[v2] mbuf: fix reset on mbuf free
Checks
Commit Message
m->nb_seg must be reset on mbuf free whatever the value of m->next,
because it can happen that m->nb_seg is != 1. For instance in this
case:
m1 = rte_pktmbuf_alloc(mp);
rte_pktmbuf_append(m1, 500);
m2 = rte_pktmbuf_alloc(mp);
rte_pktmbuf_append(m2, 500);
rte_pktmbuf_chain(m1, m2);
m0 = rte_pktmbuf_alloc(mp);
rte_pktmbuf_append(m0, 500);
rte_pktmbuf_chain(m0, m1);
As rte_pktmbuf_chain() does not reset nb_seg in the initial m1
segment (this is not required), after this code the mbuf chain
have 3 segments:
- m0: next=m1, nb_seg=3
- m1: next=m2, nb_seg=2
- m2: next=NULL, nb_seg=1
Then split this chain between m1 and m2, it would result in 2 packets:
- first packet
- m0: next=m1, nb_seg=3
- m1: next=m2, nb_seg=2
- second packet
- m2: next=NULL, nb_seg=1
Freeing the first packet will not restore nb_seg=1 in the second
segment. This is an issue because it is expected that mbufs stored
in pool have their nb_seg field set to 1.
Fixes: 8f094a9ac5d7 ("mbuf: set mbuf fields while in pool")
Cc: stable@dpdk.org
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
lib/librte_mbuf/rte_mbuf.c | 4 ++--
lib/librte_mbuf/rte_mbuf.h | 8 ++++----
lib/librte_mbuf/rte_mbuf_core.h | 13 +++++++++++--
3 files changed, 17 insertions(+), 8 deletions(-)
Comments
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Olivier Matz
>
> m->nb_seg must be reset on mbuf free whatever the value of m->next,
> because it can happen that m->nb_seg is != 1. For instance in this
> case:
>
> m1 = rte_pktmbuf_alloc(mp);
> rte_pktmbuf_append(m1, 500);
> m2 = rte_pktmbuf_alloc(mp);
> rte_pktmbuf_append(m2, 500);
> rte_pktmbuf_chain(m1, m2);
> m0 = rte_pktmbuf_alloc(mp);
> rte_pktmbuf_append(m0, 500);
> rte_pktmbuf_chain(m0, m1);
>
> As rte_pktmbuf_chain() does not reset nb_seg in the initial m1
> segment (this is not required), after this code the mbuf chain
> have 3 segments:
> - m0: next=m1, nb_seg=3
> - m1: next=m2, nb_seg=2
> - m2: next=NULL, nb_seg=1
>
> Then split this chain between m1 and m2, it would result in 2 packets:
> - first packet
> - m0: next=m1, nb_seg=3
> - m1: next=m2, nb_seg=2
I think you mean:
- m0: next=m1, nb_seg=2 //< nb_seg corrected
- m1: next=NULL, nb_seg=2 //< next corrected
> - second packet
> - m2: next=NULL, nb_seg=1
>
> Freeing the first packet will not restore nb_seg=1 in the second
> segment. This is an issue because it is expected that mbufs stored
> in pool have their nb_seg field set to 1.
>
> Fixes: 8f094a9ac5d7 ("mbuf: set mbuf fields while in pool")
> Cc: stable@dpdk.org
>
> Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
The code looks good, so:
Acked-by: Morten Brørup <mb@smartsharesystems.com>
On Fri, Dec 18, 2020 at 5:18 AM Morten Brørup <mb@smartsharesystems.com> wrote:
>
> > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Olivier Matz
> >
> > m->nb_seg must be reset on mbuf free whatever the value of m->next,
> > because it can happen that m->nb_seg is != 1. For instance in this
> > case:
> >
> > m1 = rte_pktmbuf_alloc(mp);
> > rte_pktmbuf_append(m1, 500);
> > m2 = rte_pktmbuf_alloc(mp);
> > rte_pktmbuf_append(m2, 500);
> > rte_pktmbuf_chain(m1, m2);
> > m0 = rte_pktmbuf_alloc(mp);
> > rte_pktmbuf_append(m0, 500);
> > rte_pktmbuf_chain(m0, m1);
> >
> > As rte_pktmbuf_chain() does not reset nb_seg in the initial m1
> > segment (this is not required), after this code the mbuf chain
> > have 3 segments:
> > - m0: next=m1, nb_seg=3
> > - m1: next=m2, nb_seg=2
> > - m2: next=NULL, nb_seg=1
> >
> > Then split this chain between m1 and m2, it would result in 2 packets:
> > - first packet
> > - m0: next=m1, nb_seg=3
> > - m1: next=m2, nb_seg=2
>
> I think you mean:
>
> - m0: next=m1, nb_seg=2 //< nb_seg corrected
> - m1: next=NULL, nb_seg=2 //< next corrected
>
> > - second packet
> > - m2: next=NULL, nb_seg=1
> >
> > Freeing the first packet will not restore nb_seg=1 in the second
> > segment. This is an issue because it is expected that mbufs stored
> > in pool have their nb_seg field set to 1.
> >
> > Fixes: 8f094a9ac5d7 ("mbuf: set mbuf fields while in pool")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
>
> The code looks good, so:
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
@@ -129,10 +129,10 @@ rte_pktmbuf_free_pinned_extmem(void *addr, void *opaque)
rte_mbuf_ext_refcnt_set(m->shinfo, 1);
m->ol_flags = EXT_ATTACHED_MBUF;
- if (m->next != NULL) {
+ if (m->next != NULL)
m->next = NULL;
+ if (m->nb_segs != 1)
m->nb_segs = 1;
- }
rte_mbuf_raw_free(m);
}
@@ -1340,10 +1340,10 @@ rte_pktmbuf_prefree_seg(struct rte_mbuf *m)
return NULL;
}
- if (m->next != NULL) {
+ if (m->next != NULL)
m->next = NULL;
+ if (m->nb_segs != 1)
m->nb_segs = 1;
- }
return m;
@@ -1357,10 +1357,10 @@ rte_pktmbuf_prefree_seg(struct rte_mbuf *m)
return NULL;
}
- if (m->next != NULL) {
+ if (m->next != NULL)
m->next = NULL;
+ if (m->nb_segs != 1)
m->nb_segs = 1;
- }
rte_mbuf_refcnt_set(m, 1);
return m;
@@ -495,7 +495,12 @@ struct rte_mbuf {
* or non-atomic) is controlled by the RTE_MBUF_REFCNT_ATOMIC flag.
*/
uint16_t refcnt;
- uint16_t nb_segs; /**< Number of segments. */
+
+ /**
+ * Number of segments. Only valid for the first segment of an mbuf
+ * chain.
+ */
+ uint16_t nb_segs;
/** Input port (16 bits to support more than 256 virtual ports).
* The event eth Tx adapter uses this field to specify the output port.
@@ -591,7 +596,11 @@ struct rte_mbuf {
/* second cache line - fields only used in slow path or on TX */
RTE_MARKER cacheline1 __rte_cache_min_aligned;
- struct rte_mbuf *next; /**< Next segment of scattered packet. */
+ /**
+ * Next segment of scattered packet. Must be NULL in the last segment or
+ * in case of non-segmented packet.
+ */
+ struct rte_mbuf *next;
/* fields to support TX offloads */
RTE_STD_C11