From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 9D3D743B61;
	Wed, 21 Feb 2024 11:24:42 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id DA425406BA;
	Wed, 21 Feb 2024 11:24:41 +0100 (CET)
Received: from wfhigh6-smtp.messagingengine.com
 (wfhigh6-smtp.messagingengine.com [64.147.123.157])
 by mails.dpdk.org (Postfix) with ESMTP id 35B51402CE;
 Wed, 21 Feb 2024 11:24:41 +0100 (CET)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47])
 by mailfhigh.west.internal (Postfix) with ESMTP id D3F5218000BC;
 Wed, 21 Feb 2024 05:24:38 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute6.internal (MEProxy); Wed, 21 Feb 2024 05:24:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h=
 cc:cc:content-transfer-encoding:content-type:content-type:date
 :date:from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:subject:subject:to:to; s=fm1; t=1708511078;
 x=1708597478; bh=QBM5D/mbJXSYmKKyUMM1a093r5lb6AwxoFpbzcDz7NM=; b=
 dkuj6/MsNH0IqtTb1slzX3ZaKbuT3n5Qyz4FKI6EoFPrPa+He9NJg3Fxw5zg4O3x
 DjUYTaF2SOtU+pgtOdyF5+/Ao4B78NfGh3TJxwWfyTRmuLs1hrp7RxPGEX0oxToX
 Vyeztz3ykxgGWgTRXqsQaO4PXvKFw9fXSRpv89/n7tiKuLbMg0CB2ZxGFiCL9Sym
 Wamosugy8oRoq2PDiJbnNNjGPn5zNM/ndfCV8RT6l4/urWf47YFBelF5Tt2vMO60
 0upUm0JjMY899CU5TC36le8CtdWyXNfqpjv6mQ2Z7J8Y2/widS5Mp4w6YxeJX+bp
 JPtWuycTBls2WanMkrTYVw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:content-type:date:date:feedback-id:feedback-id
 :from:from:in-reply-to:in-reply-to:message-id:mime-version
 :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1708511078; x=
 1708597478; bh=QBM5D/mbJXSYmKKyUMM1a093r5lb6AwxoFpbzcDz7NM=; b=N
 s0WWeFwBB/IgcGCERu3dgJx7CWJz9gpfkuBdn5QdboDVvVJocTPwm4tXPLqb2vCB
 jx7UfEB1WjWqIukCcZiArjrf3UahOcTcU1Ax8Vfe1BHN1nv905hr6pbLGl+wTK8t
 Y0/pdAMwIXOEIEiIe7rSzEaNHxDnX8cQaUTwxaceLe81pvw/QLQiT+qTHyv6f4Ay
 wLjesOA+U7rFl9hK1dZBh+5jv5KtLxYRBAgzHF4aHIRDI0HgTYRZX0DrB+YefuUW
 73Nj8+janX6wG4b1oLDRJm4z0v8jBk3CXplkP38AtbH7dlpTtthWiXWSidtUIzS+
 S4W/QKN7sft+qVHkajLQA==
X-ME-Sender: <xms:Zc_VZY-Z5m19bPPEwcTD78CPRLh6wAw-rpauXKjYHQ5iJneAlOaY7Q>
 <xme:Zc_VZQv479IUlUdeBZ-UtFHxFGjAcv5543aeOypcEN6pEcj8Lk1sqaPP1GFqWTcHb
 h21CZRpPFs3t0RVeA>
X-ME-Received: <xmr:Zc_VZeDWipSU_fzJ4bZOi_I7W4MfXveeOuzfNQANftwinsQQkEX0VZtQqV0w2wFQzJJzmLjylkNTRQ3HNjOSn0orjQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfedvgdduhecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc
 fjughrpefhvfevufffkfgjfhgggfgtsehtufertddttddvnecuhfhrohhmpefvhhhomhgr
 shcuofhonhhjrghlohhnuceothhhohhmrghssehmohhnjhgrlhhonhdrnhgvtheqnecugg
 ftrfgrthhtvghrnheptefhleejgeelieeiudehveffudefieekudejkeegffeludekteeh
 udfgjeefheehnecuffhomhgrihhnpehnuhhllhdrsghuihhlugenucevlhhushhtvghruf
 hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehthhhomhgrshesmhhonhhjrghl
 ohhnrdhnvght
X-ME-Proxy: <xmx:Zc_VZYcpjpdoRjz7MNCVCL2ujxc77tkw6v4pxOm0_YDBMaBaJSTbKQ>
 <xmx:Zc_VZdO8jteh8gaQdsTNCJLOTUxuZplQabkY91-P4bdSLtyEIBsw7A>
 <xmx:Zc_VZSmU1pKpJ10iV1Zcy-v8BJUdO7cBEXjCm_9ErS7-XcSGx8KH6g>
 <xmx:Zs_VZRmyJE0zwLDsGB8Fn_chLV5Em98E4bpnNYEDjPW-TsUSt86lv_JXHr4>
Feedback-ID: i47234305:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed,
 21 Feb 2024 05:24:36 -0500 (EST)
From: Thomas Monjalon <thomas@monjalon.net>
To: Dariusz Sosnowski <dsosnowski@nvidia.com>
Cc: Yunjian Wang <wangyunjian@huawei.com>, "dev@dpdk.org" <dev@dpdk.org>,
 Ferruh Yigit <ferruh.yigit@amd.com>,
 Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>, Ori Kam <orika@nvidia.com>, 
 Matan Azrad <matan@nvidia.com>, Slava Ovsiienko <viacheslavo@nvidia.com>,
 Suanming Mou <suanmingm@nvidia.com>,
 "luyicai@huawei.com" <luyicai@huawei.com>,
 Pengfei Sun <sunpengfei16@huawei.com>, "stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [PATCH] net/mlx5: fix use after free when releasing tx queues
Date: Wed, 21 Feb 2024 11:24:34 +0100
Message-ID: <14318151.iMDcRRXYNz@thomas>
In-Reply-To: <IA1PR12MB83115A749AF6CAA13C5888C0A4502@IA1PR12MB8311.namprd12.prod.outlook.com>
References: <1708421499-42236-1-git-send-email-wangyunjian@huawei.com>
 <IA1PR12MB83115A749AF6CAA13C5888C0A4502@IA1PR12MB8311.namprd12.prod.outlook.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

20/02/2024 14:55, Dariusz Sosnowski:
> Hi,
> 
> > -----Original Message-----
> > From: Yunjian Wang <wangyunjian@huawei.com>
> > Sent: Tuesday, February 20, 2024 10:32
> > To: dev@dpdk.org
> > Cc: Dariusz Sosnowski <dsosnowski@nvidia.com>; Ori Kam
> > <orika@nvidia.com>; Matan Azrad <matan@nvidia.com>; Slava Ovsiienko
> > <viacheslavo@nvidia.com>; Suanming Mou <suanmingm@nvidia.com>;
> > luyicai@huawei.com; Pengfei Sun <sunpengfei16@huawei.com>;
> > stable@dpdk.org
> > Subject: [PATCH] net/mlx5: fix use after free when releasing tx queues
> > 
> > From: Pengfei Sun <sunpengfei16@huawei.com>
> > 
> > In function mlx5_dev_configure, dev->data->tx_queues is assigned to priv-
> > >txqs. When a member is removed from a bond, the function
> > eth_dev_tx_queue_config is called to release dev->data->tx_queues.
> > However, function mlx5_dev_close will access priv->txqs again and cause the
> > use after free problem.
> > 
> > In function mlx5_dev_close, before free priv->txqs, we add a check that dev-
> > >data->tx_queues is not NULL.
> > 
> > build/app/dpdk-testpmd -c7 -a 0000:08:00.2 --  -i --nb-cores=2
> > --total-num-mbufs=2048
> > 
> > testpmd> port stop 0
> > testpmd> create bonding device 4 0
> > testpmd> add bonding member 0 1
> > testpmd> remove bonding member 0 1
> > testpmd> quit
> > 
> > ASan reports:
> > ==2571911==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x000174529880 at pc 0x0000113c8440 bp 0xffffefae0ea0 sp 0xffffefae0eb0
> > READ of size 8 at 0x000174529880 thread T0
> >     #0 0x113c843c in mlx5_txq_release ../drivers/net/mlx5/mlx5_txq.c:
> > 1203
> >     #1 0xffdb53c in mlx5_dev_close ../drivers/net/mlx5/mlx5.c:2286
> >     #2 0xe12dc0 in rte_eth_dev_close ../lib/ethdev/rte_ethdev.c:1877
> >     #3 0x6bac1c in close_port ../app/test-pmd/testpmd.c:3540
> >     #4 0x6bc320 in pmd_test_exit ../app/test-pmd/testpmd.c:3808
> >     #5 0x6c1a94 in main ../app/test-pmd/testpmd.c:4759
> >     #6 0xffff9328f038  (/usr/lib64/libc.so.6+0x2b038)
> >     #7 0xffff9328f110 in __libc_start_main (/usr/lib64/libc.so.6+
> > 0x2b110)
> > 
> > Fixes: 6e78005 ("net/mlx5: add reference counter on DPDK Tx queues")
> > Cc: stable@dpdk.org
> > 
> > Reported-by: Yunjian Wang <wangyunjian@huawei.com>
> > Signed-off-by: Pengfei Sun <sunpengfei16@huawei.com>
> Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
> 
> Thank you for the patch.
> 
> Question to ethdev maintainers:
> 
> While reviewing this patch, I took a look at rte_eth_dev_internal_reset() which is called by bonding PMD for removed members.
> This resets Rx and Tx queue configuration, and dev->data->dev_conf,
> but not dev->data->dev_configured flag.
> So theoretically, after this call, a port can be started without port configuration, which seems invalid.
> What do you think? Should it be fixed?

Probably yes