From: Stephen Hemminger
To: dev@dpdk.org
Cc: Stephen Hemminger, pascal.mazon@6wind.com, Keith Wiles, Olga Shern
Date: Mon, 27 Apr 2020 14:39:26 -0700
Message-Id: <20200427213926.12306-1-stephen@networkplumber.org>
Subject: [dpdk-dev] [PATCH] net/tap: fix crash from uninitialized memory in rte_flow_destroy

The TAP driver does not initialize all the elements of the rte_flow
structure. This can lead to a crash in rte_flow_destroy.

(gdb) where
    flow=0x100e99280, error=0x0) at drivers/net/tap/tap_flow.c:1514
(gdb) p remote_flow
$1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b

Which is here:

static int
tap_flow_destroy_pmd(struct pmd_internals *pmd,
		     struct rte_flow *flow,
		     struct rte_flow_error *error)
{
	struct rte_flow *remote_flow = flow->remote_flow;
...
	if (remote_flow) {
		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

Simplest fix is to use rte_zmalloc() so remote_flow and other fields
are always set at zero.

Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
Cc: pascal.mazon@6wind.com

Signed-off-by: Stephen Hemminger
---
 drivers/net/tap/tap_flow.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/tap/tap_flow.c b/drivers/net/tap/tap_flow.c index 9d90361d9924..1538349e9c92 100644 --- a/drivers/net/tap/tap_flow.c +++ b/drivers/net/tap/tap_flow.c @@ -1380,7 +1380,7 @@ tap_flow_create(struct rte_eth_dev *dev, NULL, "priority value too big"); goto fail; } - flow = rte_malloc(__func__, sizeof(struct rte_flow), 0); + flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0); if (!flow) { rte_flow_error_set(error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL, "cannot allocate memory for rte_flow"); @@ -1416,7 +1416,7 @@ tap_flow_create(struct rte_eth_dev *dev, * to the local pmd->if_index. */ if (pmd->remote_if_index) { - remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0); + remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0); if (!remote_flow) { rte_flow_error_set( error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL, @@ -1693,7 +1693,7 @@ int tap_flow_implicit_create(struct pmd_internals *pmd, } }; - remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0); + remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0); if (!remote_flow) { TAP_LOG(ERR, "Cannot allocate memory for rte_flow"); goto fail; @@ -1896,7 +1896,7 @@ static int rss_enable(struct pmd_internals *pmd, return -ENOTSUP; } - rss_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0); + rss_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0); if (!rss_flow) { TAP_LOG(ERR, "Cannot allocate memory for rte_flow"); -- 2.20.1
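
Review bot: the first tap_flow_create hunk (@@ -1380) leaves the dependency on a zeroed flow->remote_flow implicit at the allocation site. The following hunk shows remote_flow being allocated only inside `if (pmd->remote_if_index)`, so when that index is zero nothing in the visible code writes the field, and tap_flow_destroy_pmd() later tests it with `if (remote_flow)`. The 0x6b6b6b6b6b6b6b6b value in the gdb output is a repeated fill byte rather than a plausible pointer, which matches a field that was read without ever being written. Consider a short comment next to the rte_zmalloc() call stating that the destroy path relies on remote_flow being NULL when no remote flow exists, or an explicit `flow->remote_flow = NULL;` after the `if (!flow)` check, so a later switch back to rte_malloc() does not reintroduce the crash.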
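
Review bot: for the tap_flow_implicit_create (@@ -1693) and rss_enable (@@ -1896) hunks, the commit message does not say which field of remote_flow or rss_flow was read uninitialized. The gdb trace covers only flow->remote_flow in tap_flow_destroy_pmd(), which is the object allocated in the first hunk. If these two changes are defensive rather than fixes for an observed crash, say so in the commit message, or name the affected field, so the scope of the Fixes: tag is clear to anyone backporting the patch.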