[PATCH] examples/qos_sched: fix buffer overflow on mbuf free

Bruce Richardson bruce.richardson at intel.com
Wed Mar 8 15:09:02 CET 2023


When running the qos_sched app with separated worker and Tx threads, the
app would seg-fault after a short time of handling packets. The root
cause of this turns out to be an incorrect array index when freeing
unsent packets post-Tx. Rather than freeing packets using the "nb_tx"
value i.e. where transmission failed, the function was freeing packets
using the "nb_pkts" value, i.e. going beyond the number of packets
previously received into the buffer.

Fixes: 39b25117c40b ("examples/qos_sched: remove Tx buffering")

Reported-by: Megha Ajmera <megha.ajmera at intel.com>
Signed-off-by: Bruce Richardson <bruce.richardson at intel.com>
---
 examples/qos_sched/app_thread.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/qos_sched/app_thread.c b/examples/qos_sched/app_thread.c
index 1ea732aa91..059c470afb 100644
--- a/examples/qos_sched/app_thread.c
+++ b/examples/qos_sched/app_thread.c
@@ -118,7 +118,7 @@ app_tx_thread(struct thread_conf **confs)
 		if (likely(nb_pkts != 0)) {
 			uint16_t nb_tx = rte_eth_tx_burst(conf->tx_port, 0, mbufs, nb_pkts);
 			if (nb_pkts != nb_tx)
-				rte_pktmbuf_free_bulk(&mbufs[nb_pkts], nb_pkts - nb_tx);
+				rte_pktmbuf_free_bulk(&mbufs[nb_tx], nb_pkts - nb_tx);
 		}
 
 		conf_idx++;
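Review bot: The free call at `&mbufs[nb_tx]` would benefit from a one-line comment stating that only the unsent tail, entries nb_tx up to nb_pkts, is freed; the removed line shows how easily the start index and the count can drift apart at this call site. The guard above it could also be written as `if (unlikely(nb_tx < nb_pkts))`, which matches the `likely()` used two lines earlier and makes the ordering assumed by the `nb_pkts - nb_tx` subtraction explicit, so a count that ever came back larger than nb_pkts would skip the free instead of producing a wrapped length.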
-- 
2.37.2


