* [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 @ 2016-03-16 12:33 Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt ` (3 more replies) 0 siblings, 4 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-16 12:33 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev Poking a bit on autotest revealed a few shortcomings in the lpm allocation path. Thanks to the feedback to the first revision of the patches here v2: *updates in v2* - lpm/lpm6 patches split - following dpdk coding guidelines regarding single line if's - adding singed-off and acked-bys gathered so far - combine all three related patches in one series [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create [PATCH 2/3] lpm6: fix missing free of rules_tbl and lpm [PATCH 3/3] lpm: fix missing free of lpm rte_lpm.c | 8 ++------ rte_lpm6.c | 11 +++++------ 2 files changed, 7 insertions(+), 12 deletions(-) ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create 2016-03-16 12:33 [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 Christian Ehrhardt @ 2016-03-16 12:33 ` Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 2/3] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt ` (2 subsequent siblings) 3 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-16 12:33 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev In certain autotests lpm->max_rules turned out to be non initialized. That was caused by a failing allocation for lpm->rules_tbl in rte_lpm6_create. It then left the function via goto exit with lpm freed, but still a pointer value being set. In case of an allocation failure it resets lpm to NULL now, to avoid the upper layers operate on that already freed memory. Along that is also makes the RTE_LOG message of the failed allocation unique. Acked-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm6.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c index 6c2b293..48931cc 100644 --- a/lib/librte_lpm/rte_lpm6.c +++ b/lib/librte_lpm/rte_lpm6.c @@ -206,8 +206,9 @@ rte_lpm6_create(const char *name, int socket_id, (size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->rules_tbl == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM rules_tbl allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } -- 2.7.0 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH 2/3] lpm6: fix missing free of rules_tbl and lpm 2016-03-16 12:33 [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt @ 2016-03-16 12:33 ` Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt 3 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-16 12:33 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev lpm6 autotests failed with the default alloc of 512M Memory. While >=2500M was a workaround it became clear while debugging that it had a leak. One could see a lot of output like: LPM Test tests6[i]: FAIL LPM: LPM memory allocation failed It turned out that in rte_lpm6_free - lpm might not be freed if it didn't find a te (early return) - lpm->rules_tbl was not freed ever Acked-by: Bruce Richardson <bruce.richardson@intel.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm6.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c index 48931cc..4c44cd7 100644 --- a/lib/librte_lpm/rte_lpm6.c +++ b/lib/librte_lpm/rte_lpm6.c @@ -278,15 +278,13 @@ rte_lpm6_free(struct rte_lpm6 *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); + rte_free(lpm->rules_tbl); rte_free(lpm); rte_free(te); } -- 2.7.0 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm 2016-03-16 12:33 [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 2/3] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt @ 2016-03-16 12:33 ` Christian Ehrhardt 2016-03-16 13:14 ` Olivier MATZ 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt 3 siblings, 1 reply; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-16 12:33 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm might not be freed if it didn't find a te (early return) Acked-by: Bruce Richardson <bruce.richardson@intel.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index ccaaa2a..d5fa1f8 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); -- 2.7.0 ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm 2016-03-16 12:33 ` [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm Christian Ehrhardt @ 2016-03-16 13:14 ` Olivier MATZ 2016-03-16 13:34 ` Christian Ehrhardt 0 siblings, 1 reply; 13+ messages in thread From: Olivier MATZ @ 2016-03-16 13:14 UTC (permalink / raw) To: Christian Ehrhardt, bruce.richardson, dev Hi Christian, On 03/16/2016 01:33 PM, Christian Ehrhardt wrote: > Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm > might not be freed if it didn't find a te (early return) > > Acked-by: Bruce Richardson <bruce.richardson@intel.com> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> > --- > lib/librte_lpm/rte_lpm.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c > index ccaaa2a..d5fa1f8 100644 > --- a/lib/librte_lpm/rte_lpm.c > +++ b/lib/librte_lpm/rte_lpm.c > @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) > if (te->data == (void *) lpm) > break; > } > - if (te == NULL) { > - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); > - return; > - } > - > - TAILQ_REMOVE(lpm_list, te, next); > + if (te != NULL) > + TAILQ_REMOVE(lpm_list, te, next); > > rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); > > I've just seen you had already posted a series on this topic. It looks that some free() are missing in lpm.c: Could you please check my version of the patch (which was not as complete as your series)? http://dpdk.org/dev/patchwork/patch/11526/ Regards, Olivier ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm 2016-03-16 13:14 ` Olivier MATZ @ 2016-03-16 13:34 ` Christian Ehrhardt 0 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-16 13:34 UTC (permalink / raw) To: Olivier MATZ; +Cc: Bruce Richardson, dev Hi, looking at it I think we have intersections but also parts of yours that I missed. More than that while applying your changes I found other potential use-after free cases. I'll wrap that all up together in a v3 of my series. Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd On Wed, Mar 16, 2016 at 2:14 PM, Olivier MATZ <olivier.matz@6wind.com> wrote: > Hi Christian, > > On 03/16/2016 01:33 PM, Christian Ehrhardt wrote: > >> Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm >> might not be freed if it didn't find a te (early return) >> >> Acked-by: Bruce Richardson <bruce.richardson@intel.com> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> >> --- >> lib/librte_lpm/rte_lpm.c | 8 ++------ >> 1 file changed, 2 insertions(+), 6 deletions(-) >> >> diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c >> index ccaaa2a..d5fa1f8 100644 >> --- a/lib/librte_lpm/rte_lpm.c >> +++ b/lib/librte_lpm/rte_lpm.c >> @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) >> if (te->data == (void *) lpm) >> break; >> } >> - if (te == NULL) { >> - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> - return; >> - } >> - >> - TAILQ_REMOVE(lpm_list, te, next); >> + if (te != NULL) >> + TAILQ_REMOVE(lpm_list, te, next); >> >> rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> >> >> > I've just seen you had already posted a series on this topic. > It looks that some free() are missing in lpm.c: > > Could you please check my version of the patch (which was not as > complete as your series)? > http://dpdk.org/dev/patchwork/patch/11526/ > > Regards, > Olivier > ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes 2016-03-16 12:33 [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 Christian Ehrhardt ` (2 preceding siblings ...) 2016-03-16 12:33 ` [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 1/5] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt ` (5 more replies) 3 siblings, 6 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz Poking a bit on autotest revealed a few shortcomings in the lpm allocation path. Thanks to the feedback to the first revision of the patches here v2. Also Oliver Matz spotted similar issues and made me aware - thanks! Integrating them revealed even more use after free / leak issues. *updates in v4* - re-removing the { } on single line ifs accidentially droped in v3 - adding the ack of Oliver Matz *updates in v3* - lpm create/free path for v20 and v1604 got the same fixes that were already identified for lpm6 before *updates in v2* - lpm/lpm6 patches split - following dpdk coding guidelines regarding single line if's - adding singed-off and acked-bys gathered so far - combine all three related patches in one series Christian Ehrhardt (5): lpm6: fix use after free of lpm in rte_lpm6_create lpm6: fix missing free of rules_tbl and lpm lpm: fix missing free of lpm lpm: fix use after free of lpm in rte_lpm_create* lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* lib/librte_lpm/rte_lpm.c | 24 ++++++++++-------------- lib/librte_lpm/rte_lpm6.c | 11 +++++------ 2 files changed, 15 insertions(+), 20 deletions(-) -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 1/5] lpm6: fix use after free of lpm in rte_lpm6_create 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 2/5] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt ` (4 subsequent siblings) 5 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz In certain autotests lpm->max_rules turned out to be non initialized. That was caused by a failing allocation for lpm->rules_tbl in rte_lpm6_create. It then left the function via goto exit with lpm freed, but still a pointer value being set. In case of an allocation failure it resets lpm to NULL now, to avoid the upper layers operate on that already freed memory. Along that is also makes the RTE_LOG message of the failed allocation unique. Acked-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Olivier Matz <olivier.matz@6wind.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm6.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c index 6c2b293..48931cc 100644 --- a/lib/librte_lpm/rte_lpm6.c +++ b/lib/librte_lpm/rte_lpm6.c @@ -206,8 +206,9 @@ rte_lpm6_create(const char *name, int socket_id, (size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->rules_tbl == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM rules_tbl allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 2/5] lpm6: fix missing free of rules_tbl and lpm 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 1/5] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 3/5] lpm: fix missing free of lpm Christian Ehrhardt ` (3 subsequent siblings) 5 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz lpm6 autotests failed with the default alloc of 512M Memory. While >=2500M was a workaround it became clear while debugging that it had a leak. One could see a lot of output like: LPM Test tests6[i]: FAIL LPM: LPM memory allocation failed It turned out that in rte_lpm6_free - lpm might not be freed if it didn't find a te (early return) - lpm->rules_tbl was not freed ever Acked-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: Olivier Matz <olivier.matz@6wind.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm6.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c index 48931cc..4c44cd7 100644 --- a/lib/librte_lpm/rte_lpm6.c +++ b/lib/librte_lpm/rte_lpm6.c @@ -278,15 +278,13 @@ rte_lpm6_free(struct rte_lpm6 *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); + rte_free(lpm->rules_tbl); rte_free(lpm); rte_free(te); } -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 3/5] lpm: fix missing free of lpm 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 1/5] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 2/5] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 4/5] lpm: fix use after free of lpm in rte_lpm_create* Christian Ehrhardt ` (2 subsequent siblings) 5 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm might not be freed if it didn't find a te (early return) Acked-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: Olivier Matz <olivier.matz@6wind.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index ccaaa2a..d5fa1f8 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 4/5] lpm: fix use after free of lpm in rte_lpm_create* 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt ` (2 preceding siblings ...) 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 3/5] lpm: fix missing free of lpm Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 5/5] lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* Christian Ehrhardt 2016-03-22 16:14 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Thomas Monjalon 5 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz There were further chances for a use after free by returning an already freed pointer in rte_lpm_create for v20 and v1604. Along that is also makes the RTE_LOG messages of the failed allocations unique. Acked-by: Olivier Matz <olivier.matz@6wind.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index d5fa1f8..59ce5a7 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -303,8 +303,9 @@ rte_lpm_create_v1604(const char *name, int socket_id, (size_t)rules_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->rules_tbl == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM rules_tbl memory allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } @@ -313,8 +314,9 @@ rte_lpm_create_v1604(const char *name, int socket_id, (size_t)tbl8s_size, RTE_CACHE_LINE_SIZE, socket_id); if (lpm->tbl8 == NULL) { - RTE_LOG(ERR, LPM, "LPM memory allocation failed\n"); + RTE_LOG(ERR, LPM, "LPM tbl8 memory allocation failed\n"); rte_free(lpm); + lpm = NULL; rte_free(te); goto exit; } -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v4 5/5] lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt ` (3 preceding siblings ...) 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 4/5] lpm: fix use after free of lpm in rte_lpm_create* Christian Ehrhardt @ 2016-03-21 14:06 ` Christian Ehrhardt 2016-03-22 16:14 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Thomas Monjalon 5 siblings, 0 replies; 13+ messages in thread From: Christian Ehrhardt @ 2016-03-21 14:06 UTC (permalink / raw) To: christian.ehrhardt, bruce.richardson, dev, olivier.matz As found in rte_lpm6_free the two lpm interfaces rte_lpm_free_v20 and rte_lpm_free_v1604 had a leak. rte_lpm_free_v20 might have missed to free rules_tbl rte_lpm_free_v1604 due to an early exit might have missed to free rules_tbl and lpm itself. Acked-by: Olivier Matz <olivier.matz@6wind.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index 59ce5a7..af5811c 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -367,6 +367,7 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); + rte_free(lpm->rules_tbl); rte_free(lpm); rte_free(te); } @@ -391,15 +392,12 @@ rte_lpm_free_v1604(struct rte_lpm *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); + rte_free(lpm->rules_tbl); rte_free(lpm); rte_free(te); } -- 2.7.3 ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt ` (4 preceding siblings ...) 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 5/5] lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* Christian Ehrhardt @ 2016-03-22 16:14 ` Thomas Monjalon 5 siblings, 0 replies; 13+ messages in thread From: Thomas Monjalon @ 2016-03-22 16:14 UTC (permalink / raw) To: Christian Ehrhardt; +Cc: dev, bruce.richardson, olivier.matz 2016-03-21 15:06, Christian Ehrhardt: > Poking a bit on autotest revealed a few shortcomings in the lpm allocation path. > Thanks to the feedback to the first revision of the patches here v2. > Also Oliver Matz spotted similar issues and made me aware - thanks! > Integrating them revealed even more use after free / leak issues. > > *updates in v4* > - re-removing the { } on single line ifs accidentially droped in v3 > - adding the ack of Oliver Matz > > *updates in v3* > - lpm create/free path for v20 and v1604 got the same fixes that were > already identified for lpm6 before > > *updates in v2* > - lpm/lpm6 patches split > - following dpdk coding guidelines regarding single line if's > - adding singed-off and acked-bys gathered so far > - combine all three related patches in one series > > Christian Ehrhardt (5): > lpm6: fix use after free of lpm in rte_lpm6_create > lpm6: fix missing free of rules_tbl and lpm > lpm: fix missing free of lpm > lpm: fix use after free of lpm in rte_lpm_create* > lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* Applied, thanks ^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2016-03-22 16:16 UTC | newest] Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-03-16 12:33 [dpdk-dev] [PATCH 0/3] lpm allocation fixes - v2 Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 1/3] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 2/3] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt 2016-03-16 12:33 ` [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm Christian Ehrhardt 2016-03-16 13:14 ` Olivier MATZ 2016-03-16 13:34 ` Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 1/5] lpm6: fix use after free of lpm in rte_lpm6_create Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 2/5] lpm6: fix missing free of rules_tbl and lpm Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 3/5] lpm: fix missing free of lpm Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 4/5] lpm: fix use after free of lpm in rte_lpm_create* Christian Ehrhardt 2016-03-21 14:06 ` [dpdk-dev] [PATCH v4 5/5] lpm: fix missing free of rules_tbl and lpm in rte_lpm_free* Christian Ehrhardt 2016-03-22 16:14 ` [dpdk-dev] [PATCH v4 0/5] lpm allocation fixes Thomas Monjalon
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).