* [DPDK/ethdev Bug 1551] use after free in Sfc driver
@ 2024-09-25 16:32 bugzilla
2024-10-16 20:45 ` bugzilla
0 siblings, 1 reply; 2+ messages in thread
From: bugzilla @ 2024-09-25 16:32 UTC (permalink / raw)
To: dev
[-- Attachment #1: Type: text/plain, Size: 11906 bytes --]
https://bugs.dpdk.org/show_bug.cgi?id=1551
Bug ID: 1551
Summary: use after free in Sfc driver
Product: DPDK
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: stephen@networkplumber.org
Target Milestone: ---
If GCC function attributes are added to rte_malloc, then it is able to spot use
after free in several places.
1255/2957] Compiling C object
drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_flow_rss.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
from ../drivers/net/sfc/sfc_flow_rss.c:15:
../drivers/net/sfc/sfc_flow_rss.c: In function ‘sfc_flow_rss_ctx_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘ctx’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:308:9: note: in expansion of macro ‘sfc_dbg’
308 | sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
| ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:306:9: note: call to ‘rte_free’ here
306 | rte_free(ctx);
| ^~~~~~~~~~~~~
[1262/2957] Compiling C object
drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_mae.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
from ../drivers/net/sfc/sfc_mae.c:19:
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_encap_header_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘encap_header’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:791:9: note: in expansion of macro ‘sfc_dbg’
791 | sfc_dbg(sa, "deleted encap_header=%p", encap_header);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:789:9: note: call to ‘rte_free’ here
789 | rte_free(encap_header);
| ^~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_mac_addr_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘mac_addr’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:590:9: note: in expansion of macro ‘sfc_dbg’
590 | sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:588:9: note: call to ‘rte_free’ here
588 | rte_free(mac_addr);
| ^~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_outer_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:405:9: note: in expansion of macro ‘sfc_dbg’
405 | sfc_dbg(sa, "deleted outer_rule=%p", rule);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:403:9: note: call to ‘rte_free’ here
403 | rte_free(rule);
| ^~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_counter_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘counter’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:988:9: note: in expansion of macro ‘sfc_dbg’
988 | sfc_dbg(sa, "deleted counter=%p", counter);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:986:9: note: call to ‘rte_free’ here
986 | rte_free(counter);
| ^~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1170:9: note: in expansion of macro ‘sfc_dbg’
1170 | sfc_dbg(sa, "deleted action_set=%p", action_set);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1168:9: note: call to ‘rte_free’ here
1168 | rte_free(action_set);
| ^~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_list_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set_list’ used
after ‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1407:9: note: in expansion of macro ‘sfc_dbg’
1407 | sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1405:9: note: call to ‘rte_free’ here
1405 | rte_free(action_set_list);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after
‘rte_free’ [-Wuse-after-free]
38 | rte_log(level, type,
\
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n",
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40 | _sas->log_prefix,
\
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41 | RTE_FMT_TAIL(__VA_ARGS__,)));
\
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,
\
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1672:9: note: in expansion of macro ‘sfc_dbg’
1672 | sfc_dbg(sa, "deleted action_rule=%p", rule);
| ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1670:9: note: call to ‘rte_free’ here
1670 | rte_free(rule);
| ^~~~~~~~~~~~~~
--
You are receiving this mail because:
You are the assignee for the bug.
[-- Attachment #2: Type: text/html, Size: 14050 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* [DPDK/ethdev Bug 1551] use after free in Sfc driver
2024-09-25 16:32 [DPDK/ethdev Bug 1551] use after free in Sfc driver bugzilla
@ 2024-10-16 20:45 ` bugzilla
0 siblings, 0 replies; 2+ messages in thread
From: bugzilla @ 2024-10-16 20:45 UTC (permalink / raw)
To: dev
[-- Attachment #1: Type: text/plain, Size: 548 bytes --]
https://bugs.dpdk.org/show_bug.cgi?id=1551
Thomas Monjalon (thomas@monjalon.net) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Thomas Monjalon (thomas@monjalon.net) ---
Resolved in http://git.dpdk.org/dpdk/commit/?id=757b0b6f20
--
You are receiving this mail because:
You are the assignee for the bug.
[-- Attachment #2: Type: text/html, Size: 2553 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-16 20:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-09-25 16:32 [DPDK/ethdev Bug 1551] use after free in Sfc driver bugzilla
2024-10-16 20:45 ` bugzilla
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).