From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 708C5A0518
	for <public@inbox.dpdk.org>; Fri, 24 Jul 2020 14:11:30 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 6937B1C246;
	Fri, 24 Jul 2020 14:11:30 +0200 (CEST)
Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com
 [209.85.128.65]) by dpdk.org (Postfix) with ESMTP id 7CF311C246
 for <stable@dpdk.org>; Fri, 24 Jul 2020 14:11:29 +0200 (CEST)
Received: by mail-wm1-f65.google.com with SMTP id t142so1693719wmt.4
 for <stable@dpdk.org>; Fri, 24 Jul 2020 05:11:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=NaP1T/Xg/C++rFil1ZWZb5xXc6Q0co0h+vOTOt9ym40=;
 b=kf4lyeiIfiwX/hxWnqWlcYK/yb9ljnxCKJHmVkxuKkWyCkK5YuvEXiAWJYGIBLMKcP
 QT3U1XbGF63Ll1huXd5SC544ioQigYO38B1HTF9sDQbOKTbJLEx65hrXMel2SeDv1T9V
 ucSkYbQk7cOPqsaRMDEfUFIHT+y1SdqWsqQJluFsAU7J3AkISO+gF3+Jct4YjGf0SxvH
 jvX6ri3oEKUg1RuH+wY74CTDVR0TvjSen93U+EYfgZw4Hc80h8f8vMKOCvsAhypb3Pjy
 wthXjlmyCavYNMGR/mgXxb67XE9sT+0sbjk1FAHwhdLz8V14pn07iPHCK9y92mXCE1uZ
 vvWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=NaP1T/Xg/C++rFil1ZWZb5xXc6Q0co0h+vOTOt9ym40=;
 b=HaNFNr5kgCJdhjU0swypAMkBp172GGd5rOL5TPta8a3U0CFsPQ4QFRFv0iNLEDSUlz
 qDRAB8p4w7Li2A948qh6ZMbFruffKUh533DGOs08RMll7EHzjKko2u4nujFkhD3R+Jva
 nqvVTuuumfMVE9UxMHq4rM70NxiRxz5ErlLd6IQlbSH6KgQaFfiHtSTvTxNwfCnIrXgS
 bAGy4A8ucZnKBEXW5f1KkQQXizoVTfRT00HN/09FTsFlDP0OE8gtX8hRjH/ebpJyYXkf
 R3YckXWm+6Y47A0J3zmeBzE6YlbB3a0zxgJRj8oPiBI6MnopjytABhYoLssH0BVnUEk7
 7AtA==
X-Gm-Message-State: AOAM532Ydq9P5VZtmm35HOGb2dXw5Uakt+sIrYqv9cu+OyN/me1n7whN
 aP6JDepON9//aVrVx99z+ANn0ubSJUpCIg==
X-Google-Smtp-Source: ABdhPJx6vphPVOjmrjFo9jiPUJ7SVyB6i4tB3PSlBnAMIyz4jj9skSLefApKqleBiVx7dB9mOT/BxQ==
X-Received: by 2002:a1c:7315:: with SMTP id d21mr8187175wmb.108.1595592689205; 
 Fri, 24 Jul 2020 05:11:29 -0700 (PDT)
Received: from localhost ([88.98.246.218])
 by smtp.gmail.com with ESMTPSA id y189sm8235672wmd.27.2020.07.24.05.11.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 24 Jul 2020 05:11:28 -0700 (PDT)
From: luca.boccassi@gmail.com
To: Jeff Guo <jia.guo@intel.com>
Cc: Wei Zhao <wei.zhao1@intel.com>,
	dpdk stable <stable@dpdk.org>
Date: Fri, 24 Jul 2020 13:00:08 +0100
Message-Id: <20200724120030.1863487-170-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200724120030.1863487-1-luca.boccassi@gmail.com>
References: <20200724120030.1863487-1-luca.boccassi@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] patch 'net/e1000: fix crash on Tx done clean up' has
	been queued to stable release 19.11.4
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/26/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 560396caddb52bd6ea7996a95ab3523d68e8f1dd Mon Sep 17 00:00:00 2001
From: Jeff Guo <jia.guo@intel.com>
Date: Thu, 16 Jul 2020 17:24:38 +0800
Subject: [PATCH] net/e1000: fix crash on Tx done clean up

[ upstream commit 4237be2b9e250d431d465b81a0abbe5fb559d2c8 ]

As tx mbuf is not set for some advanced descriptors, if there is no
mbuf checking before rte_pktmbuf_free_seg() function be called on
the process of tx done clean up, that will cause a segfault. So add
a NULL pointer check to fix it.

Bugzilla ID: 501
Fixes: 8d907d2b79f7 ("net/igb: free consumed Tx buffers on demand")

Signed-off-by: Jeff Guo <jia.guo@intel.com>
Reviewed-by: Wei Zhao <wei.zhao1@intel.com>
---
 drivers/net/e1000/igb_rxtx.c | 188 +++++++++++++++++------------------
 1 file changed, 91 insertions(+), 97 deletions(-)

diff --git a/drivers/net/e1000/igb_rxtx.c b/drivers/net/e1000/igb_rxtx.c
index 92576b0af..5260bbe34 100644
--- a/drivers/net/e1000/igb_rxtx.c
+++ b/drivers/net/e1000/igb_rxtx.c
@@ -1295,113 +1295,107 @@ igb_tx_done_cleanup(struct igb_tx_queue *txq, uint32_t free_cnt)
 	uint16_t tx_id;    /* Current segment being processed. */
 	uint16_t tx_last;  /* Last segment in the current packet. */
 	uint16_t tx_next;  /* First segment of the next packet. */
-	int count;
-
-	if (txq != NULL) {
-		count = 0;
-		sw_ring = txq->sw_ring;
-		txr = txq->tx_ring;
-
-		/*
-		 * tx_tail is the last sent packet on the sw_ring. Goto the end
-		 * of that packet (the last segment in the packet chain) and
-		 * then the next segment will be the start of the oldest segment
-		 * in the sw_ring. This is the first packet that will be
-		 * attempted to be freed.
-		 */
-
-		/* Get last segment in most recently added packet. */
-		tx_first = sw_ring[txq->tx_tail].last_id;
-
-		/* Get the next segment, which is the oldest segment in ring. */
-		tx_first = sw_ring[tx_first].next_id;
-
-		/* Set the current index to the first. */
-		tx_id = tx_first;
-
-		/*
-		 * Loop through each packet. For each packet, verify that an
-		 * mbuf exists and that the last segment is free. If so, free
-		 * it and move on.
-		 */
-		while (1) {
-			tx_last = sw_ring[tx_id].last_id;
-
-			if (sw_ring[tx_last].mbuf) {
-				if (txr[tx_last].wb.status &
-						E1000_TXD_STAT_DD) {
-					/*
-					 * Increment the number of packets
-					 * freed.
-					 */
-					count++;
-
-					/* Get the start of the next packet. */
-					tx_next = sw_ring[tx_last].next_id;
-
-					/*
-					 * Loop through all segments in a
-					 * packet.
-					 */
-					do {
-						rte_pktmbuf_free_seg(sw_ring[tx_id].mbuf);
+	int count = 0;
+
+	if (!txq)
+		return -ENODEV;
+
+	sw_ring = txq->sw_ring;
+	txr = txq->tx_ring;
+
+	/* tx_tail is the last sent packet on the sw_ring. Goto the end
+	 * of that packet (the last segment in the packet chain) and
+	 * then the next segment will be the start of the oldest segment
+	 * in the sw_ring. This is the first packet that will be
+	 * attempted to be freed.
+	 */
+
+	/* Get last segment in most recently added packet. */
+	tx_first = sw_ring[txq->tx_tail].last_id;
+
+	/* Get the next segment, which is the oldest segment in ring. */
+	tx_first = sw_ring[tx_first].next_id;
+
+	/* Set the current index to the first. */
+	tx_id = tx_first;
+
+	/* Loop through each packet. For each packet, verify that an
+	 * mbuf exists and that the last segment is free. If so, free
+	 * it and move on.
+	 */
+	while (1) {
+		tx_last = sw_ring[tx_id].last_id;
+
+		if (sw_ring[tx_last].mbuf) {
+			if (txr[tx_last].wb.status &
+			    E1000_TXD_STAT_DD) {
+				/* Increment the number of packets
+				 * freed.
+				 */
+				count++;
+
+				/* Get the start of the next packet. */
+				tx_next = sw_ring[tx_last].next_id;
+
+				/* Loop through all segments in a
+				 * packet.
+				 */
+				do {
+					if (sw_ring[tx_id].mbuf) {
+						rte_pktmbuf_free_seg(
+							sw_ring[tx_id].mbuf);
 						sw_ring[tx_id].mbuf = NULL;
 						sw_ring[tx_id].last_id = tx_id;
+					}
 
-						/* Move to next segemnt. */
-						tx_id = sw_ring[tx_id].next_id;
-
-					} while (tx_id != tx_next);
-
-					if (unlikely(count == (int)free_cnt))
-						break;
-				} else
-					/*
-					 * mbuf still in use, nothing left to
-					 * free.
-					 */
-					break;
-			} else {
-				/*
-				 * There are multiple reasons to be here:
-				 * 1) All the packets on the ring have been
-				 *    freed - tx_id is equal to tx_first
-				 *    and some packets have been freed.
-				 *    - Done, exit
-				 * 2) Interfaces has not sent a rings worth of
-				 *    packets yet, so the segment after tail is
-				 *    still empty. Or a previous call to this
-				 *    function freed some of the segments but
-				 *    not all so there is a hole in the list.
-				 *    Hopefully this is a rare case.
-				 *    - Walk the list and find the next mbuf. If
-				 *      there isn't one, then done.
-				 */
-				if (likely((tx_id == tx_first) && (count != 0)))
-					break;
-
-				/*
-				 * Walk the list and find the next mbuf, if any.
-				 */
-				do {
 					/* Move to next segemnt. */
 					tx_id = sw_ring[tx_id].next_id;
 
-					if (sw_ring[tx_id].mbuf)
-						break;
+				} while (tx_id != tx_next);
 
-				} while (tx_id != tx_first);
-
-				/*
-				 * Determine why previous loop bailed. If there
-				 * is not an mbuf, done.
+				if (unlikely(count == (int)free_cnt))
+					break;
+			} else {
+				/* mbuf still in use, nothing left to
+				 * free.
 				 */
-				if (sw_ring[tx_id].mbuf == NULL)
-					break;
+				break;
 			}
+		} else {
+			/* There are multiple reasons to be here:
+			 * 1) All the packets on the ring have been
+			 *    freed - tx_id is equal to tx_first
+			 *    and some packets have been freed.
+			 *    - Done, exit
+			 * 2) Interfaces has not sent a rings worth of
+			 *    packets yet, so the segment after tail is
+			 *    still empty. Or a previous call to this
+			 *    function freed some of the segments but
+			 *    not all so there is a hole in the list.
+			 *    Hopefully this is a rare case.
+			 *    - Walk the list and find the next mbuf. If
+			 *      there isn't one, then done.
+			 */
+			if (likely(tx_id == tx_first && count != 0))
+				break;
+
+			/* Walk the list and find the next mbuf, if any. */
+			do {
+				/* Move to next segemnt. */
+				tx_id = sw_ring[tx_id].next_id;
+
+				if (sw_ring[tx_id].mbuf)
+					break;
+
+			} while (tx_id != tx_first);
+
+			/* Determine why previous loop bailed. If there
+			 * is not an mbuf, done.
+			 */
+			if (!sw_ring[tx_id].mbuf)
+				break;
 		}
-	} else
-		count = -ENODEV;
+	}
 
 	return count;
 }
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-07-24 12:53:55.111535714 +0100
+++ 0170-net-e1000-fix-crash-on-Tx-done-clean-up.patch	2020-07-24 12:53:48.571011751 +0100
@@ -1,8 +1,10 @@
-From 4237be2b9e250d431d465b81a0abbe5fb559d2c8 Mon Sep 17 00:00:00 2001
+From 560396caddb52bd6ea7996a95ab3523d68e8f1dd Mon Sep 17 00:00:00 2001
 From: Jeff Guo <jia.guo@intel.com>
 Date: Thu, 16 Jul 2020 17:24:38 +0800
 Subject: [PATCH] net/e1000: fix crash on Tx done clean up
 
+[ upstream commit 4237be2b9e250d431d465b81a0abbe5fb559d2c8 ]
+
 As tx mbuf is not set for some advanced descriptors, if there is no
 mbuf checking before rte_pktmbuf_free_seg() function be called on
 the process of tx done clean up, that will cause a segfault. So add
@@ -10,7 +12,6 @@
 
 Bugzilla ID: 501
 Fixes: 8d907d2b79f7 ("net/igb: free consumed Tx buffers on demand")
-Cc: stable@dpdk.org
 
 Signed-off-by: Jeff Guo <jia.guo@intel.com>
 Reviewed-by: Wei Zhao <wei.zhao1@intel.com>
@@ -19,7 +20,7 @@
  1 file changed, 91 insertions(+), 97 deletions(-)
 
 diff --git a/drivers/net/e1000/igb_rxtx.c b/drivers/net/e1000/igb_rxtx.c
-index 6411924e0..dd520cd82 100644
+index 92576b0af..5260bbe34 100644
 --- a/drivers/net/e1000/igb_rxtx.c
 +++ b/drivers/net/e1000/igb_rxtx.c
 @@ -1295,113 +1295,107 @@ igb_tx_done_cleanup(struct igb_tx_queue *txq, uint32_t free_cnt)