From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f193.google.com (mail-wr0-f193.google.com [209.85.128.193]) by dpdk.org (Postfix) with ESMTP id 3E68D187 for ; Mon, 30 Apr 2018 16:43:00 +0200 (CEST) Received: by mail-wr0-f193.google.com with SMTP id o15-v6so8277395wro.11 for ; Mon, 30 Apr 2018 07:43:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=wOtHA3H4pNyVFrlE1dYwGvQ9MzFWSMAzPd8A/mpwudc=; b=E+EtLsf9K3L27NAihNhIl6H0pbmPUPrzujXkKyn2RJ4cK6tFq3IcoIFPsPRwzQCfuQ fqjxtodbIOVkULAdgKxguGMmvY8X83sbElKVP6/21CiLNGvXDTGqPlFgT3deQTWIAElu KaIIU7kzAk+GTFw9FG0QsKJpdXacXM00/RWLrWQRJY1r+0FV1K5Q0R1IlMjUeoISh05T 70kph7/MoM4ePE1XPELfgffGF7kr2FPcTJN1AWLekGkZ++0erApzp6v0AI2aGIkhHzqM UYvA/bZMrrOtIoy2rk6myibiKnMaqvX96JwLCtRMtnJd5Gq4QwxRXYZOhK3oiL8yc/Ep pF1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=wOtHA3H4pNyVFrlE1dYwGvQ9MzFWSMAzPd8A/mpwudc=; b=bkRuWWIMv5JO/M6eX4HMFBrRgPRJvd4ke6uoZRfyUf4EuCVBD+S4T13CWg+ntNh+uN ZU9AfGaCTcKxiSSfrs4hXNp1A08hzF0EavmPRRgQllsBqgR5dmlzqR2lGvdNZHUODC72 eTG8yXcS1oHWKy/VVewvvSESBx7NA22PNdNFxMiMn3m6mqzxxNLvwMr2AHqYxgSaU6Af JDXhhtZeGvOV/laXReS90QCnLKzyviCCTblKuh+PJ5UwTC1FlOaWDuFiYA30vO6nneom yi3Im0d5bUaUZTm/FZ58y0FnXVXJEK61Cb1YgHI0Jdm6S0oN3wy4JeqwPiOwFUh3SzF0 aLLQ== X-Gm-Message-State: ALQs6tAxraCvpN5z2EKebWyoVvqh5UcxK7YLFZdxkIqVh7rIlig7nk6Q UM1dPLu3LAziy1QCCVxXuYE= X-Google-Smtp-Source: AB8JxZqJZzsTXRCsq36KKCcSsrxHNExQ8lt6Hd+jleTdEYapnfscxZQiv14Jm7V9A1N7syO+Xyfvow== X-Received: by 2002:adf:93e5:: with SMTP id 92-v6mr3859655wrp.230.1525099379819; Mon, 30 Apr 2018 07:42:59 -0700 (PDT) Received: from localhost ([2a00:23c5:be9a:5200:ce4c:82c0:d567:ecbb]) by smtp.gmail.com with ESMTPSA id d9-v6sm1345554wrn.71.2018.04.30.07.42.58 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 30 Apr 2018 07:42:58 -0700 (PDT) From: luca.boccassi@gmail.com To: Allain Legacy Cc: Konstantin Ananyev , dpdk stable Date: Mon, 30 Apr 2018 15:40:37 +0100 Message-Id: <20180430144223.18657-22-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20180430144223.18657-1-luca.boccassi@gmail.com> References: <20180430140606.4615-80-luca.boccassi@gmail.com> <20180430144223.18657-1-luca.boccassi@gmail.com> Subject: [dpdk-stable] patch 'ip_frag: fix double free of chained mbufs' has been queued to stable release 18.02.2 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2018 14:43:00 -0000 Hi, FYI, your patch has been queued to stable release 18.02.2 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 05/02/18. So please shout if anyone has objections. Thanks. Luca Boccassi --- >>From 495b149f719b6ad560a4ffde6d4a6fbb15a2c3ac Mon Sep 17 00:00:00 2001 From: Allain Legacy Date: Mon, 19 Mar 2018 09:25:23 -0500 Subject: [PATCH] ip_frag: fix double free of chained mbufs [ upstream commit 4f512a1919998933a39886ab2ec7f2fdde48756c ] The first mbuf and the last mbuf to be visited in the preceding loop are not set to NULL in the fragmentation table. This creates the possibility of a double free when the fragmentation table is later freed with rte_ip_frag_table_destroy(). Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy") Signed-off-by: Allain Legacy Acked-by: Konstantin Ananyev --- lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++ lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c index 82e831ca3..4956b99ea 100644 --- a/lib/librte_ip_frag/rte_ipv4_reassembly.c +++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c @@ -59,7 +59,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp) /* chain with the first fragment. */ rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); + fp->frags[curr_idx].mb = NULL; m = fp->frags[IP_FIRST_FRAG_IDX].mb; + fp->frags[IP_FIRST_FRAG_IDX].mb = NULL; /* update mbuf fields for reassembled packet. */ m->ol_flags |= PKT_TX_IP_CKSUM; diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c index 3479fabb8..db249fe60 100644 --- a/lib/librte_ip_frag/rte_ipv6_reassembly.c +++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c @@ -82,7 +82,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp) /* chain with the first fragment. */ rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len)); rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m); + fp->frags[curr_idx].mb = NULL; m = fp->frags[IP_FIRST_FRAG_IDX].mb; + fp->frags[IP_FIRST_FRAG_IDX].mb = NULL; /* update mbuf fields for reassembled packet. */ m->ol_flags |= PKT_TX_IP_CKSUM; -- 2.14.2