Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access

DPDK patches and discussions
 help / color / mirror / Atom feed

From: "Singh, Jasvinder" <jasvinder.singh@intel.com>
To: "Dumitrescu, Cristian" <cristian.dumitrescu@intel.com>,
	"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access
Date: Mon, 16 Jul 2018 17:25:45 +0000	[thread overview]
Message-ID: <54CBAA185211B4429112C315DA58FF6D335D8B6F@IRSMSX103.ger.corp.intel.com> (raw)
In-Reply-To: <3EB4FA525960D640B5BDFFD6A3D891268E77452D@IRSMSX107.ger.corp.intel.com>



> -----Original Message-----
> From: Dumitrescu, Cristian
> Sent: Monday, July 16, 2018 5:04 PM
> To: Singh, Jasvinder <jasvinder.singh@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] net/softnic: fix illegal memory access
> 
> 
> 
> > -----Original Message-----
> > From: Singh, Jasvinder
> > Sent: Monday, July 16, 2018 1:42 PM
> > To: dev@dpdk.org
> > Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> > Subject: [PATCH] net/softnic: fix illegal memory access
> >
> > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> >
> > Coverity issue: 302867
> > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> >
> > Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> > ---
> >  drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> > b/drivers/net/softnic/rte_eth_softnic_swq.c
> > index 1944fbb..604a2cc 100644
> > --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)  void
> > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)  {
> > -	struct softnic_swq *swq;
> > +	for ( ; ; ) {
> > +		struct softnic_swq *swq;
> > +
> > +		swq = TAILQ_FIRST(&p->swq_list);
> > +		if (swq == NULL)
> > +			break;
> >
> > -	TAILQ_FOREACH(swq, &p->swq_list, node) {
> >  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> >  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> >  			continue;
> > --
> > 2.9.3
> 
> Where is the bug? We simply parse a linked list to free each element.

Below is coverity log on the issue;   
 
void
 softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
 {
         struct softnic_swq *swq;
    	1. Condition swq, taking true branch.
   	4. Condition swq, taking true branch.
   	7. alias: Assigning: swq = swq->node.tqe_next. Now both point to the same storage.
   	8. Condition swq, taking true branch.
   	
CID 302867 (#1-2 of 2): Read from pointer after free (USE_AFTER_FREE)
15. deref_after_free: Dereferencing freed pointer swq.
         TAILQ_FOREACH(swq, &p->swq_list, node) {
   	2. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
   	5. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
   	9. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking false branch.
   	10. Condition strncmp(swq->name, "TXQ", strlen("TXQ")) == 0, taking false branch.
                 if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
                         (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
   	3. Continuing loop.
   	6. Continuing loop.
                         continue;
 
   	11. Condition swq->node.tqe_next != NULL, taking true branch.
   	12. Falling through to end of if statement.
                 TAILQ_REMOVE(&p->swq_list, swq, node);
                rte_ring_free(swq->r);
   	13. freed_arg: free frees swq.
                 free(swq);
   	14. Jumping back to the beginning of the loop.
         }
 }

next prev parent reply	other threads:[~2018-07-16 17:25 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-16 12:41 Jasvinder Singh
2018-07-16 16:04 ` Dumitrescu, Cristian
2018-07-16 17:25   ` Singh, Jasvinder [this message]
2018-07-16 20:28     ` Singh, Jasvinder

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54CBAA185211B4429112C315DA58FF6D335D8B6F@IRSMSX103.ger.corp.intel.com \
    --to=jasvinder.singh@intel.com \
    --cc=cristian.dumitrescu@intel.com \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).