From: Yunjian Wang
Subject: [dpdk-dev] [PATCH v3] ring: fix use after free in ring release
Date: Fri, 5 May 2023 14:48:34 +0800
Message-ID: <21867862766caee191228a5fe438fde899e6fd7f.1683268586.git.wangyunjian@huawei.com>

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org
Signed-off-by: Yunjian Wang Acked-by: Konstantin Ananyev Reviewed-by: Honnappa Nagarahalli --- v3: move memzone free outside the lock --- lib/ring/rte_ring.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index 8ed455043d..057d25ff6f 100644 --- a/lib/ring/rte_ring.c +++ b/lib/ring/rte_ring.c @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r) return; } - if (rte_memzone_free(r->memzone) != 0) { - RTE_LOG(ERR, RING, "Cannot free memory\n"); - return; - } - ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list); rte_mcfg_tailq_write_lock(); @@ -356,6 +351,9 @@ rte_ring_free(struct rte_ring *r) rte_mcfg_tailq_write_unlock(); + if (rte_memzone_free(r->memzone) != 0) + RTE_LOG(ERR, RING, "Cannot free memory\n"); + rte_free(te); } -- 2.33.0
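Review bot: In the first hunk (@@ -333,11 +333,6), where the rte_memzone_free() call is dropped from in front of rte_mcfg_tailq_write_lock(), nothing left in the code records that the new ordering is deliberate. A short comment at the tailq removal, saying the entry has to be unlinked from rte_ring_tailq under the write lock before the memzone is released so that rte_ring_lookup cannot hand back a ring whose memory is gone, would keep a later cleanup from moving the free back above the lock.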
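Review bot: In the second hunk (@@ -356,6 +351,9), a failing rte_memzone_free(r->memzone) after rte_mcfg_tailq_write_unlock() is only logged and execution falls through to rte_free(te), so the ring is already gone from the tailq while its memzone stays reserved. The removed code returned before touching the list in that case, so this is a behaviour change on the error path: please state it in the commit message or the function's documentation, since rte_ring_free() gives the caller no other way to learn that the memory was not released. The "Cannot free memory\n" log line would also be more useful if it identified which ring's memzone was left behind.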