[dpdk-dev] [PATCH] net/softnic: fix illegal memory access

[dpdk-dev] [PATCH] net/softnic: fix illegal memory access

[Jasvinder Singh]

Fix pointer dereferencing and read after free (USE_AFTER_FREE).

Coverity issue: 302867
Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")

Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
---
 drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c b/drivers/net/softnic/rte_eth_softnic_swq.c
index 1944fbb..604a2cc 100644
--- a/drivers/net/softnic/rte_eth_softnic_swq.c
+++ b/drivers/net/softnic/rte_eth_softnic_swq.c
@@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)
 void
 softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
 {
-	struct softnic_swq *swq;
+	for ( ; ; ) {
+		struct softnic_swq *swq;
+
+		swq = TAILQ_FIRST(&p->swq_list);
+		if (swq == NULL)
+			break;
 
-	TAILQ_FOREACH(swq, &p->swq_list, node) {
 		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
 			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
 			continue;
-- 
2.9.3

Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access

[Dumitrescu, Cristian]

> -----Original Message-----
> From: Singh, Jasvinder
> Sent: Monday, July 16, 2018 1:42 PM
> To: dev@dpdk.org
> Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> Subject: [PATCH] net/softnic: fix illegal memory access
> 
> Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> 
> Coverity issue: 302867
> Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> 
> Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> ---
>  drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> b/drivers/net/softnic/rte_eth_softnic_swq.c
> index 1944fbb..604a2cc 100644
> --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)
>  void
>  softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
>  {
> -	struct softnic_swq *swq;
> +	for ( ; ; ) {
> +		struct softnic_swq *swq;
> +
> +		swq = TAILQ_FIRST(&p->swq_list);
> +		if (swq == NULL)
> +			break;
> 
> -	TAILQ_FOREACH(swq, &p->swq_list, node) {
>  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
>  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
>  			continue;
> --
> 2.9.3

Where is the bug? We simply parse a linked list to free each element.

Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access

[Singh, Jasvinder]

> -----Original Message-----
> From: Dumitrescu, Cristian
> Sent: Monday, July 16, 2018 5:04 PM
> To: Singh, Jasvinder <jasvinder.singh@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] net/softnic: fix illegal memory access
> 
> 
> 
> > -----Original Message-----
> > From: Singh, Jasvinder
> > Sent: Monday, July 16, 2018 1:42 PM
> > To: dev@dpdk.org
> > Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> > Subject: [PATCH] net/softnic: fix illegal memory access
> >
> > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> >
> > Coverity issue: 302867
> > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> >
> > Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> > ---
> >  drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> > b/drivers/net/softnic/rte_eth_softnic_swq.c
> > index 1944fbb..604a2cc 100644
> > --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)  void
> > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)  {
> > -	struct softnic_swq *swq;
> > +	for ( ; ; ) {
> > +		struct softnic_swq *swq;
> > +
> > +		swq = TAILQ_FIRST(&p->swq_list);
> > +		if (swq == NULL)
> > +			break;
> >
> > -	TAILQ_FOREACH(swq, &p->swq_list, node) {
> >  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> >  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> >  			continue;
> > --
> > 2.9.3
> 
> Where is the bug? We simply parse a linked list to free each element.

Below is coverity log on the issue;   
 
void
 softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
 {
         struct softnic_swq *swq;
    	1. Condition swq, taking true branch.
   	4. Condition swq, taking true branch.
   	7. alias: Assigning: swq = swq->node.tqe_next. Now both point to the same storage.
   	8. Condition swq, taking true branch.
   	
CID 302867 (#1-2 of 2): Read from pointer after free (USE_AFTER_FREE)
15. deref_after_free: Dereferencing freed pointer swq.
         TAILQ_FOREACH(swq, &p->swq_list, node) {
   	2. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
   	5. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
   	9. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking false branch.
   	10. Condition strncmp(swq->name, "TXQ", strlen("TXQ")) == 0, taking false branch.
                 if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
                         (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
   	3. Continuing loop.
   	6. Continuing loop.
                         continue;
 
   	11. Condition swq->node.tqe_next != NULL, taking true branch.
   	12. Falling through to end of if statement.
                 TAILQ_REMOVE(&p->swq_list, swq, node);
                rte_ring_free(swq->r);
   	13. freed_arg: free frees swq.
                 free(swq);
   	14. Jumping back to the beginning of the loop.
         }
 }
 

Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access

[Singh, Jasvinder]

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Singh, Jasvinder
> Sent: Monday, July 16, 2018 6:26 PM
> To: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access
> 
> 
> 
> > -----Original Message-----
> > From: Dumitrescu, Cristian
> > Sent: Monday, July 16, 2018 5:04 PM
> > To: Singh, Jasvinder <jasvinder.singh@intel.com>; dev@dpdk.org
> > Subject: RE: [PATCH] net/softnic: fix illegal memory access
> >
> >
> >
> > > -----Original Message-----
> > > From: Singh, Jasvinder
> > > Sent: Monday, July 16, 2018 1:42 PM
> > > To: dev@dpdk.org
> > > Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> > > Subject: [PATCH] net/softnic: fix illegal memory access
> > >
> > > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> > >
> > > Coverity issue: 302867
> > > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> > >
> > > Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> > > ---
> > >  drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> > >  1 file changed, 6 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> > > b/drivers/net/softnic/rte_eth_softnic_swq.c
> > > index 1944fbb..604a2cc 100644
> > > --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> > > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)  void
> > > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)  {
> > > -	struct softnic_swq *swq;
> > > +	for ( ; ; ) {
> > > +		struct softnic_swq *swq;
> > > +
> > > +		swq = TAILQ_FIRST(&p->swq_list);
> > > +		if (swq == NULL)
> > > +			break;
> > >
> > > -	TAILQ_FOREACH(swq, &p->swq_list, node) {
> > >  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> > >  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> > >  			continue;
> > > --
 <snip>

Self NACK. Fix is incorrect. The infinite loop will never break due to non-empty swq_list.