@zmta02.collab.prod.int.phx2.redhat.com>
2020-06-26 12:55 ` [dpdk-stable] [PATCH 18.11] net/tap: fix mbuf double free when writev fails Kevin Traynor
2020-06-20 14:59 Yunjian Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).