[dpdk-stable] patch 'net/tap: fix mbuf double free when writev fails' has been queued to stable release 19.11.3

[luca.boccassi at gmail.com]

Hi,

FYI, your patch has been queued to stable release 19.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/21/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 908866e6fc81fb9cfd6e36518be56b0f6fe3f0e3 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian at huawei.com>
Date: Thu, 16 Apr 2020 11:04:07 +0800
Subject: [PATCH] net/tap: fix mbuf double free when writev fails

[ upstream commit 24cb500c17c6914fce4c8df278b06966d70b897d ]

When the tap_write_mbufs() function return with break, mbuf was freed
without increasing num_packets, which could cause applications to free
the mbuf again. And the pmd_tx_burst() function should returns the
number of original packets it actually sent excluding tso mbufs.

Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets")

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit at intel.com>
Acked-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/tap/rte_eth_tap.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 4b2168e440..6d54c254d7 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -520,7 +520,7 @@ tap_tx_l3_cksum(char *packet, uint64_t ol_flags, unsigned int l2_len,
 	}
 }
 
-static inline void
+static inline int
 tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
 			struct rte_mbuf **pmbufs,
 			uint16_t *num_packets, unsigned long *num_tx_bytes)
@@ -587,7 +587,7 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
 			seg_len = rte_pktmbuf_data_len(mbuf);
 			l234_hlen = mbuf->l2_len + mbuf->l3_len + mbuf->l4_len;
 			if (seg_len < l234_hlen)
-				break;
+				return -1;
 
 			/* To change checksums, work on a * copy of l2, l3
 			 * headers + l4 pseudo header
@@ -633,10 +633,12 @@ tap_write_mbufs(struct tx_queue *txq, uint16_t num_mbufs,
 		/* copy the tx frame data */
 		n = writev(process_private->txq_fds[txq->queue_id], iovecs, j);
 		if (n <= 0)
-			break;
+			return -1;
+
 		(*num_packets)++;
 		(*num_tx_bytes) += rte_pktmbuf_pkt_len(mbuf);
 	}
+	return 0;
 }
 
 /* Callback to handle sending packets from the tap interface
@@ -662,8 +664,8 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 		uint16_t num_mbufs = 0;
 		uint16_t tso_segsz = 0;
 		int ret;
+		int num_tso_mbufs;
 		uint16_t hdrs_len;
-		int j;
 		uint64_t tso;
 
 		tso = mbuf_in->ol_flags & PKT_TX_TCP_SEG;
@@ -683,43 +685,51 @@ pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 				break;
 			}
 			gso_ctx->gso_size = tso_segsz;
-			ret = rte_gso_segment(mbuf_in, /* packet to segment */
+			/* 'mbuf_in' packet to segment */
+			num_tso_mbufs = rte_gso_segment(mbuf_in,
 				gso_ctx, /* gso control block */
 				(struct rte_mbuf **)&gso_mbufs, /* out mbufs */
 				RTE_DIM(gso_mbufs)); /* max tso mbufs */
 
 			/* ret contains the number of new created mbufs */
-			if (ret < 0)
+			if (num_tso_mbufs < 0)
 				break;
 
 			mbuf = gso_mbufs;
-			num_mbufs = ret;
+			num_mbufs = num_tso_mbufs;
 		} else {
 			/* stats.errs will be incremented */
 			if (rte_pktmbuf_pkt_len(mbuf_in) > max_size)
 				break;
 
 			/* ret 0 indicates no new mbufs were created */
-			ret = 0;
+			num_tso_mbufs = 0;
 			mbuf = &mbuf_in;
 			num_mbufs = 1;
 		}
 
-		tap_write_mbufs(txq, num_mbufs, mbuf,
+		ret = tap_write_mbufs(txq, num_mbufs, mbuf,
 				&num_packets, &num_tx_bytes);
+		if (ret == -1) {
+			txq->stats.errs++;
+			/* free tso mbufs */
+			if (num_tso_mbufs > 0)
+				rte_pktmbuf_free_bulk(mbuf, num_tso_mbufs);
+			break;
+		}
 		num_tx++;
 		/* free original mbuf */
 		rte_pktmbuf_free(mbuf_in);
 		/* free tso mbufs */
-		for (j = 0; j < ret; j++)
-			rte_pktmbuf_free(mbuf[j]);
+		if (num_tso_mbufs > 0)
+			rte_pktmbuf_free_bulk(mbuf, num_tso_mbufs);
 	}
 
 	txq->stats.opackets += num_packets;
 	txq->stats.errs += nb_pkts - num_tx;
 	txq->stats.obytes += num_tx_bytes;
 
-	return num_packets;
+	return num_tx;
 }
 
 static const char *
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-05-19 14:04:48.269728872 +0100
+++ 0093-net-tap-fix-mbuf-double-free-when-writev-fails.patch	2020-05-19 14:04:44.304649968 +0100
@@ -1,15 +1,16 @@
-From 24cb500c17c6914fce4c8df278b06966d70b897d Mon Sep 17 00:00:00 2001
+From 908866e6fc81fb9cfd6e36518be56b0f6fe3f0e3 Mon Sep 17 00:00:00 2001
 From: Yunjian Wang <wangyunjian at huawei.com>
 Date: Thu, 16 Apr 2020 11:04:07 +0800
 Subject: [PATCH] net/tap: fix mbuf double free when writev fails
 
+[ upstream commit 24cb500c17c6914fce4c8df278b06966d70b897d ]
+
 When the tap_write_mbufs() function return with break, mbuf was freed
 without increasing num_packets, which could cause applications to free
 the mbuf again. And the pmd_tx_burst() function should returns the
 number of original packets it actually sent excluding tso mbufs.
 
 Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets")
-Cc: stable at dpdk.org
 
 Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
 Reviewed-by: Ferruh Yigit <ferruh.yigit at intel.com>