From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id E28A3A051A for ; Sat, 20 Jun 2020 16:59:38 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 9FD971BFA3; Sat, 20 Jun 2020 16:59:38 +0200 (CEST) Received: from qq.com (out203-205-221-192.mail.qq.com [203.205.221.192]) by dpdk.org (Postfix) with ESMTP id E48391BFA3 for ; Sat, 20 Jun 2020 16:59:34 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512; t=1592665171; bh=wDqrWlWV8ty7Cy67WBhR310DSLmkoDCBrb1S6vAEr3E=; h=From:To:Cc:Subject:Date; b=vhYbcvC8i4ehdzzxShvg7Msv0SibKPlK5R9Vx4o4cKp5Ay8HQ9EjHof+thkfaV5/D i9T6XFnWMeeIq+LMO36rjgsAF+9WeMJUyjLqHZng3zh0p5Ybw9kIDFTKQbESn7omEN bupVLuQqfOlG6nmW1U/MACiw8/c24EsDABy2oiAc= Received: from localhost.localdomain ([117.147.70.170]) by newxmesmtplogicsvrszb6.qq.com (NewEsmtp) with SMTP id EDB3EA35; Sat, 20 Jun 2020 22:59:27 +0800 X-QQ-mid: xmsmtpt1592665167t0wpxgvnn Messag-ID: X-QQ-XMAILINFO: OQSsnJQMHHxNF3NdnnTldLiwG+AM1t09IZxpoGDcwgfsP20I5yOc7WgFKnRRt0 PDq0LCqRaLaEhYDBqsDlmW+7StvnJ5v8uEIKtIre9d/tlex/TytarnzNIHdPW3NRC46dwGU8RhM7 1I6X/co9P83NpmrEACmTi0BDGaztLvAyenmxgKdRwyjkZMjUdrnQCSgQ/9auzbzezGn5/4Tg1aoo uwPSPsXq27V+1XABfKn3Ao7iN0zba8VDpA9DtU/pwOZ3ue19c1UYPoNiNawpR1OhynNVVN2Uzr5K aiG7+xtad8FXSmvljv4riOzh4fOdwEZZvZxUU2C9+X7yZJhlEUZV6BvsAuYBBxCxmmft/S1MJ5MO iwFubyOKF7YI7ZdswjS070ygSceXPgPxKeBzW/0Cdqtn5/W8j/MyXLatrtJXWRgGfKS/4hgeQRqg Sn0lXuZF5S25vPkt8HbSYXatQmDzp9Il9/rcgSdpb8rqbaGRH+CV0lcEFwzKeY2OJQLgZVuZneVh 0IdwCvyhuVg39RZiyiZ6pMlHnVv3snnKRfcTT4GMr64oFO/LHyTkna2pTVNNhrtqZ6xpH4P54AF5 QhtG9+GvTaQdv1rkRNIeQJvAFZHV66hMV7cUiBLjtBmmY0i87r+0TCDLTUmZw03hIysCvrpTduhi oUolqdZkg3a5YOWCSXlxwOa2C6hfdjMx4q2UJtZZgFMeCHl6iQWyI38CZBXCmh+LxBH5ke8jOXZL uANa3hlFJ4N1jQdWMmYIfrYQ== From: Yunjian Wang To: stable@dpdk.org Cc: ktraynor@redhat.com, Yunjian Wang , Ferruh Yigit , Stephen Hemminger Date: Sat, 20 Jun 2020 22:59:16 +0800 X-OQ-MSGID: X-Mailer: git-send-email 2.20.1.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-stable] [PATCH 18.11] net/tap: fix mbuf double free when writev fails X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Message-Id: <20200620145938.9FD971BFA3@dpdk.org> [ upstream commit 710aa4279097e9ee5a131b7e0732e5a8ef8bcfc1 ] When the tap_write_mbufs() function return with break, mbuf was freed without increasing num_packets, which could cause applications to free the mbuf again. And the pmd_tx_burst() function should returns the number of original packets it actually sent excluding tso mbufs. Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets") Signed-off-by: Yunjian Wang Reviewed-by: Ferruh Yigit Acked-by: Stephen Hemminger --- drivers/net/tap/rte_eth_tap.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index b0c3c8c70..62fb54286 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -540,7 +540,7 @@ tap_tx_l3_cksum(char *packet, uint64_t ol_flags, unsigned int l2_len, } } -static inline void +static inline int tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs, struct rte_mbuf **pmbufs, uint16_t *num_packets, unsigned long *num_tx_bytes) @@ -607,7 +607,7 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs, seg_len = rte_pktmbuf_data_len(mbuf); l234_hlen = mbuf->l2_len + mbuf->l3_len + mbuf->l4_len; if (seg_len < l234_hlen) - break; + return -1; /* To change checksums, work on a * copy of l2, l3 * headers + l4 pseudo header @@ -653,10 +653,12 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs, /* copy the tx frame data */ n = writev(process_private->txq_fds[txq->queue_id], iovecs, j); if (n <= 0) - break; + return -1; + (*num_packets)++; (*num_tx_bytes) += rte_pktmbuf_pkt_len(mbuf); } + return 0; } /* Callback to handle sending packets from the tap interface @@ -682,6 +684,7 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) uint16_t num_mbufs = 0; uint16_t tso_segsz = 0; int ret; + int num_tso_mbufs; uint16_t hdrs_len; int j; uint64_t tso; @@ -703,35 +706,43 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) break; } gso_ctx->gso_size = tso_segsz; - ret = rte_gso_segment(mbuf_in, /* packet to segment */ + /* 'mbuf_in' packet to segment */ + num_tso_mbufs = rte_gso_segment(mbuf_in, gso_ctx, /* gso control block */ (struct rte_mbuf **)&gso_mbufs, /* out mbufs */ RTE_DIM(gso_mbufs)); /* max tso mbufs */ /* ret contains the number of new created mbufs */ - if (ret < 0) + if (num_tso_mbufs < 0) break; mbuf = gso_mbufs; - num_mbufs = ret; + num_mbufs = num_tso_mbufs; } else { /* stats.errs will be incremented */ if (rte_pktmbuf_pkt_len(mbuf_in) > max_size) break; /* ret 0 indicates no new mbufs were created */ - ret = 0; + num_tso_mbufs = 0; mbuf = &mbuf_in; num_mbufs = 1; } - tap_write_mbufs(txq, num_mbufs, mbuf, + ret = tap_write_mbufs(txq, num_mbufs, mbuf, &num_packets, &num_tx_bytes); + if (ret == -1) { + txq->stats.errs++; + /* free tso mbufs */ + for (j = 0; j < num_tso_mbufs; j++) + rte_pktmbuf_free(mbuf[j]); + break; + } num_tx++; /* free original mbuf */ rte_pktmbuf_free(mbuf_in); /* free tso mbufs */ - for (j = 0; j < ret; j++) + for (j = 0; j < num_tso_mbufs; j++) rte_pktmbuf_free(mbuf[j]); } @@ -739,7 +750,7 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) txq->stats.errs += nb_pkts - num_tx; txq->stats.obytes += num_tx_bytes; - return num_packets; + return num_tx; } static const char * -- 2.18.1