From: Fengnan Chang
To: anatoly.burakov@intel.com, dev@dpdk.org, xuemingl@mellanox.com
Cc: Fengnan Chang
Subject: [PATCH] eal: fix modify data area after memset
Date: Tue, 12 Sep 2023 17:04:15 +0800
Message-Id: <20230912090415.48709-1-changfengnan@bytedance.com>

Let's look at this path:
malloc_elem_free
  ->malloc_elem_join_adjacent_free
    ->join_elem(elem, elem->next)

0. cur elem's pad > 0
1. data area memset in malloc_elem_free first.
2. next elem is free, try to join cur elem and next.
3. in join_elem, try to modify inner->size, this address had
   memset in step 1, it causes the content of the address to become non-zero.

If user calls rte_zmalloc, and picks this elem, it can't get all
zero'd memory.

Fixes: 2808a12cc053 (malloc: fix memory element size in case of padding)
Signed-off-by: Fengnan Chang
---
 lib/eal/common/malloc_elem.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/eal/common/malloc_elem.c b/lib/eal/common/malloc_elem.c index 619c040aa3..93a23fa8d4 100644 --- a/lib/eal/common/malloc_elem.c 
+++ b/lib/eal/common/malloc_elem.c @@ -492,7 +492,7 @@ malloc_elem_alloc(struct malloc_elem *elem, size_t size, unsigned align, * be contiguous in memory. */ static inline void -join_elem(struct malloc_elem *elem1, struct malloc_elem *elem2) +join_elem(struct malloc_elem *elem1, struct malloc_elem *elem2, bool update_inner) { struct malloc_elem *next = elem2->next; elem1->size += elem2->size; @@ -502,7 +502,7 @@ join_elem(struct malloc_elem *elem1, struct malloc_elem *elem2) elem1->heap->last = elem1; elem1->next = next; elem1->dirty |= elem2->dirty; - if (elem1->pad) { + if (elem1->pad && update_inner) { struct malloc_elem *inner = RTE_PTR_ADD(elem1, elem1->pad); inner->size = elem1->size - elem1->pad; } @@ -526,7 +526,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem) /* remove from free list, join to this one */ malloc_elem_free_list_remove(elem->next); - join_elem(elem, elem->next); + join_elem(elem, elem->next, false); /* erase header, trailer and pad */ memset(erase, MALLOC_POISON, erase_len); @@ -550,7 +550,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem) malloc_elem_free_list_remove(elem->prev); new_elem = elem->prev; - join_elem(new_elem, elem); + join_elem(new_elem, elem, false); /* erase header, trailer and pad */ memset(erase, MALLOC_POISON, erase_len); @@ -683,7 +683,7 @@ malloc_elem_resize(struct malloc_elem *elem, size_t size) * join the two */ malloc_elem_free_list_remove(elem->next); - join_elem(elem, elem->next); + join_elem(elem, elem->next, true); if (elem->size - new_size >= MIN_DATA_SIZE + MALLOC_ELEM_OVERHEAD) { /* now we have a big block together. Lets cut it down a bit, by splitting */ -- 2.20.1
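Review bot: the new `update_inner` parameter on the `join_elem` signature (hunk at -492) is not described in the comment block that ends just above it ("be contiguous in memory."). Add a sentence there saying when a caller must pass true and when false, since the two values now separate the resize path from the free path. The patch also adds no include, so please confirm `bool` is already available in malloc_elem.c.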
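Review bot: at the `if (elem1->pad && update_inner)` condition (hunk at -502), skipping the block leaves `inner->size` out of step with the enlarged `elem1->size` whenever `elem1->pad` is non-zero and the caller passed false. Please add a comment at this condition stating why a stale inner header is acceptable on the free path, and say in the commit message whether anything can read that header before the element is handed out again.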
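Review bot: the `join_elem(new_elem, elem, false)` call (hunk at -550) is not covered by the commit message, which only walks through `join_elem(elem, elem->next)`. In this call `elem1` is `elem->prev`, so the inner header that `join_elem` would write sits at `RTE_PTR_ADD(elem1, elem1->pad)` inside the previous element rather than in the element being freed. Please explain how that write can land in the already cleared data area, or state that the argument is false here only for symmetry with the next-element join.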
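Review bot: the `join_elem(elem, elem->next, true)` call in malloc_elem_resize (hunk at -683) keeps the old behaviour, but the patch touches only malloc_elem.c and adds no test that exercises either value of the flag. A regression test that frees a padded element next to a free neighbour and then checks that rte_zmalloc returns all-zero memory from it would pin down the bug described in the commit message and guard the resize path against a later change of this argument.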