diff mbox series

net/ena: fix mbuf double free in fast free mode

Message ID	20240320145232.535-1-shaibran@amazon.com (mailing list archive)
State	Accepted, archived
Delegated to:	Ferruh Yigit
Headers	From: <shaibran@amazon.com> To: <ferruh.yigit@amd.com> CC: <dev@dpdk.org>, Shai Brandes <shaibran@amazon.com>, <stable@dpdk.org> Subject: [PATCH] net/ena: fix mbuf double free in fast free mode Date: Wed, 20 Mar 2024 16:52:32 +0200 Message-ID: <20240320145232.535-1-shaibran@amazon.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	net/ena: fix mbuf double free in fast free mode \| net/ena: fix mbuf double free in fast free mode

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/loongarch-compilation	success	Compilation OK
ci/loongarch-unit-testing	success	Unit Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/github-robot: build	fail	github build: failed
ci/iol-intel-Performance	success	Performance Testing PASS
ci/intel-Functional	success	Functional PASS
ci/iol-compile-amd64-testing	success	Testing PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-abi-testing	success	Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-unit-amd64-testing	success	Testing PASS
ci/iol-unit-arm64-testing	success	Testing PASS
ci/iol-compile-arm64-testing	success	Testing PASS
ci/iol-sample-apps-testing	success	Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-broadcom-Functional	success	Functional Testing PASS

Commit Message

Brandes, Shai March 20, 2024, 2:52 p.m. UTC

  From: Shai Brandes <shaibran@amazon.com>

Fixed an issue of double free of mbufs which is exposed
in mbuf fast free mode when handling multi-mbuf packets.

The faulty patch mishandled free of non-head mbufs as it
iterated over linked mbufs and collected them into an array,
which was then passed to rte_pktmbuf_free_bulk.
However, rte_pktmbuf_free_bulk already performs an internal iteration
over mbufs that are linked together which led to double free.

Fixes: 89b081e154c5 ("net/ena: fix fast mbuf free")
Cc: stable@dpdk.org

Signed-off-by: Shai Brandes <shaibran@amazon.com>
---
 drivers/net/ena/ena_ethdev.c | 39 +++++++++++-------------------------
 1 file changed, 12 insertions(+), 27 deletions(-)

Comments

Ferruh Yigit March 20, 2024, 5:14 p.m. UTC | #1

On 3/20/2024 2:52 PM, shaibran@amazon.com wrote:
> From: Shai Brandes <shaibran@amazon.com>
> 
> Fixed an issue of double free of mbufs which is exposed
> in mbuf fast free mode when handling multi-mbuf packets.
> 
> The faulty patch mishandled free of non-head mbufs as it
> iterated over linked mbufs and collected them into an array,
> which was then passed to rte_pktmbuf_free_bulk.
> However, rte_pktmbuf_free_bulk already performs an internal iteration
> over mbufs that are linked together which led to double free.
> 
> Fixes: 89b081e154c5 ("net/ena: fix fast mbuf free")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Shai Brandes <shaibran@amazon.com>
>

Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>

Applied to dpdk-next-net/main, thanks.

diff mbox series

Patch

diff --git a/drivers/net/ena/ena_ethdev.c b/drivers/net/ena/ena_ethdev.c
index 7b697c150a..66fc287faf 100644
--- a/drivers/net/ena/ena_ethdev.c
+++ b/drivers/net/ena/ena_ethdev.c
@@ -48,10 +48,10 @@ 
 #define MAX_WIDE_LLQ_DEPTH_UNSUPPORTED 0
 
 /*
- * We should try to keep ENA_CLEANUP_BUF_SIZE lower than
+ * We should try to keep ENA_CLEANUP_BUF_THRESH lower than
  * RTE_MEMPOOL_CACHE_MAX_SIZE, so we can fit this in mempool local cache.
  */
-#define ENA_CLEANUP_BUF_SIZE	256
+#define ENA_CLEANUP_BUF_THRESH	256
 
 #define ENA_PTYPE_HAS_HASH	(RTE_PTYPE_L4_TCP | RTE_PTYPE_L4_UDP)
 
@@ -3180,32 +3180,12 @@  static int ena_xmit_mbuf(struct ena_ring *tx_ring, struct rte_mbuf *mbuf)
 	return 0;
 }
 
-static __rte_always_inline size_t
-ena_tx_cleanup_mbuf_fast(struct rte_mbuf **mbufs_to_clean,
-			 struct rte_mbuf *mbuf,
-			 size_t mbuf_cnt,
-			 size_t buf_size)
-{
-	struct rte_mbuf *m_next;
-
-	while (mbuf != NULL) {
-		m_next = mbuf->next;
-		mbufs_to_clean[mbuf_cnt++] = mbuf;
-		if (mbuf_cnt == buf_size) {
-			rte_pktmbuf_free_bulk(mbufs_to_clean, mbuf_cnt);
-			mbuf_cnt = 0;
-		}
-		mbuf = m_next;
-	}
-
-	return mbuf_cnt;
-}
-
 static int ena_tx_cleanup(void *txp, uint32_t free_pkt_cnt)
 {
-	struct rte_mbuf *mbufs_to_clean[ENA_CLEANUP_BUF_SIZE];
+	struct rte_mbuf *pkts_to_clean[ENA_CLEANUP_BUF_THRESH];
 	struct ena_ring *tx_ring = (struct ena_ring *)txp;
 	size_t mbuf_cnt = 0;
+	size_t pkt_cnt = 0;
 	unsigned int total_tx_descs = 0;
 	unsigned int total_tx_pkts = 0;
 	uint16_t cleanup_budget;
@@ -3236,8 +3216,13 @@  static int ena_tx_cleanup(void *txp, uint32_t free_pkt_cnt)
 
 		mbuf = tx_info->mbuf;
 		if (fast_free) {
-			mbuf_cnt = ena_tx_cleanup_mbuf_fast(mbufs_to_clean, mbuf, mbuf_cnt,
-				ENA_CLEANUP_BUF_SIZE);
+			pkts_to_clean[pkt_cnt++] = mbuf;
+			mbuf_cnt += mbuf->nb_segs;
+			if (mbuf_cnt >= ENA_CLEANUP_BUF_THRESH) {
+				rte_pktmbuf_free_bulk(pkts_to_clean, pkt_cnt);
+				mbuf_cnt = 0;
+				pkt_cnt = 0;
+			}
 		} else {
 			rte_pktmbuf_free(mbuf);
 		}
@@ -3260,7 +3245,7 @@  static int ena_tx_cleanup(void *txp, uint32_t free_pkt_cnt)
 	}
 
 	if (mbuf_cnt != 0)
-		rte_pktmbuf_free_bulk(mbufs_to_clean, mbuf_cnt);
+		rte_pktmbuf_free_bulk(pkts_to_clean, pkt_cnt);
 
 	/* Notify completion handler that full cleanup was performed */
 	if (free_pkt_cnt == 0 || total_tx_pkts < cleanup_budget)