From: Yuanhan Liu
Subject: Re: [PATCH] vhost: fix dequeue zero copy
Date: Wed, 19 Apr 2017 16:43:10 +0800
Message-ID: <20170419084310.GD31523@yliu-dev.sh.intel.com>
References: <1492579561-19619-1-git-send-email-yuanhan.liu@linux.intel.com>
In-Reply-To: <1492579561-19619-1-git-send-email-yuanhan.liu@linux.intel.com>
To: dev@dpdk.org
Cc: Maxime Coquelin, stable@dpdk.org
List-Id: DPDK patches and discussions

On Wed, Apr 19, 2017 at 01:26:01PM +0800, Yuanhan Liu wrote:
> For zero copy mode, we need to pin the mbuf to not let the underlying PMD
> driver (or the app) free the mbuf. Currently, only the heading mbuf is
> pinned. However, the mbuf free function would try to free all mbufs
> in the mbuf chain (-1 to the refcnt). This may lead the head mbuf being
> still pinned, while the other subsequent mbufs are actually freed. Which
> is wrong.
>
> It becomes more fatal after the mbuf refactor, more specifically, after
> the commit 8f094a9ac5d7 ("mbuf: set mbuf fields while in pool"). The
> refcnt resets to 1 after the last real reference. OTOH, it leads to a
> situation that we never know one mbuf is actually freed or not. This
> would result the mbuf __just__ after the heading mbuf being freed twice:
> it's firstly freed (and put back to mempool) when the underlying PMD
> finishes the DMA. Later, it will then be freed again when vhost unpins
> it. Meaning, one mbuf may be returned to the mempool twice, while in
> turn, being allocated twice later. Something uncertain may happen then.
> For example, the VM2VM case becomes broken.
>
> Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
>
> Cc: stable@dpdk.org
> Signed-off-by: Yuanhan Liu

Applied to dpdk-next-virtio.

	--yliu
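
The double return to the mempool described in the quoted commit message, as an added example that is not part of the original mail or of the DPDK code. It is a toy C model: `struct seg`, `chain_free` and `max_pool_returns` are hypothetical names, vhost's unpin is simplified to a chain free, and pinning every segment is an assumed remedy, since the patch body is not shown here.

```c
#include <stddef.h>

/* Toy segment: NOT the DPDK rte_mbuf, only the fields the bug depends on. */
struct seg {
    int refcnt;          /* reference count */
    int pool_returns;    /* times this segment went back to the pool */
    struct seg *next;    /* next segment in the chain */
};

/* Drop one reference on every segment, as a chain free does. A segment
 * whose count reaches zero goes back to the pool with refcnt reset to 1
 * and next cleared, mirroring the "set fields while in pool" behaviour. */
static void chain_free(struct seg *s)
{
    while (s != NULL) {
        struct seg *next = s->next;   /* read before the segment is reset */
        if (--s->refcnt == 0) {
            s->pool_returns++;
            s->refcnt = 1;
            s->next = NULL;
        }
        s = next;
    }
}

/* Build a two-segment chain, pin it, let the driver free it, then unpin.
 * Returns the highest number of pool returns seen on any one segment. */
static int max_pool_returns(int pin_whole_chain)
{
    struct seg tail = { 1, 0, NULL };
    struct seg head = { 1, 0, &tail };

    head.refcnt++;                 /* vhost pins the head */
    if (pin_whole_chain)
        tail.refcnt++;             /* assumed remedy: pin every segment */

    chain_free(&head);             /* PMD finishes the DMA, frees the chain */
    chain_free(&head);             /* vhost unpins later (simplified) */

    return head.pool_returns > tail.pool_returns
        ? head.pool_returns : tail.pool_returns;
}

int main(void)
{
    /* Exit status 0 when head-only pinning double-returns the tail
     * and whole-chain pinning returns each segment exactly once. */
    return (max_pool_returns(0) == 2 && max_pool_returns(1) == 1) ? 0 : 1;
}
```

With head-only pinning the head keeps its `next` pointer after the first free, so the second free walks into a segment that is already back in the pool with its count reset to 1.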