From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B90FB45BEF; Sun, 27 Oct 2024 09:43:30 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4FE1B4026C; Sun, 27 Oct 2024 09:43:30 +0100 (CET) Received: from dkmailrelay1.smartsharesystems.com (smartserver.smartsharesystems.com [77.243.40.215]) by mails.dpdk.org (Postfix) with ESMTP id 0197A40151 for ; Sun, 27 Oct 2024 09:43:28 +0100 (CET) Received: from smartserver.smartsharesystems.com (smartserver.smartsharesys.local [192.168.4.10]) by dkmailrelay1.smartsharesystems.com (Postfix) with ESMTP id B2E3D2027D; Sun, 27 Oct 2024 09:43:28 +0100 (CET) Content-class: urn:content-classes:message Subject: RE: [PATCH] net/vmxnet3: Fix vmxnet3 NULL pointer deref after configuration failure MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Sun, 27 Oct 2024 09:43:27 +0100 Message-ID: <98CBD80474FA8B44BF855DF32C47DC35E9F82B@smartserver.smartshare.dk> X-MimeOLE: Produced By Microsoft Exchange V6.5 In-Reply-To: <20241026143336.2099168-1-rmelton@cisco.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [PATCH] net/vmxnet3: Fix vmxnet3 NULL pointer deref after configuration failure Thread-Index: AdsntDIAREiUa8SEQ0SPzigLIkQzmgAly52Q References: <20241026143336.2099168-1-rmelton@cisco.com> From: =?iso-8859-1?Q?Morten_Br=F8rup?= To: "Roger B Melton" , "Jochen Behrens" Cc: , "Ronak Doshi" X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org > From: Roger B Melton [mailto:rmelton@cisco.com] > Sent: Saturday, 26 October 2024 16.34 >=20 > Problem: >=20 > If vxmnet3_dev_configure() fails, applications may call > vmxnet3_dev_close(). If the failure occurs before the vmxnet3 > hw->shared structure is allocated the close will lead to a segv. >=20 > Root Cause: >=20 > This crash is due to incorrect adapter_stopped state in the > vmxnet3 dev_private structure. When dev_private is allocated, > adapter_stopped will be 0 (FALSE). eth_vmxnet3_dev_init() does not > set it to TRUE, so it will remain FALSE until a successful > vmxnet3_dev_start() followed by a vmxnet3_dev_stop(). When > vmxnet3_dev_close() is called, it will invoke vmxnet3_dev_stop(). > vmxnet3_dev_stop() will check the adapter_stopped state in the > vmxnet3 shared data, find it is FALSE and will proceed to stop the > device, calling vmxnet3_disable_all_intrs(). > vmxnet3_disable_all_intrs() attempts to access the vmxnet3 shared data > resulting in the segv. >=20 > Solution: >=20 > Set adapter_stopped to TRUE in eth_vmxnet3_dev_init(), to prevent stop > processing. >=20 > Signed-off-by: Roger B Melton > --- > drivers/net/vmxnet3/vmxnet3_ethdev.c | 1 + > 1 file changed, 1 insertion(+) >=20 > diff --git a/drivers/net/vmxnet3/vmxnet3_ethdev.c > b/drivers/net/vmxnet3/vmxnet3_ethdev.c > index 467fb61137..8d7f95a753 100644 > --- a/drivers/net/vmxnet3/vmxnet3_ethdev.c > +++ b/drivers/net/vmxnet3/vmxnet3_ethdev.c > @@ -403,6 +403,7 @@ eth_vmxnet3_dev_init(struct rte_eth_dev *eth_dev) > /* Vendor and Device ID need to be set before init of shared code > */ > hw->device_id =3D pci_dev->id.device_id; > hw->vendor_id =3D pci_dev->id.vendor_id; > + hw->adapter_stopped =3D TRUE; > hw->hw_addr0 =3D (void *)pci_dev->mem_resource[0].addr; > hw->hw_addr1 =3D (void *)pci_dev->mem_resource[1].addr; >=20 > -- > 2.47.0 Acked-by: Morten Br=F8rup