From: Yuanhan Liu
To: Patrick MacArthur
Cc: Sergio Gonzalez Monroy, dpdk stable
Date: Tue, 21 Nov 2017 21:17:04 +0800
Message-Id: <1511270333-31002-82-git-send-email-yliu@fridaylinux.org>
In-Reply-To: <1511270333-31002-1-git-send-email-yliu@fridaylinux.org>
Subject: [dpdk-stable] patch 'eal: copy raw strings taken from command line' has been queued to stable release 17.08.1

Hi,

FYI, your patch has been queued to stable release 17.08.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/24/17. So please
shout if anyone has objections.

Thanks.

	--yliu

---
From fc780b6246c648e32a290368f829909bfc0bc735 Mon Sep 17 00:00:00 2001
From: Patrick MacArthur
Date: Fri, 4 Aug 2017 14:53:57 -0400
Subject: [PATCH] eal: copy raw strings taken from command line

[ upstream commit e3f141879ef480c9e72e95d179c0879aed461406 ]

Normally, command line argument strings are considered immutable, but
SPDK [1] and urdma [2] construct argv arrays to pass to rte_eal_init().
These strings are allocated using malloc() and freed after DPDK
initialization with free(). However, in the case of --file-prefix and
--huge-dir, DPDK takes the pointer to these strings in argv directly. If
a secondary process calls rte_eal_pci_probe() after rte_eal_init()
returns, as is done by SPDK, this causes a use-after-free error because
the strings have been freed by the calling code immediately after
rte_eal_init() returns.

This problem was observed when running SPDK example programs as a
secondary process and causes the secondary processes to fail:

    Starting DPDK 16.11.1 initialization...
    [ DPDK EAL parameters: identify -c 4 --file-prefix=spdk3260 --base-virtaddr=0x1000000000 --proc-type=auto ]
    EAL: Detected 40 lcore(s)
    EAL: Auto-detected process type: SECONDARY
    EAL: Probing VFIO support...
    EAL: VFIO support initialized
    EAL: PCI device 0000:81:00.0 on NUMA socket 1
    EAL:   probe driver: 8086:953 spdk_nvme
    EAL: cannot connect to primary process!
    EAL: Error - exiting with code: 1
      Cause: Requested device 0000:81:00.0 cannot be used

Running strace shows that the file prefix has been zero'd out by the
time that the secondary process attempts to probe the NVMe device.
The use-after-free errors can be easily detected with valgrind:

    ==8489== Invalid read of size 1
    ==8489==    at 0x4C30D22: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==8489==    by 0x58DB955: vfprintf (vfprintf.c:1637)
    ==8489==    by 0x59A4685: __vsnprintf_chk (vsnprintf_chk.c:63)
    ==8489==    by 0x59A45E7: __snprintf_chk (snprintf_chk.c:34)
    ==8489==    by 0x1246AB: get_socket_path.constprop.0 (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x124B09: vfio_mp_sync_connect_to_primary (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x123BE4: vfio_get_group_fd.part.1 (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x124366: vfio_setup_device (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x126C8A: pci_vfio_map_resource (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x12B115: pci_probe_all_drivers.part.0 (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x12B596: rte_eal_pci_probe (in /home/pmacarth/src/spdk/examples/nvme/identify/identify)
    ==8489==    by 0x11D5B5: spdk_pci_enumerate (pci.c:147)
    ==8489==  Address 0x63f362e is 14 bytes inside a block of size 32 free'd
    ==8489==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==8489==    by 0x11E6FB: spdk_free_args (init.c:136)
    ==8489==    by 0x11EBF5: spdk_env_init (init.c:309)
    ==8489==    by 0x10D2AA: main (identify.c:976)
    ==8489==  Block was alloc'd at
    ==8489==    at 0x4C2DB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==8489==    by 0x11E7D7: _sprintf_alloc (init.c:76)
    ==8489==    by 0x11EA78: spdk_build_eal_cmdline (init.c:251)
    ==8489==    by 0x11EA78: spdk_env_init (init.c:282)
    ==8489==    by 0x10D2AA: main (identify.c:976)
    ==8489==

Fix this by using strdup() to create separate memory buffers for these
strings. Note that this patch will cause valgrind to report memory leaks
of these buffers as there is nowhere to free them.
Using static buffers is an option but would make these strings have a fixed maximum length whereas there is currently no limit defined by the API. [1] http://spdk.io [2] https://github.com/zrlio/urdma Fixes: af75078fece3 ("first public release") Signed-off-by: Patrick MacArthur Acked-by: Sergio Gonzalez Monroy --- lib/librte_eal/linuxapp/eal/eal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/librte_eal/linuxapp/eal/eal.c b/lib/librte_eal/linuxapp/eal/eal.c index 48f12f4..529d2ce 100644 --- a/lib/librte_eal/linuxapp/eal/eal.c +++ b/lib/librte_eal/linuxapp/eal/eal.c @@ -569,11 +569,11 @@ eal_parse_args(int argc, char **argv) break; case OPT_HUGE_DIR_NUM: - internal_config.hugepage_dir = optarg; + internal_config.hugepage_dir = strdup(optarg); break; case OPT_FILE_PREFIX_NUM: - internal_config.hugefile_prefix = optarg; + internal_config.hugefile_prefix = strdup(optarg); break; case OPT_SOCKET_MEM_NUM: -- 2.7.4
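
Review bot: Both strdup() results, in the OPT_HUGE_DIR_NUM and OPT_FILE_PREFIX_NUM cases, are stored without a NULL check, so an allocation failure leaves internal_config.hugepage_dir or internal_config.hugefile_prefix NULL and the problem only shows up later, where the string is formatted (the valgrind trace in the commit message has get_socket_path passing the prefix to snprintf). Suggest testing the return value in eal_parse_args() and failing the parse at that point. Separately, when either option is given more than once the earlier copy is overwritten and lost; since the commit message already accepts that these buffers are never freed, a short comment at the two assignments saying the copy is intentionally kept for the life of the process would document that.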
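
The aliasing the commit message describes, as an added example (not part of the original message, the patch, or DPDK): `demo_config`, `demo_parse` and `demo_run` are hypothetical names, and the argv string is constructed from the log line quoted above. With the old assignment the stored pointer sits 14 bytes into the caller's heap block, the length of `--file-prefix=`, which is the offset valgrind reports; with strdup() the value is still readable after the caller frees argv.

```c
#define _POSIX_C_SOURCE 200809L /* strdup() under strict -std=c99/c11 */
#include <getopt.h>
#include <stdlib.h>
#include <string.h>

struct demo_config { char *hugefile_prefix; }; /* hypothetical stand-in for internal_config */

/* Parses --file-prefix as the hunk does: copy=0 is the old code, copy=1 the patched code. */
static int demo_parse(int argc, char **argv, struct demo_config *cfg, int copy)
{
    static const struct option opts[] = {
        { "file-prefix", required_argument, NULL, 'p' },
        { NULL, 0, NULL, 0 }
    };
    int c;
    optind = 1; /* restart getopt so the parser can run more than once */
    while ((c = getopt_long(argc, argv, "", opts, NULL)) != -1) {
        if (c != 'p')
            return -1;
        cfg->hugefile_prefix = copy ? strdup(optarg) : optarg;
        if (cfg->hugefile_prefix == NULL)
            return -1; /* strdup() failed */
    }
    return 0;
}

/* Caller's sequence from the commit message: heap argv, init, free. Returns the stored
 * pointer's offset inside argv[1] if it aliases it, -1 for an intact private copy, else -2. */
long demo_run(int copy)
{
    char prog[] = "identify";
    char *arg = strdup("--file-prefix=spdk3260"); /* constructed, caller-owned */
    char *argv[] = { prog, arg, NULL };
    struct demo_config cfg = { NULL };
    long ret = -2;
    if (arg == NULL || demo_parse(2, argv, &cfg, copy) != 0 || !cfg.hugefile_prefix) {
        free(arg);
        return ret;
    }
    if (cfg.hugefile_prefix == strchr(arg, '=') + 1)
        ret = (long)(cfg.hugefile_prefix - arg); /* points into the caller's block */
    free(arg); /* the caller releases argv right after init, as SPDK does */
    if (ret < 0 && strcmp(cfg.hugefile_prefix, "spdk3260") == 0)
        ret = -1; /* only a private copy may be read at this point */
    if (ret < 0)
        free(cfg.hugefile_prefix); /* the copy's owner has to release it */
    return ret;
}

int main(void) { return (demo_run(0) == 14 && demo_run(1) == -1) ? 0 : 1; }
```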