From: "Harris, James R" <james.r.harris@intel.com>
To: David Marchand <david.marchand@redhat.com>
Cc: dev <dev@dpdk.org>, "Burakov, Anatoly" <anatoly.burakov@intel.com>
Subject: Re: [dpdk-dev] [PATCH] vfio: free mp_reply msgs in failure cases
Date: Mon, 14 Oct 2019 13:49:00 +0000 [thread overview]
Message-ID: <54B140F8-B8E4-450B-908F-55DC7D7ED753@intel.com> (raw)
In-Reply-To: <CAJFAV8zxri3vCqbsJAirfEJ5U8tigah-N2cbs7U4b9qy83L=jA@mail.gmail.com>
On 10/14/19, 4:18 AM, "David Marchand" <david.marchand@redhat.com> wrote:
On Fri, Aug 16, 2019 at 9:19 PM Jim Harris <james.r.harris@intel.com> wrote:
>
> The code checks both rte_mp_request_sync() return
> code and that the number of messages in the reply
> equals 1. If rte_mp_request_sync() succeeds but
> there was more than one message, those messages
> would get leaked.
>
> Found via code review by Anatoly Burakov of patches
> that used the vhost code as a template for using
> rte_mp_request_sync().
The patch looks fine, I just want to make sure its title reflect what it fixes.
Can you give some insights of how common this issue is? If there are
known cases where it happens?
Hi David,
I don't think this issue is common at all. I don't have any known cases in mind - it was only found via code inspection.
I might have spotted another issue (could be worth a followup patch
later if confirmed), please see below.
>
> Signed-off-by: Jim Harris <james.r.harris@intel.com>
> ---
> lib/librte_eal/linux/eal/eal_vfio.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/lib/librte_eal/linux/eal/eal_vfio.c b/lib/librte_eal/linux/eal/eal_vfio.c
> index 501c74f23..d9541b122 100644
> --- a/lib/librte_eal/linux/eal/eal_vfio.c
> +++ b/lib/librte_eal/linux/eal/eal_vfio.c
[snip]
> @@ -1021,7 +1021,7 @@ int
> vfio_get_default_container_fd(void)
> {
> struct rte_mp_msg mp_req, *mp_rep;
> - struct rte_mp_reply mp_reply;
> + struct rte_mp_reply mp_reply = {0};
> struct timespec ts = {.tv_sec = 5, .tv_nsec = 0};
> struct vfio_mp_param *p = (struct vfio_mp_param *)mp_req.param;
>
> @@ -1049,9 +1049,9 @@ vfio_get_default_container_fd(void)
> free(mp_reply.msgs);
> return mp_rep->fds[0];
Do we have a use after free on mp_rep which points to &mp_reply.msgs[0] ?
You're right. It needs to save mp_rep->fds[0] into a local variable before we free that array. That would be a good follow-up patch!
-Jim
> }
> - free(mp_reply.msgs);
> }
>
> + free(mp_reply.msgs);
> RTE_LOG(ERR, EAL, " cannot request default container fd\n");
> return -1;
> }
--
David Marchand
next prev parent reply other threads:[~2019-10-14 13:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-16 12:13 Jim Harris
2019-08-20 13:13 ` Burakov, Anatoly
2019-08-20 13:16 ` Harris, James R
2019-08-20 13:22 ` Burakov, Anatoly
2019-10-14 11:17 ` David Marchand
2019-10-14 13:49 ` Harris, James R [this message]
2019-10-14 14:47 ` David Marchand
2019-10-14 14:50 ` Harris, James R
2019-10-15 18:38 ` David Marchand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54B140F8-B8E4-450B-908F-55DC7D7ED753@intel.com \
--to=james.r.harris@intel.com \
--cc=anatoly.burakov@intel.com \
--cc=david.marchand@redhat.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).