From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <luca.boccassi@gmail.com>
Received: from mail-wm0-f66.google.com (mail-wm0-f66.google.com [74.125.82.66])
 by dpdk.org (Postfix) with ESMTP id 77E0928F3
 for <stable@dpdk.org>; Tue,  1 May 2018 12:47:07 +0200 (CEST)
Received: by mail-wm0-f66.google.com with SMTP id f8so7933533wmc.4
 for <stable@dpdk.org>; Tue, 01 May 2018 03:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=DyxRnLTmuSNJvD0VLuDhO1lGBsA84XK6892VfwbrAGw=;
 b=mwrNeBPmh4SMQ27MjIlZmaQ+Vkcoqg4LWMeSbSzfbtEFjwk12LxR6HdQk/enIi5JEV
 IbsDw+YQy20FW0kmq9FTk9rYapIIxZKWvfbTKijI94ZL0Ku+gl1uDZvIuoD0Uxc0MUwD
 d38OGfH5lBM1b3LqTdSEhsAHe3xaDVYaSUl04j21+rFXLB5H93HVp64LQMLdebspa0f6
 YYlLNDnoj6XNN857vXGfyba4FMff65pazKmWyaqq7lip52W4VNKxh5PUV6AE2pkF+1Dk
 00LNUvQy1C6mpMxAdg1unZqQC+iYOqwlEDxB9XUfrQv/bWbuPMHjB3jaKjYyQzRDijJF
 1V7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=DyxRnLTmuSNJvD0VLuDhO1lGBsA84XK6892VfwbrAGw=;
 b=c/hz2fAMEAr2/8hED8DfZpJi5Z5HMhKKzJhbPEPhOaRK57o/G0JfKIRJaOVs6yC7Iw
 CpXvcQYhNqj9h3iNo7qvq7zmum8FIRzrcIrrZEfojLYtWiNr5OzrWHzlZoW5Wt2+wyJj
 q6hMhL0C35AX1H7hY7h2luVl3z7TipmQqamzYfbXXZH16Rr0ci371o3+8jRgbs1hztxE
 qY0FdTqqdbRjg/Q9ATRPtPBWUajkmkRINSC7W7sf/zawFxALIZjn98FH6RchuivZAPDS
 Ph8X74yTTnzlzc15+CJQxE9U5BN11Nlqj1acFaBjnKDavdqU+uCDy5CgadD5Cbm2i4n8
 ClVg==
X-Gm-Message-State: ALQs6tCIREdS8QK3wjxNcjqUeTiutwCcLNP1NmwdaaJt1K5wxCK259N6
 5Oe5N7sQF+F5gczAMc8m01Y=
X-Google-Smtp-Source: AB8JxZp8cHLD0T1lGEWhcpoU6X1/s5wWoqMNtDgfPskVoV46tvan5fJ6igBFeXi/7bgawj8ykuaCyw==
X-Received: by 10.28.52.73 with SMTP id b70mr6851676wma.42.1525171627079;
 Tue, 01 May 2018 03:47:07 -0700 (PDT)
Received: from localhost (slip139-92-244-193.lon.uk.prserv.net.
 [139.92.244.193])
 by smtp.gmail.com with ESMTPSA id 47-v6sm2614800wrw.40.2018.05.01.03.47.06
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Tue, 01 May 2018 03:47:06 -0700 (PDT)
From: luca.boccassi@gmail.com
To: Allain Legacy <allain.legacy@windriver.com>
Cc: Konstantin Ananyev <konstantin.ananyev@intel.com>,
 dpdk stable <stable@dpdk.org>
Date: Tue,  1 May 2018 11:44:44 +0100
Message-Id: <20180501104509.17238-21-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.14.2
In-Reply-To: <20180501104509.17238-1-luca.boccassi@gmail.com>
References: <20180501104509.17238-1-luca.boccassi@gmail.com>
Subject: [dpdk-stable] patch 'ip_frag: fix double free of chained mbufs' has
	been queued to LTS release 16.11.7
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2018 10:47:07 -0000

Hi,

FYI, your patch has been queued to LTS release 16.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/03/18. So please
shout if anyone has objections.

Thanks.

Luca Boccassi

---
>>From 874bea998d7a60cf1a4e8838c8dac07ce5999685 Mon Sep 17 00:00:00 2001
From: Allain Legacy <allain.legacy@windriver.com>
Date: Mon, 19 Mar 2018 09:25:23 -0500
Subject: [PATCH] ip_frag: fix double free of chained mbufs

[ upstream commit 4f512a1919998933a39886ab2ec7f2fdde48756c ]

The first mbuf and the last mbuf to be visited in the preceding loop
are not set to NULL in the fragmentation table.  This creates the
possibility of a double free when the fragmentation table is later freed
with rte_ip_frag_table_destroy().

Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")

Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_ip_frag/rte_ipv4_reassembly.c | 2 ++
 lib/librte_ip_frag/rte_ipv6_reassembly.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/lib/librte_ip_frag/rte_ipv4_reassembly.c b/lib/librte_ip_frag/rte_ipv4_reassembly.c
index e084ca59a..847ea0d63 100644
--- a/lib/librte_ip_frag/rte_ipv4_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv4_reassembly.c
@@ -88,7 +88,9 @@ ipv4_frag_reassemble(struct ip_frag_pkt *fp)
 	/* chain with the first fragment. */
 	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+	fp->frags[curr_idx].mb = NULL;
 	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 
 	/* update mbuf fields for reassembled packet. */
 	m->ol_flags |= PKT_TX_IP_CKSUM;
diff --git a/lib/librte_ip_frag/rte_ipv6_reassembly.c b/lib/librte_ip_frag/rte_ipv6_reassembly.c
index 21a5ef5d3..d9b5d6903 100644
--- a/lib/librte_ip_frag/rte_ipv6_reassembly.c
+++ b/lib/librte_ip_frag/rte_ipv6_reassembly.c
@@ -111,7 +111,9 @@ ipv6_frag_reassemble(struct ip_frag_pkt *fp)
 	/* chain with the first fragment. */
 	rte_pktmbuf_adj(m, (uint16_t)(m->l2_len + m->l3_len));
 	rte_pktmbuf_chain(fp->frags[IP_FIRST_FRAG_IDX].mb, m);
+	fp->frags[curr_idx].mb = NULL;
 	m = fp->frags[IP_FIRST_FRAG_IDX].mb;
+	fp->frags[IP_FIRST_FRAG_IDX].mb = NULL;
 
 	/* update mbuf fields for reassembled packet. */
 	m->ol_flags |= PKT_TX_IP_CKSUM;
-- 
2.14.2