From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BEBA342A32 for ; Mon, 1 May 2023 14:32:33 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B987A42B8B; Mon, 1 May 2023 14:32:33 +0200 (CEST) Received: from forward103a.mail.yandex.net (forward103a.mail.yandex.net [178.154.239.86]) by mails.dpdk.org (Postfix) with ESMTP id 9C1E740EE3; Mon, 1 May 2023 14:32:31 +0200 (CEST) Received: from mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net [IPv6:2a02:6b8:c1f:5f1d:0:640:49bf:0]) by forward103a.mail.yandex.net (Yandex) with ESMTP id 0047346C74; Mon, 1 May 2023 15:32:31 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id SWLrmOeDca60-6UKhedKs; Mon, 01 May 2023 15:32:30 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1682944350; bh=YfYHFK87LKxJof1lnJhNw2cz2FOFRKy1rimtL8GraZY=; h=From:Subject:In-Reply-To:Cc:Date:References:To:Message-ID; b=U0GDZkOjPTa5tblM3iOTXOlSdsa9bP9x3Yquz0OGr4rT3miq+RDXqp8Kqdd3Lj/8w +hCiCc9FFjeYpPzG4eDgYzE4/gbxLXLs6S8+haFJSd9CJgyKbIedpvQxCOLzHpIBkX viScxYwCQ84nIvk/5TBmFdJxapimiB91vxeK5in0= Authentication-Results: mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <1e024be7-14a7-1997-43a2-2d2571fc984d@yandex.ru> Date: Mon, 1 May 2023 13:32:28 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 To: wangyunjian@huawei.com Cc: dev@dpdk.org, honnappa.nagarahalli@arm.com, konstantin.v.ananyev@yandex.ru, luyicai@huawei.com, stable@dpdk.org References: Subject: Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release Content-Language: en-US From: Konstantin Ananyev In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org > After the memzone is freed, it is not removed from the 'rte_ring_tailq'. > If rte_ring_lookup is called at this time, it will cause a use-after-free > problem. This change prevents that from happening. > > Fixes: 4e32101f9b01 ("ring: support freeing") > Cc: stable@dpdk.org > > Suggested-by: Honnappa Nagarahalli > Signed-off-by: Yunjian Wang > --- > v2: update code suggested by Honnappa Nagarahalli > --- > lib/ring/rte_ring.c | 8 +++----- > 1 file changed, 3 insertions(+), 5 deletions(-) > > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c > index 8ed455043d..2755323b8a 100644 > --- a/lib/ring/rte_ring.c > +++ b/lib/ring/rte_ring.c > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r) > return; > } > > - if (rte_memzone_free(r->memzone) != 0) { > - RTE_LOG(ERR, RING, "Cannot free memory\n"); > - return; > - } > - > ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list); > rte_mcfg_tailq_write_lock(); > > @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r) > > TAILQ_REMOVE(ring_list, te, next); > > + if (rte_memzone_free(r->memzone) != 0) > + RTE_LOG(ERR, RING, "Cannot free memory\n"); > + I nit: I think it is a bit better to first release the lock and then free the memzone. Apart from that, LGTM. Acked-by: Konstantin Ananyev > rte_mcfg_tailq_write_unlock(); > > rte_free(te); > -- > 2.33.0