From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 4BCFEA0093
	for <public@inbox.dpdk.org>; Thu,  9 Dec 2021 17:29:28 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 41F6B4014F;
	Thu,  9 Dec 2021 17:29:28 +0100 (CET)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com
 [209.85.221.48]) by mails.dpdk.org (Postfix) with ESMTP id E339B40041
 for <stable@dpdk.org>; Thu,  9 Dec 2021 17:29:26 +0100 (CET)
Received: by mail-wr1-f48.google.com with SMTP id u1so10582628wru.13
 for <stable@dpdk.org>; Thu, 09 Dec 2021 08:29:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=QEI6a58x1ZwHOiAf2A63t/rp93NzqHlDOSGeh8OKXRI=;
 b=WaLuWLEp8AoXj/4Cu8ZsZ//xePRmu3zNiEJUv0F08TzxDmXDrrZpjU92zPOXndt8FC
 mrgeufLs99QqUl05pxUCKGvtRKUYKXmXM8VinixKgXdrl2wxLxu3nW2ruG2tjY5+f+cc
 F5oabZDej+XJGXwbLYG+7ocuTBEvrF+fntEk1qw9anN04YATsr9usG95SO6d41lu/Rai
 rkcM/0IrN2wIYfyac9NH2DrR6KzZ0z4mONSYUtJwS/pH4tB9o2tCfIPRTE+cMNzoFqbh
 y2J0VP5LN8W+MibQNuOxr4xfJdekrIhiXjRBy1E3CBdUZB7RTzhEx/dMMHDR6rJjQ0Kz
 WVFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=QEI6a58x1ZwHOiAf2A63t/rp93NzqHlDOSGeh8OKXRI=;
 b=ozo9TI4n3agX3SesIIoOdn+2AThvIRpfVCramG3WC7/JZMqb/naWzSwEJ9eb9WFc4R
 gBUf54JBlOu4BhGm4+awh0Nk1F0ljCDm+7SO4dN6ZGSjHYFg5K8bsq81dLMhhuv1eSnY
 +vXe50NgBspozpn3dpOIjmCqP2cjxp7skPOav73e0j7vFcqKp1M+pyzoLyHYXbzeBW+S
 7t9bZZe4nczmUPd3JjN0larOwGDFmfY9jVI9YEydU7czJ5gXlSDRhWjyBnIMs96hbf+C
 EK4uRYPxnirZoniQ05c/mE9JjIto+UX3aEz/iw8ZG1q9DJ26hbY+aMKtVZFac6RMiL/8
 hJbg==
X-Gm-Message-State: AOAM533wTHl4yZWKcBf31agKj6kjA9u0qS+iWlMiFjknuNP26GhGmNzW
 oqVxwVJ7bM1QX29J36C0LzUYzBcVaJ6ilg==
X-Google-Smtp-Source: ABdhPJx4LAOJhQbfC12Ccl4ko3fB9jMu3Pw/+c1F9BeReu4RHfI4zqaSo0DUvxRKx1zrD4b/MKAvsQ==
X-Received: by 2002:adf:c751:: with SMTP id b17mr7882858wrh.560.1639067366662; 
 Thu, 09 Dec 2021 08:29:26 -0800 (PST)
Received: from gojira.dev.6wind.com ([185.13.181.2])
 by smtp.gmail.com with ESMTPSA id j40sm273907wms.16.2021.12.09.08.29.26
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 09 Dec 2021 08:29:26 -0800 (PST)
From: Olivier Matz <olivier.matz@6wind.com>
To: stable@dpdk.org
Cc: David Marchand <david.marchand@redhat.com>
Subject: [PATCH 19.11] test/mbuf: fix access to freed memory
Date: Thu,  9 Dec 2021 17:29:14 +0100
Message-Id: <20211209162914.29808-1-olivier.matz@6wind.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

[ upstream commit 7dc627426e534c3b04e4f872343e1899df26471e ]

Seen by ASan.

In the external buffer mbuf test, we check that the buffer is freed
by checking that its refcount is 0.
This is not a valid condition, because it accesses to an already
freed area.

Fix this by setting a boolean flag in the callback when rte_free()
is actually called, and check this flag instead.

Bugzilla ID: 867
Fixes: 7b295dceea07 ("test/mbuf: add unit test cases")

Reported-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
---
 app/test/test_mbuf.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/app/test/test_mbuf.c b/app/test/test_mbuf.c
index da9d1d9323..3a7ff90290 100644
--- a/app/test/test_mbuf.c
+++ b/app/test/test_mbuf.c
@@ -4,6 +4,7 @@
 
 #include <string.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -2286,16 +2287,16 @@ test_pktmbuf_read_from_chain(struct rte_mempool *pktmbuf_pool)
 
 /* Define a free call back function to be used for external buffer */
 static void
-ext_buf_free_callback_fn(void *addr __rte_unused, void *opaque)
+ext_buf_free_callback_fn(void *addr, void *opaque)
 {
-	void *ext_buf_addr = opaque;
+	bool *freed = opaque;
 
-	if (ext_buf_addr == NULL) {
+	if (addr == NULL) {
 		printf("External buffer address is invalid\n");
 		return;
 	}
-	rte_free(ext_buf_addr);
-	ext_buf_addr = NULL;
+	rte_free(addr);
+	*freed = true;
 	printf("External buffer freed via callback\n");
 }
 
@@ -2319,6 +2320,7 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool)
 	void *ext_buf_addr = NULL;
 	uint16_t buf_len = EXT_BUF_TEST_DATA_LEN +
 				sizeof(struct rte_mbuf_ext_shared_info);
+	bool freed = false;
 
 	/* alloc a mbuf */
 	m = rte_pktmbuf_alloc(pktmbuf_pool);
@@ -2334,7 +2336,7 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool)
 		GOTO_FAIL("%s: External buffer allocation failed\n", __func__);
 
 	ret_shinfo = rte_pktmbuf_ext_shinfo_init_helper(ext_buf_addr, &buf_len,
-		ext_buf_free_callback_fn, ext_buf_addr);
+		ext_buf_free_callback_fn, &freed);
 	if (ret_shinfo == NULL)
 		GOTO_FAIL("%s: Shared info initialization failed!\n", __func__);
 
@@ -2367,26 +2369,35 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool)
 
 	if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 2)
 		GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__);
+	if (freed)
+		GOTO_FAIL("%s: extbuf should not be freed\n", __func__);
 
 	/* test to manually update ext_buf_ref_cnt from 2 to 3*/
 	rte_mbuf_ext_refcnt_update(ret_shinfo, 1);
 	if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 3)
 		GOTO_FAIL("%s: Update ext_buf ref_cnt failed\n", __func__);
+	if (freed)
+		GOTO_FAIL("%s: extbuf should not be freed\n", __func__);
 
 	/* reset the ext_refcnt before freeing the external buffer */
 	rte_mbuf_ext_refcnt_set(ret_shinfo, 2);
 	if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 2)
 		GOTO_FAIL("%s: set ext_buf ref_cnt failed\n", __func__);
+	if (freed)
+		GOTO_FAIL("%s: extbuf should not be freed\n", __func__);
 
 	/* detach the external buffer from mbufs */
 	rte_pktmbuf_detach_extbuf(m);
 	/* check if ref cnt is decremented */
 	if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 1)
 		GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__);
+	if (freed)
+		GOTO_FAIL("%s: extbuf should not be freed\n", __func__);
 
 	rte_pktmbuf_detach_extbuf(clone);
-	if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 0)
-		GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__);
+	if (!freed)
+		GOTO_FAIL("%s: extbuf should be freed\n", __func__);
+	freed = false;
 
 	rte_pktmbuf_free(m);
 	m = NULL;
-- 
2.30.2