Date: Fri, 1 May 2020 09:19:55 -0700
From: Stephen Hemminger
To: Ferruh Yigit
Cc: dev@dpdk.org, Anatoly Burakov, Keith Wiles, Olga Shern
Message-ID: <20200501091955.3dc5fc61@hermes.lan>
References: <20200427213926.12306-1-stephen@networkplumber.org>
Subject: Re: [dpdk-dev] [PATCH] net/tap: fix crash from unitialized memory in rte_flow_destroy

On Fri, 1 May 2020 17:01:40 +0100
Ferruh Yigit wrote:

> On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
> > The TAP driver does not initialize all the elements of the rte_flow
> > structure. This can lead to crash in rte_flow_destroy.
> >
> > (gdb) where
> >     flow=0x100e99280, error=0x0)
> >     at drivers/net/tap/tap_flow.c:1514
> >
> > (gdb) p remote_flow
> > $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
> >
> > Which is here:
> > static int
> > tap_flow_destroy_pmd(struct pmd_internals *pmd,
> >                      struct rte_flow *flow,
> >                      struct rte_flow_error *error)
> > {
> >         struct rte_flow *remote_flow = flow->remote_flow;
> >         ...
> >         if (remote_flow) {
> >                 remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
> >
> > Simplest fix is to use rte_zmalloc() so remote_flow and other fields
> > are always set at zero.
>
> Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
> MALLOC_DEBUG config option set [1], if this is not the case the issue can be
> still valid after this change.

Malloc debug poisons memory to find bugs like this.
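
The failure mode discussed in this thread, as an added C example that is not part of the original messages and is not DPDK code: a field left unassigned in poisoned memory passes a non-NULL check, while the same field in zeroed memory does not. `struct flow`, `poison_malloc()`, `zero_malloc()`, `is_poison_ptr()` and `destroy_would_deref()` are hypothetical names; the allocators are stand-ins for a poisoning debug allocator and for `rte_zmalloc()`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define POISON_BYTE 0x6b /* pattern seen in the gdb output: 0x6b6b... */

/* Reduced, hypothetical stand-in for struct rte_flow. */
struct flow {
	struct flow *remote_flow;
	int handle;
};

/* Hypothetical debug allocator that poisons fresh memory. */
static void *poison_malloc(size_t sz)
{
	void *p = malloc(sz);
	if (p != NULL)
		memset(p, POISON_BYTE, sz);
	return p;
}

/* Hypothetical zeroing allocator, standing in for rte_zmalloc(). */
static void *zero_malloc(size_t sz)
{
	return calloc(1, sz);
}

/* True when every byte of the pointer value is the poison pattern. */
static int is_poison_ptr(const void *p)
{
	uintptr_t pat;
	memset(&pat, POISON_BYTE, sizeof(pat));
	return (uintptr_t)p == pat;
}

/* Build a flow whose remote_flow is never assigned, then apply the destroy
 * path's `if (remote_flow)` test without dereferencing. Returns 1 if destroy
 * would follow the pointer, 0 if not, -1 on allocation failure. */
static int destroy_would_deref(void *(*alloc)(size_t), int *poisoned)
{
	struct flow *f = alloc(sizeof(*f));
	int taken;
	if (f == NULL)
		return -1;
	f->handle = 1; /* the only field the create path sets */
	taken = (f->remote_flow != NULL);
	*poisoned = is_poison_ptr(f->remote_flow);
	free(f);
	return taken;
}
```

A check like `is_poison_ptr()` is only a debugging aid for recognising the pattern in a crash dump; the fix the thread discusses is to make sure the field is zero or assigned before the destroy path reads it.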