From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9D3D743B61; Wed, 21 Feb 2024 11:24:42 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DA425406BA; Wed, 21 Feb 2024 11:24:41 +0100 (CET) Received: from wfhigh6-smtp.messagingengine.com (wfhigh6-smtp.messagingengine.com [64.147.123.157]) by mails.dpdk.org (Postfix) with ESMTP id 35B51402CE; Wed, 21 Feb 2024 11:24:41 +0100 (CET) Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfhigh.west.internal (Postfix) with ESMTP id D3F5218000BC; Wed, 21 Feb 2024 05:24:38 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Wed, 21 Feb 2024 05:24:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1708511078; x=1708597478; bh=QBM5D/mbJXSYmKKyUMM1a093r5lb6AwxoFpbzcDz7NM=; b= dkuj6/MsNH0IqtTb1slzX3ZaKbuT3n5Qyz4FKI6EoFPrPa+He9NJg3Fxw5zg4O3x DjUYTaF2SOtU+pgtOdyF5+/Ao4B78NfGh3TJxwWfyTRmuLs1hrp7RxPGEX0oxToX Vyeztz3ykxgGWgTRXqsQaO4PXvKFw9fXSRpv89/n7tiKuLbMg0CB2ZxGFiCL9Sym Wamosugy8oRoq2PDiJbnNNjGPn5zNM/ndfCV8RT6l4/urWf47YFBelF5Tt2vMO60 0upUm0JjMY899CU5TC36le8CtdWyXNfqpjv6mQ2Z7J8Y2/widS5Mp4w6YxeJX+bp JPtWuycTBls2WanMkrTYVw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1708511078; x= 1708597478; bh=QBM5D/mbJXSYmKKyUMM1a093r5lb6AwxoFpbzcDz7NM=; b=N s0WWeFwBB/IgcGCERu3dgJx7CWJz9gpfkuBdn5QdboDVvVJocTPwm4tXPLqb2vCB jx7UfEB1WjWqIukCcZiArjrf3UahOcTcU1Ax8Vfe1BHN1nv905hr6pbLGl+wTK8t Y0/pdAMwIXOEIEiIe7rSzEaNHxDnX8cQaUTwxaceLe81pvw/QLQiT+qTHyv6f4Ay wLjesOA+U7rFl9hK1dZBh+5jv5KtLxYRBAgzHF4aHIRDI0HgTYRZX0DrB+YefuUW 73Nj8+janX6wG4b1oLDRJm4z0v8jBk3CXplkP38AtbH7dlpTtthWiXWSidtUIzS+ S4W/QKN7sft+qVHkajLQA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfedvgdduhecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufffkfgjfhgggfgtsehtufertddttddvnecuhfhrohhmpefvhhhomhgr shcuofhonhhjrghlohhnuceothhhohhmrghssehmohhnjhgrlhhonhdrnhgvtheqnecugg ftrfgrthhtvghrnheptefhleejgeelieeiudehveffudefieekudejkeegffeludekteeh udfgjeefheehnecuffhomhgrihhnpehnuhhllhdrsghuihhlugenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehthhhomhgrshesmhhonhhjrghl ohhnrdhnvght X-ME-Proxy: Feedback-ID: i47234305:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 21 Feb 2024 05:24:36 -0500 (EST) From: Thomas Monjalon To: Dariusz Sosnowski Cc: Yunjian Wang , "dev@dpdk.org" , Ferruh Yigit , Andrew Rybchenko , Ori Kam , Matan Azrad , Slava Ovsiienko , Suanming Mou , "luyicai@huawei.com" , Pengfei Sun , "stable@dpdk.org" Subject: Re: [PATCH] net/mlx5: fix use after free when releasing tx queues Date: Wed, 21 Feb 2024 11:24:34 +0100 Message-ID: <14318151.iMDcRRXYNz@thomas> In-Reply-To: References: <1708421499-42236-1-git-send-email-wangyunjian@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org 20/02/2024 14:55, Dariusz Sosnowski: > Hi, > > > -----Original Message----- > > From: Yunjian Wang > > Sent: Tuesday, February 20, 2024 10:32 > > To: dev@dpdk.org > > Cc: Dariusz Sosnowski ; Ori Kam > > ; Matan Azrad ; Slava Ovsiienko > > ; Suanming Mou ; > > luyicai@huawei.com; Pengfei Sun ; > > stable@dpdk.org > > Subject: [PATCH] net/mlx5: fix use after free when releasing tx queues > > > > From: Pengfei Sun > > > > In function mlx5_dev_configure, dev->data->tx_queues is assigned to priv- > > >txqs. When a member is removed from a bond, the function > > eth_dev_tx_queue_config is called to release dev->data->tx_queues. > > However, function mlx5_dev_close will access priv->txqs again and cause the > > use after free problem. > > > > In function mlx5_dev_close, before free priv->txqs, we add a check that dev- > > >data->tx_queues is not NULL. > > > > build/app/dpdk-testpmd -c7 -a 0000:08:00.2 -- -i --nb-cores=2 > > --total-num-mbufs=2048 > > > > testpmd> port stop 0 > > testpmd> create bonding device 4 0 > > testpmd> add bonding member 0 1 > > testpmd> remove bonding member 0 1 > > testpmd> quit > > > > ASan reports: > > ==2571911==ERROR: AddressSanitizer: heap-use-after-free on address > > 0x000174529880 at pc 0x0000113c8440 bp 0xffffefae0ea0 sp 0xffffefae0eb0 > > READ of size 8 at 0x000174529880 thread T0 > > #0 0x113c843c in mlx5_txq_release ../drivers/net/mlx5/mlx5_txq.c: > > 1203 > > #1 0xffdb53c in mlx5_dev_close ../drivers/net/mlx5/mlx5.c:2286 > > #2 0xe12dc0 in rte_eth_dev_close ../lib/ethdev/rte_ethdev.c:1877 > > #3 0x6bac1c in close_port ../app/test-pmd/testpmd.c:3540 > > #4 0x6bc320 in pmd_test_exit ../app/test-pmd/testpmd.c:3808 > > #5 0x6c1a94 in main ../app/test-pmd/testpmd.c:4759 > > #6 0xffff9328f038 (/usr/lib64/libc.so.6+0x2b038) > > #7 0xffff9328f110 in __libc_start_main (/usr/lib64/libc.so.6+ > > 0x2b110) > > > > Fixes: 6e78005 ("net/mlx5: add reference counter on DPDK Tx queues") > > Cc: stable@dpdk.org > > > > Reported-by: Yunjian Wang > > Signed-off-by: Pengfei Sun > Acked-by: Dariusz Sosnowski > > Thank you for the patch. > > Question to ethdev maintainers: > > While reviewing this patch, I took a look at rte_eth_dev_internal_reset() which is called by bonding PMD for removed members. > This resets Rx and Tx queue configuration, and dev->data->dev_conf, > but not dev->data->dev_configured flag. > So theoretically, after this call, a port can be started without port configuration, which seems invalid. > What do you think? Should it be fixed? Probably yes