From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id E7205454E3; Mon, 1 Jul 2024 17:20:06 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id A82B94014F; Mon, 1 Jul 2024 17:20:06 +0200 (CEST) Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2050.outbound.protection.outlook.com [40.107.244.50]) by mails.dpdk.org (Postfix) with ESMTP id EB11A400EF; Mon, 1 Jul 2024 17:20:04 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WpLlrugNmDWeskOC4U48pisSoDoMCxk8cVDSgrAlE/72HP4nVfvZiCRt2jsOGMHXLPU2uMTJEf+TwAn0u5QQySut+pSZBwdj/KSgDM9G9bn3C3cpvALoDne5YY7NZcQcrkQZu4PCNCOBC5VkNPnejsgDW0kclaleG7dM9oYubJkJBp7HMnKYxzaL4Ig80VwWROE6f1tFAhWD8NZZICk16VHq84Go6FPj1RJUEoffBi6idjlblyHf8gOV0nKC5lDdkaGBmK7zUOPlsSyU65RbHqxpaGi1sHBmH4Bc6xtZ97oiaGJraOOh8ohbk3xMODYgIE+/wmGq17v0m727yNGAOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=65yjM+kHKVJQko9Z+1EOYtiWsKKPgE+U5qoVtiTKSvU=; b=Aq2JqGBFIC5DKdrXXVy7pXjN1JIhHjSpiJLscEu3/y94xa0stR4gMNcR0/HYiKZ+EpU5KmvubFrALb4WMWEhpcHfMATiOt2Emus0QI52dxjOlxJR8sZrVk0x0TRr/UeAcFRMTRLZQ1c21gOu00UxvWVAI/lvJmDNO/I3CUDDLuqp6rEhEn3ojU1IYn5Ffp5u4Q0ty9dSNWGZYwz0hnKgRGQtd6Gg/LPhWCSEm2LScrrvaWJa2l+d7Ny/J/CFWNrKfbezxD/VXNyDKfeCQFRpYFNrwmit6r7FSJ0SoEfa1yI5U/874Hi/j1u/8GIZtheJX5vQ9IKHykN63iW6mGcRiQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=dpdk.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=65yjM+kHKVJQko9Z+1EOYtiWsKKPgE+U5qoVtiTKSvU=; b=bdARfiIY7/epTvqjQSIaUAGqSikK331YVF+caaSrdHtSO1XrGn8DcMbqOjkRrw65iMr5CSuQq9ovaiRKdTn307nov91dWdhssAbMubLfu9xpjFEZ0tQTavaUGyhXwPn5ZVSESqz+f+V9fW01lxQ163YWY0Dpyxq/XUvTG75vEjo= Received: from SJ0PR03CA0052.namprd03.prod.outlook.com (2603:10b6:a03:33e::27) by IA1PR12MB6164.namprd12.prod.outlook.com (2603:10b6:208:3e8::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7719.33; Mon, 1 Jul 2024 15:20:01 +0000 Received: from MWH0EPF000971E4.namprd02.prod.outlook.com (2603:10b6:a03:33e:cafe::d) by SJ0PR03CA0052.outlook.office365.com (2603:10b6:a03:33e::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7719.33 via Frontend Transport; Mon, 1 Jul 2024 15:20:00 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C Received: from SATLEXMB04.amd.com (165.204.84.17) by MWH0EPF000971E4.mail.protection.outlook.com (10.167.243.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.7741.18 via Frontend Transport; Mon, 1 Jul 2024 15:20:00 +0000 Received: from driver-dev1.pensando.io (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Mon, 1 Jul 2024 10:19:57 -0500 From: Andrew Boyer To: CC: Andrew Boyer , Subject: [PATCH] net/ionic: fix double-free of mbufs when emptying array Date: Mon, 1 Jul 2024 08:19:43 -0700 Message-ID: <20240701151943.43121-1-andrew.boyer@amd.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB04.amd.com (10.181.40.145) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: MWH0EPF000971E4:EE_|IA1PR12MB6164:EE_ X-MS-Office365-Filtering-Correlation-Id: 89bc2b75-996d-4ec9-5210-08dc99e14664 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|82310400026|376014|1800799024|36860700013; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?a2N7ERGFUPO1qo4c0GGCSoOrZLLiph4Tmiqj7/opTYJ3NxMyT5zwj/II34U2?= =?us-ascii?Q?bkJAljIG9GcvEoFZYHSkwVoEYnm3/nvZOKQe33Stu3G+skeE0MpgMQQcidKf?= =?us-ascii?Q?JMysFbUx3x8a1kEW4FW0hEjLKqg5Ke8OxYhelAJ4efhBcgm+jrjt74gEufQS?= =?us-ascii?Q?lx/sNBpG46HZQrQ4bUXjxD1oZTBQbL2Vu78M2yTHW2vJtmYbZP+r21COtraI?= =?us-ascii?Q?VWDChLAZ/+hkO1sMthtHDW6ZxHIwtFtNsR5+33aPOp/FSQgvBvzroap7TMPu?= =?us-ascii?Q?EJxRF+o1dUYKOSdBgQx34e5Zck2U2TOYRFKESpRL9ok5GeJOiiWJz7Vay2vJ?= =?us-ascii?Q?LGIivkjAqFZFU83QE6P0kX3U/3Jxu80/kv85/g6rEyO6ksW6GPFSjrkcBiQ3?= =?us-ascii?Q?XXHpMRl6lHSmK6ireT4p4bhIVbI4nmKvMrNC3fZguap7FcVqegsFhuGNvqQW?= =?us-ascii?Q?3/AocKASOJp6ZwasE3Z0rDblch8MISEcCTikvHQx2luYoml0ocYy9pQEuJY0?= =?us-ascii?Q?nFdSkYRiWb51d0iOtu8XePGdPxoWxZeOOAsN42Z412uEBroVpJDemUp7q612?= =?us-ascii?Q?pWfOvG2lsg5Y6sjGrILkgLLh4eSs0dYDITnfLjnBRbPLbWtpgg108EwzrJf3?= =?us-ascii?Q?Ywc6P/GXHY3bxzmopmt9bo8HwlZsMmpaLPZENzGRRv7eLDecNeJLUGzrWYZE?= =?us-ascii?Q?mJnbUGAVgUUioCr9IlkF8aZRO4Y6mT334rQ2gLdQyymQPtnAfv+3eRBuK1Z6?= =?us-ascii?Q?dxBEzfXV0Fuyf5doBfI+2emoWJohL6vaVaARjs1R4liXRLlsapMHuilFdLgy?= =?us-ascii?Q?PeWQFHGj1VE5GruPW0VvwOf0JyMAuhK3qKJs2XsgXmt/eqml6q2h7i8WS3qi?= =?us-ascii?Q?fQG8CNeQLllA2bZKULOJL0zNF2VAE6mgZ+r51sOsL0hJvo76EScnWU+eFHjr?= =?us-ascii?Q?rySqRxfmtGnNNcsBoo/Z4N8YeCgdhrkQgIBkkED5b1Q89MStd8nRhK3UUUCh?= =?us-ascii?Q?3Ca+L5mZTZqnLqOWsPM0dnX9TeHwh1KsE9ksAEvh0Lp+z2CA/kZcLIclfVDL?= =?us-ascii?Q?F8w8ltEL1692FVnJHgLQSBcAOLHp3NJVZt8sWCjHo8sywT+YvL9XecCWZgGz?= =?us-ascii?Q?I/9YD1HE2J3YK2cPt462KNQehkTJQnpI1RHSfaNqjqP6rDn6oAKP+JeSjTAU?= =?us-ascii?Q?p+axnzQtrYpMefRx+SBZsFSvtXNWytISXMQnMkpcDK2bBTH/9txspfTNZJdX?= =?us-ascii?Q?YgGGZaoUfE29PGmG8GVjD+9DDL9TcTtb1UwXc3fLP+/DS/VMCC0TQcL42Cuj?= =?us-ascii?Q?G7mbD5HGxPmqgVb5HeaiKovUi8drAICxRA0LCmiwJuTaSFfBEnrRiEt1dq7D?= =?us-ascii?Q?w+epFqPTuvBDbT9j93PJWll9OSX6i02lwkIlmF8te2mIc3ixlWqto5u4J+5o?= =?us-ascii?Q?aTsWq7KlPMMSIEwCthmAwzxovmlGa4p/?= X-Forefront-Antispam-Report: CIP:165.204.84.17; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:SATLEXMB04.amd.com; PTR:InfoDomainNonexistent; CAT:NONE; SFS:(13230040)(82310400026)(376014)(1800799024)(36860700013); DIR:OUT; SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jul 2024 15:20:00.4470 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 89bc2b75-996d-4ec9-5210-08dc99e14664 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d; Ip=[165.204.84.17]; Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: MWH0EPF000971E4.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR12MB6164 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org The bulk-allocation array is used back to front, so we need to free everything before the marker, not after it. Flip ionic_empty_array() so that it frees from 0 to the provided index. Adjust the callers as needed. Fixes: 218afd825bca ("net/ionic: do bulk allocations of Rx mbufs") CC: stable@dpdk.org Signed-off-by: Andrew Boyer --- drivers/net/ionic/ionic_rxtx.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/net/ionic/ionic_rxtx.c b/drivers/net/ionic/ionic_rxtx.c index 923f517661..339b20f113 100644 --- a/drivers/net/ionic/ionic_rxtx.c +++ b/drivers/net/ionic/ionic_rxtx.c @@ -26,38 +26,40 @@ #include "ionic_logs.h" static void -ionic_empty_array(void **array, uint32_t cnt, uint16_t idx) +ionic_empty_array(void **array, uint32_t free_idx, uint32_t zero_idx) { uint32_t i; - for (i = idx; i < cnt; i++) + for (i = 0; i < free_idx; i++) if (array[i]) rte_pktmbuf_free_seg(array[i]); - memset(array, 0, sizeof(void *) * cnt); + memset(array, 0, sizeof(void *) * zero_idx); } static void __rte_cold ionic_tx_empty(struct ionic_tx_qcq *txq) { struct ionic_queue *q = &txq->qcq.q; + uint32_t info_len = q->num_descs * q->num_segs; - ionic_empty_array(q->info, q->num_descs * q->num_segs, 0); + ionic_empty_array(q->info, info_len, info_len); } static void __rte_cold ionic_rx_empty(struct ionic_rx_qcq *rxq) { struct ionic_queue *q = &rxq->qcq.q; + uint32_t info_len = q->num_descs * q->num_segs; /* * Walk the full info array so that the clean up includes any * fragments that were left dangling for later reuse */ - ionic_empty_array(q->info, q->num_descs * q->num_segs, 0); + ionic_empty_array(q->info, info_len, info_len); - ionic_empty_array((void **)rxq->mbs, - IONIC_MBUF_BULK_ALLOC, rxq->mb_idx); + ionic_empty_array((void **)rxq->mbs, rxq->mb_idx, + IONIC_MBUF_BULK_ALLOC); rxq->mb_idx = 0; } -- 2.17.1