From: "Renyong Wan"
To: "Thomas Monjalon", "Na Na", "Rong Qian", "Xiaoxiong Zhang", "Dongwei Xu"
Cc: "David Marchand"
Subject: Re: [PATCH] net/xsc: fix use after free in some RXQ cleanup
Date: Tue, 9 Sep 2025 21:04:54 +0800
List-Id: DPDK patches and discussions

On 2025/9/9 17:22, Thomas Monjalon wrote:
> 09/09/2025 10:08, Renyong Wan:
>> Thanks David for catching this issue.
>> We'll address it in the 25.11 release.
> I don't understand your answer.
> Do you ack this change?
> We want to merge it today because it is breaking our CI on the main branch
> (next-net has been pulled yesterday).

Sorry, I did not carefully read the mail.
Thanks for the fix.

Acked-by: Renyong Wan

>
>> On 2025/9/9 15:04, David Marchand wrote:
>>> Debian 12 gcc complains about a use after free in this cleanup section.
>>>
>>> [7/11] Compiling C object drivers/libtmp_rte_net_xsc.a.p/net_xsc_xsc_rx.c.o
>>> In function 'xsc_rss_qp_create',
>>> inlined from 'xsc_rxq_rss_obj_new' at ../drivers/net/xsc/xsc_rx.c:565:8:
>>> ../drivers/net/xsc/xsc_rx.c:501:9: warning: pointer 'req' may be used after
>>> 'free' [-Wuse-after-free]
>>> 501 | free(req);
>>> | ^~~~~~~~~
>>> ../drivers/net/xsc/xsc_rx.c:501:9: note: call to 'free' here
>>>
>>> Indeed, req may be free'd twice, as an error in the cleanup loop may
>>> jump back to the set_qp_fail label.
>>>
>>> Instead, skip the erroneous rxq and don't touch errno since all the code
>>> jumping to set_qp_fail already sets it.
>>>
>>> Fixes: 3991c890fb4c ("net/xsc: optimize RSS queue creation")
>>>
>>> Signed-off-by: David Marchand
>>> ---
>>> drivers/net/xsc/xsc_rx.c | 6 ++----
>>> 1 file changed, 2 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/net/xsc/xsc_rx.c b/drivers/net/xsc/xsc_rx.c >>> index 5f8003a1f6..5ff3f818c2 100644 >>> --- a/drivers/net/xsc/xsc_rx.c >>> +++ b/drivers/net/xsc/xsc_rx.c
>>> @@ -502,10 +502,8 @@ xsc_rss_qp_create(struct xsc_ethdev_priv *priv, int port_id) >>> for (i = 0; i < set_last_no; i++) { >>> xsc_unset_qp_info(xdev, rqn_base + i); >>> rxq_data = xsc_rxq_get(priv, i); >>> - if (rxq_data == NULL) { >>> - rte_errno = EINVAL; >>> - goto set_qp_fail; >>> - } >>> + if (rxq_data == NULL) >>> + continue; >>> rte_memzone_free(rxq_data->rq_pas); >>> rxq_data->rq_pas = NULL; >>> } > > -- Best regards, Renyong Wan
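
Review bot: The new "if (rxq_data == NULL) continue;" in the cleanup loop of xsc_rss_qp_create() skips the queue silently and carries no comment, so a later change could easily reintroduce a jump out of this loop. A one-line comment there should say that code under set_qp_fail must not jump back to the label (the free(req) that gcc flags at line 501 sits just above this loop and would run again) and that rte_errno is deliberately left untouched because every path that reaches set_qp_fail has already set it. Note also that xsc_unset_qp_info(xdev, rqn_base + i) runs before the NULL check, so the skipped queue is still unset on the device side while its rq_pas memzone is never released in this pass; a debug-level log with the skipped index would make that case visible when it happens.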