Rename test_l4_cksum_multi_mbufs to test_l4_cksum_mbuf_chain, resolve
double-free issue.

On Fri, Jul 3, 2026 at 10:41 PM Stephen Hemminger <
[email protected]> wrote:

> On Thu, 18 Jun 2026 14:32:42 +0800
> Su Sai <[email protected]> wrote:
>
> > The rte_raw_cksum_mbuf function is used to compute
> > the raw checksum of a packet.
> > If the packet payload stored in multi mbuf, the function
> > will goto the hard case. In hard case,
> > the variable 'tmp' is a type of uint32_t,
> > so rte_bswap16 will drop high 16 bit.
> > Meanwhile, the variable 'sum' is a type of uint32_t,
> > so 'sum += tmp' will drop the carry when overflow.
> > Both drop will make cksum incorrect.
> > This commit fixes the above bug.
> >
> > Signed-off-by: Su Sai <[email protected]>
> > Acked-by: Marat Khalili <[email protected]>
> > ---
>
> Still one error in the test.
>
> Error — double-free in test_l4_cksum_multi_mbufs() (app/test/test_cksum.c)
> The segments are chained into one packet (rte_pktmbuf_chain sets
> m[0]->next = m[1], m[1]->next = m[2]), but cleanup then calls
> rte_pktmbuf_free_bulk(m, segs_len) over the array.
> rte_pktmbuf_free_bulk walks the ->next chain of each array element, so
> index 0 frees the entire chain (m[0], m[1], m[2]), and indices 1 and 2
> then free m[1]/m[2] a second time. This fires on the normal success
> path every run, and on the fail path whenever ≥2 segments were chained
> — a debug/ASAN build will abort on the sanity check, and a normal build
> corrupts pool accounting. The array-of-independent-mbufs contract that
> free_bulk expects doesn't hold here because the elements alias one
> chain. Free the chain once through its head:
>

Reply via email to