Currently, it is possible for mbufs to be uncleared in the sw_ring after
being returned to the application. This causes an erroneous
dual-ownership over the buffer until GVE cleans the buffer queue and
posts new mbufs, overwriting the older pointers. It is possible in such
a case for a double free to occur while tearing down rings, as both
the application and the driver could attempt to free the same mbuf.
Release ownership of the mbuf from the sw_ring as soon as appropriate to
avoid such a scenario.
Fixes: a46583cf43c8 ("net/gve: support Rx/Tx")
Fixes: 45da16b5b181 ("net/gve: support basic Rx data path for DQO")
Cc: [email protected]
Signed-off-by: Joshua Washington <[email protected]>
Reviewed-by: Jasper Tran O'Leary <[email protected]>
---
drivers/net/gve/gve_rx.c | 1 +
drivers/net/gve/gve_rx_dqo.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/net/gve/gve_rx.c b/drivers/net/gve/gve_rx.c
index 625649cdcf..cda87af294 100644
--- a/drivers/net/gve/gve_rx.c
+++ b/drivers/net/gve/gve_rx.c
@@ -152,6 +152,7 @@ gve_rx(struct gve_rx_queue *rxq, volatile struct
gve_rx_desc *rxd, uint16_t rx_i
rxe = rxq->sw_ring[rx_id];
gve_rx_mbuf(rxq, rxe, frag_size, rx_id);
+ rxq->sw_ring[rx_id] = NULL;
rxq->stats.bytes += frag_size;
if (is_first_frag) {
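Review bot: the added "rxq->sw_ring[rx_id] = NULL;" after gve_rx_mbuf() means sw_ring now holds NULL entries between receive and the next refill, so every path that walks the ring (queue release, reset, refill) has to tolerate an empty slot. None of those paths are in this hunk; please confirm they check the entry for NULL before freeing or dereferencing it. A one-line comment at the assignment saying that ownership of the mbuf passes to the application here would also make the intent clear to later readers.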
diff --git a/drivers/net/gve/gve_rx_dqo.c b/drivers/net/gve/gve_rx_dqo.c
index c4e2d32067..3665d9e4cd 100644
--- a/drivers/net/gve/gve_rx_dqo.c
+++ b/drivers/net/gve/gve_rx_dqo.c
@@ -207,6 +207,7 @@ gve_rx_burst_dqo(void *rx_queue, struct rte_mbuf **rx_pkts,
uint16_t nb_pkts)
rxm = rxq->sw_ring[rx_buf_id];
gve_completed_buf_list_push(rxq, rx_buf_id);
+ rxq->sw_ring[rx_buf_id] = NULL;
/* Free buffer and report error. */
if (unlikely(rx_desc->rx_error)) {
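Review bot: in gve_rx_burst_dqo the slot is cleared before the "if (unlikely(rx_desc->rx_error))" branch, whose comment says "Free buffer and report error", so that branch has to free through the local rxm and not through rxq->sw_ring[rx_buf_id], otherwise the buffer would leak on the error path. The branch body is not visible in this hunk, so it is worth confirming. Note also that rx_buf_id is pushed onto the completed list just before its slot is set to NULL, so the consumer of that list must treat the slot as empty until a new mbuf is posted.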
--
2.55.0.rc0.799.gd6f94ed593-goog