If there is any error in packet or taildrop feature is enabled,
HW can reject those packets and put them in error queue. Driver
poll this error queue to free the buffers.
DPAA driver has an issue while freeing these rejected buffers. In
case of scatter gather packets, it is preparing the mbuf SG list
by scanning the HW descriptors and once the mbuf SG list prepared,
it free only first segment of the mbuf SG list by calling the
API rte_pktmbuf_free_seg(), This will leak the memory of other
segments and mempool can be empty.
Also there is one more issue, external buffer's memory may not
belong to mempool so driver itself free the external buffer
after successfully send the packet to HW to transmit instead of
let the HW to free it. So transmit function free all the external
buffers. But driver has no check for external buffers
while freeing the rejected buffers and this can do double free the
memory which can corrupt the user pool and crashes and undefined
behaviour of system can be seen.
This patch fixes the above mentioned issue by checking each
and every segment and freeing all the segments except external.
Fixes: 9124e65dd3eb ("net/dpaa: enable Tx queue taildrop")
Cc: sta...@dpdk.org
Signed-off-by: Gagandeep Singh <g.si...@nxp.com>
Acked-by: Hemant Agrawal <hemant.agra...@nxp.com>
---
drivers/net/dpaa/dpaa_rxtx.c | 23 ++++++++---------------
1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/drivers/net/dpaa/dpaa_rxtx.c b/drivers/net/dpaa/dpaa_rxtx.c
index 4d285b4f38..ce4f3d6c85 100644
--- a/drivers/net/dpaa/dpaa_rxtx.c
+++ b/drivers/net/dpaa/dpaa_rxtx.c
@@ -455,7 +455,7 @@ dpaa_free_mbuf(const struct qm_fd *fd)
bp_info = DPAA_BPID_TO_POOL_INFO(fd->bpid);
format = (fd->opaque & DPAA_FD_FORMAT_MASK) >> DPAA_FD_FORMAT_SHIFT;
if (unlikely(format == qm_fd_sg)) {
- struct rte_mbuf *first_seg, *prev_seg, *cur_seg, *temp;
+ struct rte_mbuf *first_seg, *cur_seg;
struct qm_sg_entry *sgt, *sg_temp;
void *vaddr, *sg_vaddr;
int i = 0;
@@ -469,32 +469,25 @@ dpaa_free_mbuf(const struct qm_fd *fd)
sgt = vaddr + fd_offset;
sg_temp = &sgt[i++];
hw_sg_to_cpu(sg_temp);
- temp = (struct rte_mbuf *)
- ((char *)vaddr - bp_info->meta_data_size);
sg_vaddr = DPAA_MEMPOOL_PTOV(bp_info,
qm_sg_entry_get64(sg_temp));
-
first_seg = (struct rte_mbuf *)((char *)sg_vaddr -
bp_info->meta_data_size);
first_seg->nb_segs = 1;
- prev_seg = first_seg;
while (i < DPAA_SGT_MAX_ENTRIES) {
sg_temp = &sgt[i++];
hw_sg_to_cpu(sg_temp);
- sg_vaddr = DPAA_MEMPOOL_PTOV(bp_info,
+ if (sg_temp->bpid != 0xFF) {
+ bp_info = DPAA_BPID_TO_POOL_INFO(sg_temp->bpid);
+ sg_vaddr = DPAA_MEMPOOL_PTOV(bp_info,
qm_sg_entry_get64(sg_temp));
- cur_seg = (struct rte_mbuf *)((char *)sg_vaddr -
+ cur_seg = (struct rte_mbuf *)((char *)sg_vaddr -
bp_info->meta_data_size);
- first_seg->nb_segs += 1;
- prev_seg->next = cur_seg;
- if (sg_temp->final) {
- cur_seg->next = NULL;
- break;
+ rte_pktmbuf_free_seg(cur_seg);
}
- prev_seg = cur_seg;
+ if (sg_temp->final)
+ break;
}
-
- rte_pktmbuf_free_seg(temp);
rte_pktmbuf_free_seg(first_seg);
return 0;
}
--
2.25.1
