avf: may crash if failed to allocate buffers to ring

In avf_rxq_refill, we invoke vlib_buffer_alloc_to_ring which may fill buffers from the
end of the ring and continue to the beginning of the ring. If we fill some in the end and
continue to fill some in the beginning, but does not have enough buffers to fill the
whole request, n_alloc returns a value which is not equal to n_refill to indicate partial
refill. We don't like partial refill and invoke vlib_buffer_free to get rid of
the buffers that just got refilled. However, vlib_buffer_free API is to free the buffers
from the slot continuously. It does not know how to free some from rxq->bufs[slot], and then
continue to free the rest when it reaches the end of the ring.

The fix is to use vlib_buffer_free_from_ring which is smart enough to figure that stuff
out.

Change-Id: I93c28e0b0d8d8f22c321d1a5912e00c27b4e2e8d
Signed-off-by: Steven <sluong@cisco.com>

diff --git a/src/plugins/avf/input.c b/src/plugins/avf/input.c
index 27c3683..0b1ac74 100644 (file)
--- a/src/plugins/avf/input.c
+++ b/src/plugins/avf/input.c
@@ -70,7 +70,7 @@ avf_rxq_refill (vlib_main_t * vm, vlib_node_runtime_t * node, avf_rxq_t * rxq,
       vlib_error_count (vm, node->node_index,
                        AVF_INPUT_ERROR_BUFFER_ALLOC, 1);
       if (n_alloc)
-       vlib_buffer_free (vm, rxq->bufs + slot, n_alloc);
+       vlib_buffer_free_from_ring (vm, rxq->bufs, slot, rxq->size, n_alloc);
       return;
     }