From: Yunjian Wang
Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
Date: Mon, 17 Apr 2023 21:11:59 +0800
List-Id: DPDK patches and discussions

The ring is used to find the tailq entry; however, it had already been
freed by the rte_memzone_free function. This change prevents that from
happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang
---
 lib/ring/rte_ring.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..17d2d7f8a8 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r) return; } - if (rte_memzone_free(r->memzone) != 0) { - RTE_LOG(ERR, RING, "Cannot free memory\n"); - return; - } - ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list); rte_mcfg_tailq_write_lock(); @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r) if (te == NULL) { rte_mcfg_tailq_write_unlock(); - return; + goto free_memzone; } TAILQ_REMOVE(ring_list, te, next); @@ -357,6 +352,10 @@ rte_ring_free(struct rte_ring *r) rte_mcfg_tailq_write_unlock(); rte_free(te); + +free_memzone: + if (rte_memzone_free(r->memzone) != 0) + RTE_LOG(ERR, RING, "Cannot free memory\n"); } /* dump the status of the ring on the console */ -- 2.33.0
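
Review bot: In the new free_memzone block at the end of rte_ring_free(), a failing rte_memzone_free() is only logged after TAILQ_REMOVE and rte_free(te) have already run, so the ring's memory stays reserved while the ring is no longer reachable through the ring list. The removed block returned before touching the list in that case, which left the ring registered. Since the function returns void the caller cannot see either outcome, so please state in the commit message that this ordering is intended, or explain why a memzone free failure cannot occur once the earlier checks have passed. The `goto free_memzone` in the `te == NULL` branch keeps the previous behaviour of freeing the memzone even when no tailq entry matches, which deserves a one-line comment at the label. The commit message also does not say which access reads the freed ring: the visible context shows only the tailq cast and the write-locked lookup, so naming the exact dereference (or the concurrent path that reaches it) would let stable maintainers judge the backport.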