Olivier, thank you so much for your reply, your patch post for vhost help me
understand your concern better, I totally agree. For GSO case, let me show you
a simple code to explain my issue.
struct rte_mbuf *pkt = rte_pktmbuf_alloc(mp);
virtio_dev_extbuf_alloc(pkt, data_len)
struct rte_mbuf * pkt_seg1 = rte_pktmbuf_alloc(indirect_pool);
rte_pktmbuf_attach(pkt_seg1, pkt);
rte_mbuf_ext_refcnt_update(pkt, -1);
struct rte_mbuf * pkt_seg2 = rte_pktmbuf_alloc(indirect_pool);
rte_pktmbuf_attach(pkt_seg2, pkt);
rte_mbuf_ext_refcnt_update(pkt, -1);
struct rte_mbuf *pkt_segs[2] = {pkt_seg1, pkt_seg2};
rte_eth_tx_burst(dev->port_id, qid, pkt_segs, 2);
Is it a simple test you expect? The issue here is nobody explicitly calls
rte_pktmbuf_free(pkt), rte_pktmbuf_free(pkt_segX) in PMD driver won't free
"pkt", Is it clear to you now?
At 2020-10-07 17:48:21, "Olivier Matz" <olivier.m...@6wind.com> wrote:
>Hi,
>
>On Sun, Sep 27, 2020 at 01:55:21PM +0800, yang_y_yi wrote:
>> Per GSO requirement, this is a must-have change, Jiayu, can you help review
>> this series?
>
>I can't ack this patch until I have a simple and clear test case (only
>with mbuf functions, without GSO or vhost) showing the issue we have
>today with current.
>
>> Olivier, if you used the old interface, maybe you need to change your code to
>> adapt this, I don't think we can have a better way to handle GSO case.
>
>Sorry, I don't get your point. What do I need to change in which code?
>
>(some more comments below)
>
>> At 2020-08-04 09:31:19, "yang_y_yi" <yang_y...@163.com> wrote:
>>
>> At 2020-08-03 20:34:25, "Olivier Matz" <olivier.m...@6wind.com> wrote:
>> >On Mon, Aug 03, 2020 at 05:42:13PM +0800, yang_y_yi wrote:
>> >> At 2020-08-03 16:11:39, "Olivier Matz" <olivier.m...@6wind.com> wrote:
>> >> >On Mon, Aug 03, 2020 at 09:26:40AM +0800, yang_y_yi wrote:
>> >> >> At 2020-08-03 04:29:07, "Olivier Matz" <olivier.m...@6wind.com> wrote:
>> >> >> >Hi,
>> >> >> >
>> >> >> >On Sun, Aug 02, 2020 at 07:12:36AM +0800, yang_y_yi wrote:
>> >> >> >>
>> >> >> >>
>> >> >> >> At 2020-07-31 23:15:43, "Olivier Matz" <olivier.m...@6wind.com>
>> >> >> >> wrote:
>> >> >> >> >Hi,
>> >> >> >> >
>> >> >> >> >On Thu, Jul 30, 2020 at 08:08:59PM +0800, yang_y...@163.com wrote:
>> >> >> >> >> From: Yi Yang <yangy...@inspur.com>
>> >> >> >> >>
>> >> >> >> >> In GSO case, segmented mbufs are attached to original
>> >> >> >> >> mbuf which can't be freed when it is external. The issue
>> >> >> >> >> is free_cb doesn't know original mbuf and doesn't free
>> >> >> >> >> it when refcnt of shinfo is 0.
>> >> >> >> >>
>> >> >> >> >> Original mbuf can be freed by rte_pktmbuf_free segmented
>> >> >> >> >> mbufs or by rte_pktmbuf_free original mbuf. Two kind of
>> >> >> >> >> cases should have different behaviors. free_cb won't
>> >> >> >> >> explicitly call rte_pktmbuf_free to free original mbuf
>> >> >> >> >> if it is freed by rte_pktmbuf_free original mbuf, but it
>> >> >> >> >> has to call rte_pktmbuf_free to free original mbuf if it
>> >> >> >> >> is freed by rte_pktmbuf_free segmented mbufs.
>> >> >> >> >>
>> >> >> >> >> In order to fix this issue, free_cb interface has to been
>> >> >> >> >> changed, __rte_pktmbuf_free_extbuf must deliver called
>> >> >> >> >> mbuf pointer to free_cb, argument opaque can be defined
>> >> >> >> >> as a custom struct by user, it can includes original mbuf
>> >> >> >> >> pointer, user-defined free_cb can compare caller mbuf with
>> >> >> >> >> mbuf in opaque struct, free_cb should free original mbuf
>> >> >> >> >> if they are not same, this corresponds to rte_pktmbuf_free
>> >> >> >> >> segmented mbufs case, otherwise, free_cb won't free original
>> >> >> >> >> mbuf because the caller explicitly called rte_pktmbuf_free
>> >> >> >> >> to free it.
>> >> >> >> >>
>> >> >> >> >> Here is pseduo code to show two kind of cases.
>> >> >> >> >>
>> >> >> >> >> case 1. rte_pktmbuf_free segmented mbufs
>> >> >> >> >>
>> >> >> >> >> nb_tx = rte_gso_segment(original_mbuf, /* original mbuf */
>> >> >> >> >> &gso_ctx,
>> >> >> >> >> /* segmented mbuf */
>> >> >> >> >> (struct rte_mbuf **)&gso_mbufs,
>> >> >> >> >> MAX_GSO_MBUFS);
>> >> >> >> >
>> >> >> >> >I'm sorry but it is not very clear to me what operations are done
>> >> >> >> >by
>> >> >> >> >rte_gso_segment().
>> >> >> >> >
>> >> >> >> >In the current code, I only see calls to rte_pktmbuf_attach(),
>> >> >> >> >which do not deal with external buffers. Am I missing something?
>> >> >> >> >
>> >> >> >> >Are you able to show the issue only with mbuf functions? It would
>> >> >> >> >be helpful to understand what does not work.
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >Thanks,
>> >> >> >> >Olivier
>> >> >> >> >
>> >> >> >> Oliver, thank you for comment, let me show you why it doesn't work
>> >> >> >> for my use case. In OVS DPDK, VM uses vhostuserclient to send
>> >> >> >> large packets whose size is about 64K because we enabled TSO & UFO,
>> >> >> >> these large packets use rte_mbufs allocated by DPDK virtio_net
>> >> >> >> function
>> >> >> >> virtio_dev_pktmbuf_alloc() (in file lib/librte_vhost/virtio_net.c.
>> >> >> >> Please refer to [PATCH V1 3/3], I changed free_cb as below, these
>> >> >> >> packets use the same allocate function and the same free_cb no
>> >> >> >> matter they are TCP packet or UDP packets, in case of VXLAN TSO,
>> >> >> >> most NICs can't support inner UDP fragment offload, so OVS DPDK has
>> >> >> >> to do it by software, for UDP case, the original rte_mbuf only can
>> >> >> >> be freed by segmented rte_mbufs which are output packets of
>> >> >> >> rte_gso_segment, i.e. the original rte_mbuf only can freed by
>> >> >> >> free_cb, you can see, it explicitly called
>> >> >> >> rte_pktmbuf_free(arg->mbuf), the condition statement "if (caller_m
>> >> >> >> != arg->mbuf)" is true for this case, this has no problem, but for
>> >> >> >> TCP case, the original mbuf is delivered to rte_eth_tx_burst() but
>> >> >> >> not segmented rte_mbufs output by rte_gso_segment, PMD driver will
>> >> >> >> call rte_pktmbuf_free(original_rte_mbuf) but not
>> >> >> >> rte_pktmbuf_free(segmented_rte_mbufs), the same free_cb will be
>> >> >> >> called, that means original_rte_mbuf will be freed twice, you know
>> >> >> >> what will happen, this is just the issue I'm fixing. I bring in
>> >> >> >> caller_m argument, it can help work around this because caller_m is
>> >> >> >> arg->mbuf and the condition statement "if (caller_m != arg->mbuf)"
>> >> >> >> is false, you can't fix it without the change this patch series did.
>> >> >> >
>> >> >> >I'm sill not sure to get your issue. Please, if you have a simple test
>> >> >> >case using only mbufs functions (without virtio, gso, ...), it would
>> >> >> >be
>> >> >> >very helpful because we will be sure that we are talking about the
>> >> >> >same
>> >> >> >thing. In case there is an issue, it can easily become a unit test.
>> >> >>
>> >> >> Oliver, I think you don't get the point, free operation can't be
>> >> >> controlled by the application itself,
>> >> >> it is done by PMD driver and triggered by rte_eth_tx_burst, I have
>> >> >> shown pseudo code,
>> >> >> rte_gso_segment just segments a large mbuf to multiple mbufs, it won't
>> >> >> send them, the application
>> >> >> will call rte_eth_tx_burst to send them finally.
>> >> >>
>> >> >> >
>> >> >> >That said, I looked at vhost mbuf allocation and gso segmentation, and
>> >> >> >I found some strange things:
>> >> >> >
>> >> >> >1/ In virtio_dev_extbuf_alloc(), and I there are 2 paths to create the
>> >> >> > ext mbuf.
>> >> >> >
>> >> >> > a/ The first one stores the shinfo struct in the mbuf, basically
>> >> >> > like this:
>> >> >> >
>> >> >> > pkt = rte_pktmbuf_alloc(mp);
>> >> >> > shinfo = rte_pktmbuf_mtod(pkt, struct rte_mbuf_ext_shared_info
>> >> >> > *);
>> >> >> > buf = rte_malloc(NULL, buf_len, RTE_CACHE_LINE_SIZE);
>> >> >> > shinfo->free_cb = virtio_dev_extbuf_free;
>> >> >> > shinfo->fcb_opaque = buf;
>> >> >> > rte_mbuf_ext_refcnt_set(shinfo, 1);
>> >> >> >
>> >> >> > I don't think it is a good idea, because there is no guarantee
>> >> >> > that
>> >> >> > the mbuf won't be freed before the buffer. For instance, doing
>> >> >> > this will probably fail:
>> >> >> >
>> >> >> > pkt2 = rte_pktmbuf_alloc(mp);
>> >> >> > rte_pktmbuf_attach(pkt2, pkt);
>> >> >> > rte_pktmbuf_free(pkt); /* pkt is freed, but it contains shinfo
>> >> >> > ! */
>> >> >>
>> >> >> pkt is created by the application I can control, so I can control it
>> >> >> where it will be freed, right?
>> >> >
>> >> >This example shows that mbufs allocated like this by the vhost
>> >> >driver are not constructed correctly. If an application attach a new
>> >> >packet (pkt2) to it and frees the original one (pkt), it may result in a
>> >> >memory corruption.
>> >> >
>> >> >Of course, to be tested and confirmed.
>> >>
>> >> No, attach will increase refcnt of shinfo, free_cb only is called when
>> >> refcnt of shinfo is decreased to
>> >> 0, isn't it?
>> >
>> >When pkt will be freed, it will decrement the shinfo refcnt, and
>> >after it will be 1. So the buffer won't be freed. After that, the
>> >mbuf pkt will be detached, and will return to the mbuf pool. It means
>> >it can be reallocated, and the next user can overwrite shinfo which
>> >is still stored in the mbuf data.
>>
>> I think this is an issue of DPDK itself, if external buffer in shinfo is
>> freed, shinfo should be set to NULL, if user will
>> overwrite it, he/she should use the same way as a new external buffer is
>> attached.
>
>No, there is no issue in DPDK. The lifetime of shinfo should be at least
>the same the lifetime of the buffer. If shinfo is stored in initial mbuf
>(called "pkt" in the example above), the mbuf and shinfo can be freed while
>the buffer is still in use by another packet.
>
>> >I did a test to show it, see:
>> >http://git.droids-corp.org/?p=dpdk.git;a=commitdiff;h=a617494eeb01ff
>> >
>> >If you run the mbuf autotest, it segfaults.
>>
>> I think your test is wrong, you're changing shinfo (which is being used) in
>> wrong way, if free_bc is NULL, it will be invalid.
>
>I'm changing the data of a newly allocated mbuf, it is perfectly legal.
>I happens that it points the the shinfo that is still in use.
>
>
>>
>> static inline void
>> rte_pktmbuf_attach_extbuf(struct rte_mbuf *m, void *buf_addr,
>> rte_iova_t buf_iova, uint16_t buf_len,
>> struct rte_mbuf_ext_shared_info *shinfo)
>> {
>> /* mbuf should not be read-only */
>> RTE_ASSERT(RTE_MBUF_DIRECT(m) && rte_mbuf_refcnt_read(m) == 1);
>> RTE_ASSERT(shinfo->free_cb != NULL);
>>
>> For any shinfo operation, you should do it by rte_pktmbuf_attach_extbuf, you
>> can't change it at will after that.
>>
>> >
>> >
>> >>
>> >> >
>> >> >>
>> >> >> >
>> >> >> > To do this properly, the mbuf refcnt should be increased, and
>> >> >> > the mbuf should be freed in the callback. But I don't think it's
>> >> >> > worth doing it, given the second path (b/) looks good to me.
>> >> >> >
>> >> >> > b/ The second path stores the shinfo struct at the end of the
>> >> >> > allocated buffer, like this:
>> >> >> >
>> >> >> > pkt = rte_pktmbuf_alloc(mp);
>> >> >> > buf_len += sizeof(*shinfo) + sizeof(uintptr_t);
>> >> >> > buf_len = RTE_ALIGN_CEIL(total_len, sizeof(uintptr_t));
>> >> >> > buf = rte_malloc(NULL, buf_len, RTE_CACHE_LINE_SIZE);
>> >> >> > shinfo = rte_pktmbuf_ext_shinfo_init_helper(buf, &buf_len,
>> >> >> > virtio_dev_extbuf_free,
>> >> >> > buf);
>> >> >> >
>> >> >> > I think this is correct, because we have the guarantee that
>> >> >> > shinfo
>> >> >> > exists as long as the buffer exists.
>> >> >>
>> >> >> What buffer does the allocated buffer you're saying here? The issue
>> >> >> we're discussing how we can
>> >> >> free original mbuf which owns shinfo buffer.
>> >> >
>> >> >I don't get your question.
>> >> >
>> >> >I'm just saying that this code path looks correct, compared to
>> >> >the previous one.
>> >>
>> >> I think you're challenging principle of external mbuf, that isn't the
>> >> thing I address.
>> >
>> >I'm not challenging anything, I'm saying there is a bug in this code,
>> >and the unit test above tends to confirm it.
>>
>> If it is bug, you can post a patch to fix it, it isn't related with my
>> patches. But in my opinion, you don't
>> use it in correct way, I don't think it is a bug.
>
>I'll submit a patch for this.
>
>The point is you are testing GSO on top of wrongly-constructed mbufs, so
>it would be safer for you to fix this before doing more tests.
>
>
>> >> >> >2/ in rte_gso_segment(), there is a loop like this:
>> >> >> >
>> >> >> > while (pkt_seg) {
>> >> >> > rte_mbuf_refcnt_update(pkt_seg, -1);
>> >> >> > pkt_seg = pkt_seg->next;
>> >> >> > }
>> >> >> >
>> >> >> > You change it to take in account the refcnt for ext mbufs.
>> >> >> >
>> >> >> > I may have missed something but I wonder why it is not simply:
>> >> >> >
>> >> >> > rte_pktmbuf_free(pkt_seg);
>> >> >> >
>> >> >> > It will decrease the proper refcnt, and free the mbufs if they
>> >> >> > are not used.
>> >> >>
>> >> >> Again, rte_gso_segment just decreases refcnt by one, this will ensure
>> >> >> the last segmented
>> >> >> mbuf free will trigger freeing original mbuf (only free_cb can do
>> >> >> this).
>> >> >
>> >> >rte_pktmbuf_free() will also decerase the refcnt, and free the resources
>> >> >when the refcnt reaches 0.
>> >> >
>> >> >It has some advantages compared to decrease the reference counter of all
>> >> >segments:
>> >> >
>> >> >- no need to iterate the segments, there is only one function call
>> >> >- no need to have a special case for ext mbufs like you did in your patch
>> >> >- it may be safer, in case some segments have a refcnt == 1, because
>> >> > resources will be freed.
>> >>
>> >> For external mbuf, attach only increases refcnt of shinfo, refcnt of mbuf
>> >> won't be touched. For normal
>> >> mbuf, attach only increase refcnt of mbuf, no shinfo there, no refcnt of
>> >> shinfo increased.
>> >
>> >I suppose rte_gso_segment() can take any mbuf type as input: standard
>> >mbuf, indirect mbuf, ext mbuf, or even a mbuf chaing containing segments of
>> >different types.
>> >
>> >For instance, if you pass a chain of 2 mbufs:
>> >- the first one is a direct mbuf containing the IP/TCP headers (orig_hdr)
>> >- the second on is a mbuf pointing to an ext buffer (orig_payload)
>> >
>> >I expect that the resulting mbuf after calling gso contains a list of mbufs
>> >like this:
>> >- a first segment containing the IP/TCP headers (new_hdr)
>> >- a payload segment pointing on the same ext buffer
>> >
>> >In theory, there is no reason that orig_hdr should be referenced by
>> >another new mbuf, because it only contains headers (no data). If that's
>> >the case, its refcnt is 1, and decreasing it to 0 without freeing it
>> >is a bug.
>>
>> For this user scenario, orig_m is owner of external buffer, small segmented
>> mbufs reference
>> it, you shouldn't free orig_m before all attached segmented mbufs are freed,
>> isn't it?
>
>In this case, orig_hdr has to be freed because it is a direct mbuf (not
>shared).
>The buffer pointed by orig_payload will be freed when all newly created
>segments are freed.
>
>
>> >
>> >Anyway, there is maybe no issue in that case, but I was just suggesting
>> >that using rte_pktmbuf_free() is easier to read, and safer than manually
>> >decreasing the refcnt of each segment.
>> >
>> >
>> >> >> >Again, sorry if this is not the issue your are referring to, but
>> >> >> >in this case I really think that having a simple example code that
>> >> >> >shows the issue would help.
>> >> >>
>> >> >> Oliver, my statement in the patch I sent out has pseudo code to show
>> >> >> this. I don't think a simple
>> >> >> unit test can show it.
>> >> >
>> >> >I don't see why. The PMDs and the libraries use the mbuf functions, why
>> >> >a unit test couldn't call the same functions?
>> >> >
>> >> >> Let me summarize it here again. For original mbuf, there are two cases
>> >> >> freeing
>> >> >> it, case one is PMD driver calls free against segmented mbufs, last
>> >> >> segmented mbuf free will trigger
>> >> >> free_cb call which will free original large & extended mbuf.
>> >> >
>> >> >OK
>> >> >
>> >> >> Case two is PMD driver will call free against
>> >> >> original mbuf, that also will call free_cb to free attached extended
>> >> >> buffer.
>> >> >
>> >> >OK
>> >> >
>> >> >And what makes that case 1 or case 2 is executed?
>> >> >
>> >> >> In case one free_cb must call
>> >> >> rte_pktmbuf_free otherwise nobody will free original large & extended
>> >> >> mbuf, in case two free_cb can't
>> >> >> call rte_pktmbuf_free because the caller calling it is just
>> >> >> rte_pktmbuf_free we need. That is to say, you
>> >> >> must use the same free_cb to handle these two cases, this is my issue
>> >> >> and the point you don't get.
>> >> >
>> >> >I think there is no need to change the free_cb API. It should work like
>> >> >this:
>> >> >
>> >> >- virtio creates the original external mbuf (orig_m)
>> >> >- gso will create a new mbuf referencing the external buffer (new_m)
>> >> >
>> >> >At this point, the shinfo has a refcnt of 2. The large buffer will be
>> >> >freed as soon as rte_pktmbuf_free() is called on orig_m and new_m,
>> >> >whatever the order.
>> >> >
>> >> >Regards,
>> >> >Olivier
>> >>
>> >> Oliver, the reason it works is I changed free_cb API, case 1 doesn't know
>> >> orig_m, how you make it free orig_m in free_cb.
>> >> The intention I change free_cb is to let it know orig_m, I saw OVS DPDK
>> >> ran out out buffers and orig_m isn't freed, that is why
>> >> I want to bring in this to fix the issue. Again, in case 1, nobody
>> >> explicitly calls ret_pktmbuf_free(orig_m) except free_cb I changed.
>> >
>> >If nobody calls ret_pktmbuf_free(orig_m), it is a problem.
>> >The free_cb is to free the buffer, not the mbuf.
>> >
>> >To me, it should work like this:
>> >
>> >1- virtio creates a mbuf attached to the ext buffer (the shinfo placement
>> > bug should be fixed)
>> >2- gso create mbufs that reference the the same ext buf (by attaching the
>> > new mbuf)
>> >3- gso must free the original mbuf
>>
>> This is impossible, segmented mbufs are referencing external buffer in
>> original mbuf,
>> how do you free it? As I said rte_gso_segment has no way to free it, please
>> tell me a way if
>> you know how to do this.
>
>As I said above, calling rte_mbuf_free(orig_m) will decrement the reference
>counters on all segments. The segments will be returned to the pool if the
>refcnt reaches 0.
>
>>
>> >4- the PMD transmits the new mbufs, and frees them
>> >
>> >Whatever 3- or 4- is executed first, at the end we are sure that:
>> >- all mbufs will be returned to the pool
>> >- the linear buffer will be freed when the refcnt reaches 0.
>> >
>> >If this is still unclear, please, write a unit test like I did
>> >above to show your issue.
>> >
>> >Regards,
>> >Olivier
>> >
>>
>> The issue is in "3- gso must free the original mbuf",
>> rte_pktmbuf_free(segmented_mbus) can't do it,
>> rte_gso_segment is impossible to do it, only feasible point is free_cb,
>> please let me know if you have
>> a better way to free original mbuf and don't impact on segmented mbufs in
>> PMD. My point is you must
>> have a place to call rte_pktmbuf_free(rogin_m) explicitly, otherwise it is
>> impossible to return it to memory
>> pool, please point out where it can be called in my user scenario. I don't
>> care how it is done, I just care it can
>> fix my issue, please don't hesitate and send me a patch if you can, thanks a
>> lot.
>
>Sorry, but I don't see how I can be clearer to what I explained
>in my previous answer.
>
>Please, *provide a simple test example* without gso/vhost, and I can help
>to make it work.
>
>
>Regards,
>Olivier
>
>
>> >
>> >
>> >> free_cb must handle case 1 and case 2 in the same code, for case 1,
>> >> caller_m is segmented new_m, for case 2, caller_m is orig_m.
>> >>
>> >> loop in rte_gso_segement is handling original mbuf (this mbuf is
>> >> multi-mbuf and includes multiple mbufs which are linked by next
>> >> pointer), it isn't a problem at all.
>> >>
>> >> Please show me code how you can fix my issue if you don't change free_cb,
>> >> thank you.
>> >>
>> >> struct shinfo_arg {
>> >> void *buf;
>> >> struct rte_mbuf *mbuf;
>> >> };
>> >>
>> >> virtio_dev_extbuf_free(struct rte_mbuf *caller_m, void *opaque)
>> >> {
>> >> struct shinfo_arg *arg = (struct shinfo_arg *)opaque;
>> >>
>> >> rte_free(arg->buf);
>> >> if (caller_m != arg->mbuf)
>> >> rte_pktmbuf_free(arg->mbuf);
>> >> rte_free(arg);
>> >> }
