    static uint16_t
    pmd_tx_burst(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
    .
    .
    tap_write_mbufs(txq, num_mbufs, mbuf, &num_packets, &num_tx_bytes);
    num_tx++;
    /* free original mbuf */
    rte_pktmbuf_free(mbuf_in);
    .
    .

If tap_write_mbufs fails to send packets (i.e. num_packets < num_mbufs)

In my situation I'm sending exactly one packet and it fails to send, num_packets is passed out as zero, pmd_tx_burst frees the original buffer and returns 1 back. I then free the buffer because tx_burst returned zero, and this results in a double free.

I agree with the problem, it seems to come from commit: 9396ad334672 ("net/tap: fix reported number of Tx packets")

Reverting the above commit can solve the problem, but the error packet calculation still seems wrong; it may be good to fix it too.

Assigning to Raslan, author of the above commit.

Fixed by

commit 24cb500c17c6914fce4c8df278b06966d70b897d
Author: Yunjian Wang <wangyunjian@huawei.com>
Date:   Thu Apr 16 11:04:07 2020 +0800

    net/tap: fix mbuf double free when writev fails

    When the tap_write_mbufs() function return with break, mbuf was freed
    without increasing num_packets, which could cause applications to free
    the mbuf again. And the pmd_tx_burst() function should returns the
    number of original packets it actually sent excluding tso mbufs.

    Fixes: 9396ad334672 ("net/tap: fix reported number of Tx packets")
    Cc: stable@dpdk.org

    Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
    Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
    Acked-by: Stephen Hemminger <stephen@networkplumber.org>
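
The ownership rule behind this bug, as a simplified model added here for illustration (not DPDK code and not the fix commit itself): a tx burst function may free only the packets it reports as sent, because the caller frees the rest. `struct pkt`, its `write_ok` flag, `max_frees` and both burst functions are hypothetical names, and frees are counted rather than performed so the double free is observable without corrupting memory.

```c
#include <stdio.h>

/* Constructed stand-in for an mbuf: records how often it has been freed. */
struct pkt { int write_ok; int frees; };
static void pkt_free(struct pkt *p) { p->frees++; }

/* Reported pattern: freed even when the write failed, yet not counted as sent. */
static unsigned tx_burst_buggy(struct pkt **pkts, unsigned n) {
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++) {
        int ok = pkts[i]->write_ok;
        pkt_free(pkts[i]);          /* driver gives up ownership regardless */
        if (!ok) break;             /* ...but the packet is not reported as sent */
        sent++;
    }
    return sent;
}

/* Consistent pattern: stop at the first failed write and leave it unfreed. */
static unsigned tx_burst_fixed(struct pkt **pkts, unsigned n) {
    unsigned sent = 0;
    for (unsigned i = 0; i < n && pkts[i]->write_ok; i++) {
        pkt_free(pkts[i]);
        sent++;
    }
    return sent;
}

/* Caller: frees every packet not reported as sent, then returns the highest
 * per-packet free count (2 or more means a double free happened). */
static int max_frees(unsigned (*burst)(struct pkt **, unsigned),
                     const int *write_ok, unsigned n) {
    struct pkt store[8], *pkts[8];
    int worst = 0;
    if (n > 8) n = 8;
    for (unsigned i = 0; i < n; i++) {
        store[i] = (struct pkt){ write_ok[i], 0 };
        pkts[i] = &store[i];
    }
    for (unsigned i = burst(pkts, n); i < n; i++)
        pkt_free(pkts[i]);          /* caller still owns the unsent packets */
    for (unsigned i = 0; i < n; i++)
        if (store[i].frees > worst) worst = store[i].frees;
    return worst;
}

static const int ONE_FAILS[] = { 0 };   /* constructed: one packet, write fails */
int main(void) {
    printf("buggy=%d fixed=%d\n", max_frees(tx_burst_buggy, ONE_FAILS, 1),
           max_frees(tx_burst_fixed, ONE_FAILS, 1));
}
```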