DPDK patches and discussions
* [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
@ 2020-04-27 21:39 Stephen Hemminger
  2020-04-28  7:40 ` David Marchand
  2020-05-01 16:01 ` Ferruh Yigit
  0 siblings, 2 replies; 6+ messages in thread
From: Stephen Hemminger @ 2020-04-27 21:39 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, pascal.mazon, Keith Wiles, Olga Shern

The TAP driver does not initialize all the elements of the rte_flow
structure. This can lead to crash in rte_flow_destroy.

(gdb) where
    flow=0x100e99280, error=0x0)
    at drivers/net/tap/tap_flow.c:1514

(gdb) p remote_flow
$1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b

Which is here:
static int
tap_flow_destroy_pmd(struct pmd_internals *pmd,
		     struct rte_flow *flow,
		     struct rte_flow_error *error)
{
	struct rte_flow *remote_flow = flow->remote_flow;
...
	if (remote_flow) {
		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

Simplest fix is to use rte_zmalloc() so remote_flow and other fields
are always set at zero.

Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
Cc: pascal.mazon@6wind.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/tap/tap_flow.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/tap/tap_flow.c b/drivers/net/tap/tap_flow.c
index 9d90361d9924..1538349e9c92 100644
--- a/drivers/net/tap/tap_flow.c
+++ b/drivers/net/tap/tap_flow.c
@@ -1380,7 +1380,7 @@ tap_flow_create(struct rte_eth_dev *dev,
 			NULL, "priority value too big");
 		goto fail;
 	}
-	flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+	flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 	if (!flow) {
 		rte_flow_error_set(error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				   NULL, "cannot allocate memory for rte_flow");
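Review bot: The zeroing at `flow = rte_zmalloc(...)` is now the only thing that keeps `flow->remote_flow` NULL for flows that never get a remote counterpart, and nothing at the allocation says so. A short comment here, or an explicit `flow->remote_flow = NULL;` after the `if (!flow)` check, would record that the `if (remote_flow)` test in tap_flow_destroy_pmd() depends on it, so a later change of allocator does not silently bring the crash back.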
@@ -1416,7 +1416,7 @@ tap_flow_create(struct rte_eth_dev *dev,
 	 * to the local pmd->if_index.
 	 */
 	if (pmd->remote_if_index) {
-		remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+		remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 		if (!remote_flow) {
 			rte_flow_error_set(
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL,
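Review bot: Style point on the changed line inside `if (pmd->remote_if_index)`: `sizeof(struct rte_flow)` repeats the type name instead of following the variable being assigned. Writing `rte_zmalloc(__func__, sizeof(*remote_flow), 0)` keeps the size tied to the pointer if its type ever changes; the same applies to the other three allocations this patch touches.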
@@ -1693,7 +1693,7 @@ int tap_flow_implicit_create(struct pmd_internals *pmd,
 		}
 	};
 
-	remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+	remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 	if (!remote_flow) {
 		TAP_LOG(ERR, "Cannot allocate memory for rte_flow");
 		goto fail;
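Review bot: The commit message documents only the uninitialised read of `flow->remote_flow` in tap_flow_destroy_pmd(); for this `remote_flow` allocation in tap_flow_implicit_create() it does not say which field was read before being written. Please state in the log whether this site had an observed failure or is being zeroed defensively, so that backporters can judge the change against the `Fixes:` tag.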
@@ -1896,7 +1896,7 @@ static int rss_enable(struct pmd_internals *pmd,
 			return -ENOTSUP;
 		}
 
-		rss_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+		rss_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 		if (!rss_flow) {
 			TAP_LOG(ERR,
 				"Cannot allocate memory for rte_flow");
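Review bot: The call `rte_zmalloc(__func__, sizeof(struct rte_flow), 0)` is now duplicated at four sites, this `rss_flow` one in rss_enable() included, so an allocation added later can easily miss the zeroing. Consider a small static helper in tap_flow.c that returns a zeroed `struct rte_flow` and using it at all four sites.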
-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
  2020-04-27 21:39 [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy Stephen Hemminger
@ 2020-04-28  7:40 ` David Marchand
  2020-05-01 16:01 ` Ferruh Yigit
  1 sibling, 0 replies; 6+ messages in thread
From: David Marchand @ 2020-04-28  7:40 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev, pascal.mazon, Keith Wiles, Olga Shern

On Mon, Apr 27, 2020 at 11:39 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The TAP driver does not initialize all the elements of the rte_flow
> structure. This can lead to crash in rte_flow_destroy.
>
> (gdb) where
>     flow=0x100e99280, error=0x0)
>     at drivers/net/tap/tap_flow.c:1514
>
> (gdb) p remote_flow
> $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
>
> Which is here:
> static int
> tap_flow_destroy_pmd(struct pmd_internals *pmd,
>                      struct rte_flow *flow,
>                      struct rte_flow_error *error)
> {
>         struct rte_flow *remote_flow = flow->remote_flow;
> ...
>         if (remote_flow) {
>                 remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
>
> Simplest fix is to use rte_zmalloc() so remote_flow and other fields
> are always set at zero.
>
> Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
> Cc: pascal.mazon@6wind.com

Not sure why you copied Pascal (I'd say he stopped working on dpdk 2 years ago).
Please use the devtools/get-maintainer.sh script.
Thanks.


-- 
David Marchand


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
  2020-04-27 21:39 [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy Stephen Hemminger
  2020-04-28  7:40 ` David Marchand
@ 2020-05-01 16:01 ` Ferruh Yigit
  2020-05-01 16:19   ` Stephen Hemminger
  1 sibling, 1 reply; 6+ messages in thread
From: Ferruh Yigit @ 2020-05-01 16:01 UTC (permalink / raw)
  To: Stephen Hemminger, dev; +Cc: Anatoly Burakov, Keith Wiles, Olga Shern

On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
> The TAP driver does not initialize all the elements of the rte_flow
> structure. This can lead to crash in rte_flow_destroy.
> 
> (gdb) where
>     flow=0x100e99280, error=0x0)
>     at drivers/net/tap/tap_flow.c:1514
> 
> (gdb) p remote_flow
> $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
> 
> Which is here:
> static int
> tap_flow_destroy_pmd(struct pmd_internals *pmd,
> 		     struct rte_flow *flow,
> 		     struct rte_flow_error *error)
> {
> 	struct rte_flow *remote_flow = flow->remote_flow;
> ...
> 	if (remote_flow) {
> 		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
> 
> Simplest fix is to use rte_zmalloc() so remote_flow and other fields
> are always set at zero.

Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
MALLOC_DEBUG config option set [1], if this is not the case the issue can be
still valid after this change.


[1]
http://lxr.dpdk.org/dpdk/v20.02/source/lib/librte_eal/common/rte_malloc.c#L83

> 
> Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
> Cc: pascal.mazon@6wind.com
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

<...>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
  2020-05-01 16:01 ` Ferruh Yigit
@ 2020-05-01 16:19   ` Stephen Hemminger
  2020-05-05  8:09     ` Ferruh Yigit
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Hemminger @ 2020-05-01 16:19 UTC (permalink / raw)
  To: Ferruh Yigit; +Cc: dev, Anatoly Burakov, Keith Wiles, Olga Shern

On Fri, 1 May 2020 17:01:40 +0100
Ferruh Yigit <ferruh.yigit@intel.com> wrote:

> On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
> > The TAP driver does not initialize all the elements of the rte_flow
> > structure. This can lead to crash in rte_flow_destroy.
> > 
> > (gdb) where
> >     flow=0x100e99280, error=0x0)
> >     at drivers/net/tap/tap_flow.c:1514
> > 
> > (gdb) p remote_flow
> > $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
> > 
> > Which is here:
> > static int
> > tap_flow_destroy_pmd(struct pmd_internals *pmd,
> > 		     struct rte_flow *flow,
> > 		     struct rte_flow_error *error)
> > {
> > 	struct rte_flow *remote_flow = flow->remote_flow;
> > ...
> > 	if (remote_flow) {
> > 		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
> > 
> > Simplest fix is to use rte_zmalloc() so remote_flow and other fields
> > are always set at zero.  
> 
> Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
> MALLOC_DEBUG config option set [1], if this is not the case the issue can be
> still valid after this change.

Malloc debug poisons memory to find bugs like this.


^ permalink raw reply	[flat|nested] 6+ messages in thread
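
The exchange above turns on the difference between an allocator that poisons new memory and one that zeroes it. The following is an added example, not part of the original posts and not DPDK code: a toy allocator pair showing why a never-assigned `remote_flow` field passes the `if (remote_flow)` test under poisoning. `toy_flow`, `poison_alloc`, `zero_alloc` and `destroy_sees_garbage` are hypothetical names; the 0x6b fill byte is taken from the gdb output in the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0x6b /* fill byte seen in the gdb output in the thread */

/* Hypothetical stand-in for struct rte_flow: only the fields needed here. */
struct toy_flow {
	uint32_t handle;
	struct toy_flow *remote_flow;
};

/* Debug-style allocator (assumption): fills new memory with a pattern. */
static void *poison_alloc(size_t sz)
{
	void *p = malloc(sz);
	if (p)
		memset(p, POISON_BYTE, sz);
	return p;
}

/* Zeroing allocator: the behaviour the patch asks for by name. */
static void *zero_alloc(size_t sz) { return calloc(1, sz); }

/* Returns 1 when the destroy-path test `if (remote_flow)` would pass on a
 * pointer made only of poison bytes, 0 when it is NULL, -1 on alloc failure. */
static int destroy_sees_garbage(void *(*alloc)(size_t))
{
	struct toy_flow *f = alloc(sizeof(*f));
	uintptr_t pattern;
	int hit;

	if (!f)
		return -1;
	f->handle = 1; /* create path sets some fields, never remote_flow */
	memset(&pattern, POISON_BYTE, sizeof(pattern));
	hit = f->remote_flow != NULL && (uintptr_t)f->remote_flow == pattern;
	free(f);
	return hit;
}

int main(void)
{
	/* Exit status 0 when poisoning exposes the bug and zeroing hides it. */
	return !(destroy_sees_garbage(poison_alloc) == 1 &&
		 destroy_sees_garbage(zero_alloc) == 0);
}
```

With the poisoning allocator the unset pointer is non-NULL garbage, which is what makes the latent missing initialisation visible as a crash instead of passing by luck.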

* Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
  2020-05-01 16:19   ` Stephen Hemminger
@ 2020-05-05  8:09     ` Ferruh Yigit
  2020-05-06 17:51       ` Ferruh Yigit
  0 siblings, 1 reply; 6+ messages in thread
From: Ferruh Yigit @ 2020-05-05  8:09 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev, Anatoly Burakov, Keith Wiles, Olga Shern

On 5/1/2020 5:19 PM, Stephen Hemminger wrote:
> On Fri, 1 May 2020 17:01:40 +0100
> Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> 
>> On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
>>> The TAP driver does not initialize all the elements of the rte_flow
>>> structure. This can lead to crash in rte_flow_destroy.
>>>
>>> (gdb) where
>>>     flow=0x100e99280, error=0x0)
>>>     at drivers/net/tap/tap_flow.c:1514
>>>
>>> (gdb) p remote_flow
>>> $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
>>>
>>> Which is here:
>>> static int
>>> tap_flow_destroy_pmd(struct pmd_internals *pmd,
>>> 		     struct rte_flow *flow,
>>> 		     struct rte_flow_error *error)
>>> {
>>> 	struct rte_flow *remote_flow = flow->remote_flow;
>>> ...
>>> 	if (remote_flow) {
>>> 		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
>>>
>>> Simplest fix is to use rte_zmalloc() so remote_flow and other fields
>>> are always set at zero.  
>>
>> Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
>> MALLOC_DEBUG config option set [1], if this is not the case the issue can be
>> still valid after this change.
> 
> Malloc debug poisons memory to find bugs like this.
> 

Fair enough, if that is the intention use 'rte_zmalloc' to clarify it.

Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy
  2020-05-05  8:09     ` Ferruh Yigit
@ 2020-05-06 17:51       ` Ferruh Yigit
  0 siblings, 0 replies; 6+ messages in thread
From: Ferruh Yigit @ 2020-05-06 17:51 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev, Anatoly Burakov, Keith Wiles, Olga Shern

On 5/5/2020 9:09 AM, Ferruh Yigit wrote:
> On 5/1/2020 5:19 PM, Stephen Hemminger wrote:
>> On Fri, 1 May 2020 17:01:40 +0100
>> Ferruh Yigit <ferruh.yigit@intel.com> wrote:
>>
>>> On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
>>>> The TAP driver does not initialize all the elements of the rte_flow
>>>> structure. This can lead to crash in rte_flow_destroy.
>>>>
>>>> (gdb) where
>>>>     flow=0x100e99280, error=0x0)
>>>>     at drivers/net/tap/tap_flow.c:1514
>>>>
>>>> (gdb) p remote_flow
>>>> $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
>>>>
>>>> Which is here:
>>>> static int
>>>> tap_flow_destroy_pmd(struct pmd_internals *pmd,
>>>> 		     struct rte_flow *flow,
>>>> 		     struct rte_flow_error *error)
>>>> {
>>>> 	struct rte_flow *remote_flow = flow->remote_flow;
>>>> ...
>>>> 	if (remote_flow) {
>>>> 		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
>>>>
>>>> Simplest fix is to use rte_zmalloc() so remote_flow and other fields
>>>> are always set at zero.  
>>>
>>> Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
>>> MALLOC_DEBUG config option set [1], if this is not the case the issue can be
>>> still valid after this change.
>>
>> Malloc debug poisons memory to find bugs like this.
>>
> 
> Fair enough, if that is the intention use 'rte_zmalloc' to clarify it.
> 
> Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
> 

Applied to dpdk-next-net/master, thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread
