From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5479743B57; Tue, 20 Feb 2024 14:55:29 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2C4454029B; Tue, 20 Feb 2024 14:55:29 +0100 (CET) Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2046.outbound.protection.outlook.com [40.107.223.46]) by mails.dpdk.org (Postfix) with ESMTP id B715740289; Tue, 20 Feb 2024 14:55:27 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OaUxJkoGJzaoS0viJBynSlEZHDYRqVD+SXrLg/QutbLyKO0rEtR0NQ260TJkwby+ruD4ulq2GaL4KBsdKZkfSPdts0kyvhtbz7oSLPLGBb3O8hOEOeBc3/U+dbuA24L1mUkuDwgLMod3dwz0EdqGGGvoKCXJrtVIiEBL4AYrH1tMDMA3/sTIoPJoUXfk80Fj92P1vecf7WHjXBvCBgmV9CF55uP0Xgy4U7VXNNfApNhmuIig/gWGrxhvw3iq9mi5qJDrAU4zoQU3e2Nn4wv6fZuA1YkzzM42i5LdQX4lCozIywGT2FNfkku84JpsISsaNg9OVttP7uDLTLfrNeMvaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IRITYCN9ga+q5+gjdUMoVAPr/5PTNYUFlOJ17YjsD3Y=; b=KtOjskxUKv6tIE5xrckQnCYbF0s6qtP40NfCAcu3ehs8pgdCiun+9LZ2gEsc5IMRyN2OGPks2iXHz56nyuSLLpR4xW0EfdxA8Xhc5YvLXJWwJfzJB3ca1CDTenlY9Y9DBlS7v2vB9t6QwjT0soD8HBG6xs+wukfPyyFMb6PzekjxwTW5o1RmaH6T6z//HrVr8wuuP7+clKzue5FRo0njco0vpLonLqh+noff8v0fEVTpN/Nq2AVv734Bjks/P8LleEInql7GDAgCaPQq1eVZGsm5l1/PYyeEITqSUylGoDZrYvNlDq1bn23sEAsIjGzMEhS5osZIhqOMd5bR2uCfew== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IRITYCN9ga+q5+gjdUMoVAPr/5PTNYUFlOJ17YjsD3Y=; b=kCJgZJjGaV8ikqdG8FZ40dmqsYR+vy04U7ULburj2pIC/D5n77J/NJy2wPyoE2m5zmxqAgEnWHu86GsWycXWFJhuhNJ92ttyr7HR3K+tTqllW0YWq/kR4hq2l99Sla9t3YKaViRK2tw1qI2XV4TBxDEvGhJZcaxRXp518D9BxlXlPZNuEYwxWAh4aQJceoG0J4CAIHb0fLvm5ssx9KrUZLQMABM8cdGhwbfdQ4L+C6Zk1H9G3Vx51CgyCGhbGjhruIc8LRG/+HwKXh+C+whKUnHfl+p9KUfmht/NFE4E/3I/nrfli0DypBnuesI6KX8Md9/pw6AB5kIcp7bceD8R7A== Received: from IA1PR12MB8311.namprd12.prod.outlook.com (2603:10b6:208:3fa::12) by SA0PR12MB4368.namprd12.prod.outlook.com (2603:10b6:806:9f::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.21; Tue, 20 Feb 2024 13:55:25 +0000 Received: from IA1PR12MB8311.namprd12.prod.outlook.com ([fe80::b013:88f8:c1df:9ce1]) by IA1PR12MB8311.namprd12.prod.outlook.com ([fe80::b013:88f8:c1df:9ce1%7]) with mapi id 15.20.7316.018; Tue, 20 Feb 2024 13:55:25 +0000 From: Dariusz Sosnowski To: Yunjian Wang , "dev@dpdk.org" , "NBU-Contact-Thomas Monjalon (EXTERNAL)" , Ferruh Yigit , Andrew Rybchenko CC: Ori Kam , Matan Azrad , Slava Ovsiienko , Suanming Mou , "luyicai@huawei.com" , Pengfei Sun , "stable@dpdk.org" Subject: RE: [PATCH] net/mlx5: fix use after free when releasing tx queues Thread-Topic: [PATCH] net/mlx5: fix use after free when releasing tx queues Thread-Index: AQHaY9+gpn+Ugq1ryEaztNqVLT1v0bETNRBw Date: Tue, 20 Feb 2024 13:55:25 +0000 Message-ID: References: <1708421499-42236-1-git-send-email-wangyunjian@huawei.com> In-Reply-To: <1708421499-42236-1-git-send-email-wangyunjian@huawei.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: IA1PR12MB8311:EE_|SA0PR12MB4368:EE_ x-ms-office365-filtering-correlation-id: 0d8d3d42-d320-459a-c21b-08dc321b96b8 x-ld-processed: 43083d15-7273-40c1-b7db-39efd9ccc17a,ExtAddr x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: ZB62FyTuOkznOCjoaWkE24oyBlB9WGstAHQ0omX1hlSI/FvYUxKoa0QNw5Qay24M19Q79Nebb/KP0MPLpq+BJMfjCk/hIzNYmNe6ed2ptLMLE2Fa4yBXxGFDfdkyLYq0eQr1koQPJfCKxz0w3dLdDSjde6QqIVYrWhdD9hlJdvdR92cYEy+Pb0Zb2J+bRcJvvpizC6bZkS00iK7UTIu/1rQNlFSfk4hq5abKEypGtYUQrgEKCtvoO6TxIk3pz1g6Am8Gsg3JL7PpBNT4GbfnewGkk1LbWmzvR0z/MI8N1/PORAOdA7h4W2ndCDptn6t/b2m91qruUPrUdk1wwDnaMDukhHe6NY/w7Kqx+pIH6AqgF2tmYDehPvlCsLL9MDh4qQcnxRc8A+Gn01/6uJUZoXswKBGS8lJ9lxvW14V5zva7hek2iaQXD1EZAL79P+4LTqm26bI1qgMyfkfRiGOQ9xQznRYjub07uX61ZKNhsVIDtk/OwqRW2qbNlcOcIUi4H5QtuZ2wcoCU7pnLZGZ7LGIDyLd/k1H+1rDDHwy9MJM5wrtnJUmSVQe2qM9Y4bnSuJmBKSbW7GZ6ekTIaHhPMioR4ZvXdI5RCXAKqff8vYuXkN5M45GjYGQo5BmuBipC x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:IA1PR12MB8311.namprd12.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?oSfLgYnDdslXmWIetyxOomW1QjmOwvtLOnB6BW4VuQnzYBK44PE+xO2B+OIL?= =?us-ascii?Q?I3y062emGMz7fDziwbqunOBOudRzm1Q0d63kqy910BS1WBdX2PyOqRxoZrmk?= =?us-ascii?Q?6Rqrt/fYQf+L1BMTjJHwJVVo/F1RsfhD2bg3R0gg1P9W/aK7aS3lq4s+gE+r?= =?us-ascii?Q?AtqkOYXVlVc3RXWnruGNovtUneWs99ZDX5s+kua2OCEfjeIu8YkeMyEower5?= =?us-ascii?Q?LRCSIgt2CbG3respEO2zhIYr7b2QPISsCBLFxPlhw6bQWSxW7yCwJvqSq+7q?= =?us-ascii?Q?6ksKJ7CJF2Z2avi0vkyD3D6ZZ+nKWvd0d+jvBGKynaIbw9Wj/NwcsbN5zdR2?= =?us-ascii?Q?P4+Mh2VeYTe4TYT6eLhOG4okzYeErPi8OPjz1hdkqosfu4E8oicy7Au7mqKL?= =?us-ascii?Q?l4i75TfsIRRZkrpAeWqccpuWBhsk+VgX7XKcp6a1BY9Rs5yqSNBXmQAk1fVF?= =?us-ascii?Q?W7fEYo6M8qNKrVEyHQpUxa4rjVZM95NMvEnLDA2QEuhx9b0r6rV7VGjxW6UH?= =?us-ascii?Q?K+RSOfiv/pLjZK8u8T5I6uYcFi/VZMgRPPEJVOC8sGAfNApcNVrqdfTRxacL?= =?us-ascii?Q?ClA5UR4jrx53CPRyfoHKt6I+p6XxjeR2nKydKlDWSURcd5d4OSBZlthBhpBM?= =?us-ascii?Q?g+GWjM9iosHTLklNvnzjYFbSDqeqsa+DqCMFkRWkOLRfNjvyrSIRWTHyciBs?= =?us-ascii?Q?C++frh/Le+i4YSKkNlwC/DOhpWGkkSVf5QMDY13c/wH9S2p8yKBxfTy4xzjk?= =?us-ascii?Q?Sp69yXa4/ULcRxodmqrmPuTadnLNtZjCujDVsXN7yECakdk9MltMj3FGMEZ9?= =?us-ascii?Q?LMRX6HH37egDPd2GkJ5oEYlim8g2Cq5hAWXC4NbFJpettjDliIMkGMpD7mKS?= =?us-ascii?Q?yo/XMyU3OSiLR6WXvHSQBUZxKR9SKeSGjxeQUvhTdTCDTZpqNznFuNDQ7nM7?= =?us-ascii?Q?zsnt+0pnPKQUHe7IKm+1ur5nu8rHUzArBsy+xNyAq0bqbsFYKZmMAnoZ6xVP?= =?us-ascii?Q?xeaX5+DDiHMiMkj5sDSFoZjdricqV8f8rF+Opnz1UodFuYtrD54LOX1I1/4C?= =?us-ascii?Q?WL6jrxSqYhQSZU6Znwh6OVFZEBtiRrV3aKwNBHU8jFBaC9e2+CYjeJjZLTRC?= =?us-ascii?Q?SlkXeMrpTtnHtXrgcid+J/QuiGrprrA0Kd5Kbt88Oxb8zmAd9jE3iCxjO5Ds?= =?us-ascii?Q?G2B7HRECW7rnwgn6GIkXkrhOKscZQ+fiSdVcM78WRbumQks5X7FTSq9w6IG5?= =?us-ascii?Q?MqDtq1xwtScoFOjLJGNJ7x8L2foGcM3JcccFOKCQgqevhUAcvGw8i2QF6tMS?= =?us-ascii?Q?r5DLCFdbyfk6bDKAqfxl9/gVFHPcBHjoa7GTKbuh5lna7bkPFKOWiEHQcurh?= =?us-ascii?Q?O9PDYKARGudTUxX2RvxtjSaLOFnBJ7Y8GBD8QV9b6H/LzSQA5kEcWUKczneE?= =?us-ascii?Q?Wn6Tf69VdsxkPILRgJ9fH4k/uMLwqZa8JBIBECRfGnF8T+UXh6dqMsKEC5e4?= =?us-ascii?Q?1oAI8KvdvVXN5/tD02wITWPxrjIr5uJCy61yXhnS/i0b51hk/Ff4FchbgpYR?= =?us-ascii?Q?qnQJpfEGlmfBs34H7ufsXIs6rZCEMex30pFfAXDE?= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: IA1PR12MB8311.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0d8d3d42-d320-459a-c21b-08dc321b96b8 X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2024 13:55:25.3700 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: BvPFH0IXM7y+N7kxl079OREfBnoHG5yfpXzKdLDOgD47h3xADJDuiU71UiEvaKIpNK7LcdawpSesahBVwq8LhA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR12MB4368 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Hi, > -----Original Message----- > From: Yunjian Wang > Sent: Tuesday, February 20, 2024 10:32 > To: dev@dpdk.org > Cc: Dariusz Sosnowski ; Ori Kam > ; Matan Azrad ; Slava Ovsiienko > ; Suanming Mou ; > luyicai@huawei.com; Pengfei Sun ; > stable@dpdk.org > Subject: [PATCH] net/mlx5: fix use after free when releasing tx queues >=20 > From: Pengfei Sun >=20 > In function mlx5_dev_configure, dev->data->tx_queues is assigned to priv- > >txqs. When a member is removed from a bond, the function > eth_dev_tx_queue_config is called to release dev->data->tx_queues. > However, function mlx5_dev_close will access priv->txqs again and cause t= he > use after free problem. >=20 > In function mlx5_dev_close, before free priv->txqs, we add a check that d= ev- > >data->tx_queues is not NULL. >=20 > build/app/dpdk-testpmd -c7 -a 0000:08:00.2 -- -i --nb-cores=3D2 > --total-num-mbufs=3D2048 >=20 > testpmd> port stop 0 > testpmd> create bonding device 4 0 > testpmd> add bonding member 0 1 > testpmd> remove bonding member 0 1 > testpmd> quit >=20 > ASan reports: > =3D=3D2571911=3D=3DERROR: AddressSanitizer: heap-use-after-free on addres= s > 0x000174529880 at pc 0x0000113c8440 bp 0xffffefae0ea0 sp 0xffffefae0eb0 > READ of size 8 at 0x000174529880 thread T0 > #0 0x113c843c in mlx5_txq_release ../drivers/net/mlx5/mlx5_txq.c: > 1203 > #1 0xffdb53c in mlx5_dev_close ../drivers/net/mlx5/mlx5.c:2286 > #2 0xe12dc0 in rte_eth_dev_close ../lib/ethdev/rte_ethdev.c:1877 > #3 0x6bac1c in close_port ../app/test-pmd/testpmd.c:3540 > #4 0x6bc320 in pmd_test_exit ../app/test-pmd/testpmd.c:3808 > #5 0x6c1a94 in main ../app/test-pmd/testpmd.c:4759 > #6 0xffff9328f038 (/usr/lib64/libc.so.6+0x2b038) > #7 0xffff9328f110 in __libc_start_main (/usr/lib64/libc.so.6+ > 0x2b110) >=20 > Fixes: 6e78005 ("net/mlx5: add reference counter on DPDK Tx queues") > Cc: stable@dpdk.org >=20 > Reported-by: Yunjian Wang > Signed-off-by: Pengfei Sun Acked-by: Dariusz Sosnowski Thank you for the patch. Question to ethdev maintainers: While reviewing this patch, I took a look at rte_eth_dev_internal_reset() w= hich is called by bonding PMD for removed members. This resets Rx and Tx queue configuration, and dev->data->dev_conf, but not dev->data->dev_configured flag. So theoretically, after this call, a port can be started without port confi= guration, which seems invalid. What do you think? Should it be fixed?=20 Best regards, Dariusz Sosnowski