From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4BCFEA0093 for ; Thu, 9 Dec 2021 17:29:28 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 41F6B4014F; Thu, 9 Dec 2021 17:29:28 +0100 (CET) Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mails.dpdk.org (Postfix) with ESMTP id E339B40041 for ; Thu, 9 Dec 2021 17:29:26 +0100 (CET) Received: by mail-wr1-f48.google.com with SMTP id u1so10582628wru.13 for ; Thu, 09 Dec 2021 08:29:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=QEI6a58x1ZwHOiAf2A63t/rp93NzqHlDOSGeh8OKXRI=; b=WaLuWLEp8AoXj/4Cu8ZsZ//xePRmu3zNiEJUv0F08TzxDmXDrrZpjU92zPOXndt8FC mrgeufLs99QqUl05pxUCKGvtRKUYKXmXM8VinixKgXdrl2wxLxu3nW2ruG2tjY5+f+cc F5oabZDej+XJGXwbLYG+7ocuTBEvrF+fntEk1qw9anN04YATsr9usG95SO6d41lu/Rai rkcM/0IrN2wIYfyac9NH2DrR6KzZ0z4mONSYUtJwS/pH4tB9o2tCfIPRTE+cMNzoFqbh y2J0VP5LN8W+MibQNuOxr4xfJdekrIhiXjRBy1E3CBdUZB7RTzhEx/dMMHDR6rJjQ0Kz WVFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=QEI6a58x1ZwHOiAf2A63t/rp93NzqHlDOSGeh8OKXRI=; b=ozo9TI4n3agX3SesIIoOdn+2AThvIRpfVCramG3WC7/JZMqb/naWzSwEJ9eb9WFc4R gBUf54JBlOu4BhGm4+awh0Nk1F0ljCDm+7SO4dN6ZGSjHYFg5K8bsq81dLMhhuv1eSnY +vXe50NgBspozpn3dpOIjmCqP2cjxp7skPOav73e0j7vFcqKp1M+pyzoLyHYXbzeBW+S 7t9bZZe4nczmUPd3JjN0larOwGDFmfY9jVI9YEydU7czJ5gXlSDRhWjyBnIMs96hbf+C EK4uRYPxnirZoniQ05c/mE9JjIto+UX3aEz/iw8ZG1q9DJ26hbY+aMKtVZFac6RMiL/8 hJbg== X-Gm-Message-State: AOAM533wTHl4yZWKcBf31agKj6kjA9u0qS+iWlMiFjknuNP26GhGmNzW oqVxwVJ7bM1QX29J36C0LzUYzBcVaJ6ilg== X-Google-Smtp-Source: ABdhPJx4LAOJhQbfC12Ccl4ko3fB9jMu3Pw/+c1F9BeReu4RHfI4zqaSo0DUvxRKx1zrD4b/MKAvsQ== X-Received: by 2002:adf:c751:: with SMTP id b17mr7882858wrh.560.1639067366662; Thu, 09 Dec 2021 08:29:26 -0800 (PST) Received: from gojira.dev.6wind.com ([185.13.181.2]) by smtp.gmail.com with ESMTPSA id j40sm273907wms.16.2021.12.09.08.29.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Dec 2021 08:29:26 -0800 (PST) From: Olivier Matz To: stable@dpdk.org Cc: David Marchand Subject: [PATCH 19.11] test/mbuf: fix access to freed memory Date: Thu, 9 Dec 2021 17:29:14 +0100 Message-Id: <20211209162914.29808-1-olivier.matz@6wind.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org [ upstream commit 7dc627426e534c3b04e4f872343e1899df26471e ] Seen by ASan. In the external buffer mbuf test, we check that the buffer is freed by checking that its refcount is 0. This is not a valid condition, because it accesses to an already freed area. Fix this by setting a boolean flag in the callback when rte_free() is actually called, and check this flag instead. Bugzilla ID: 867 Fixes: 7b295dceea07 ("test/mbuf: add unit test cases") Reported-by: David Marchand Signed-off-by: Olivier Matz Reviewed-by: David Marchand --- app/test/test_mbuf.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/app/test/test_mbuf.c b/app/test/test_mbuf.c index da9d1d9323..3a7ff90290 100644 --- a/app/test/test_mbuf.c +++ b/app/test/test_mbuf.c @@ -4,6 +4,7 @@ #include #include +#include #include #include #include @@ -2286,16 +2287,16 @@ test_pktmbuf_read_from_chain(struct rte_mempool *pktmbuf_pool) /* Define a free call back function to be used for external buffer */ static void -ext_buf_free_callback_fn(void *addr __rte_unused, void *opaque) +ext_buf_free_callback_fn(void *addr, void *opaque) { - void *ext_buf_addr = opaque; + bool *freed = opaque; - if (ext_buf_addr == NULL) { + if (addr == NULL) { printf("External buffer address is invalid\n"); return; } - rte_free(ext_buf_addr); - ext_buf_addr = NULL; + rte_free(addr); + *freed = true; printf("External buffer freed via callback\n"); } @@ -2319,6 +2320,7 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool) void *ext_buf_addr = NULL; uint16_t buf_len = EXT_BUF_TEST_DATA_LEN + sizeof(struct rte_mbuf_ext_shared_info); + bool freed = false; /* alloc a mbuf */ m = rte_pktmbuf_alloc(pktmbuf_pool); @@ -2334,7 +2336,7 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool) GOTO_FAIL("%s: External buffer allocation failed\n", __func__); ret_shinfo = rte_pktmbuf_ext_shinfo_init_helper(ext_buf_addr, &buf_len, - ext_buf_free_callback_fn, ext_buf_addr); + ext_buf_free_callback_fn, &freed); if (ret_shinfo == NULL) GOTO_FAIL("%s: Shared info initialization failed!\n", __func__); @@ -2367,26 +2369,35 @@ test_pktmbuf_ext_shinfo_init_helper(struct rte_mempool *pktmbuf_pool) if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 2) GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__); + if (freed) + GOTO_FAIL("%s: extbuf should not be freed\n", __func__); /* test to manually update ext_buf_ref_cnt from 2 to 3*/ rte_mbuf_ext_refcnt_update(ret_shinfo, 1); if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 3) GOTO_FAIL("%s: Update ext_buf ref_cnt failed\n", __func__); + if (freed) + GOTO_FAIL("%s: extbuf should not be freed\n", __func__); /* reset the ext_refcnt before freeing the external buffer */ rte_mbuf_ext_refcnt_set(ret_shinfo, 2); if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 2) GOTO_FAIL("%s: set ext_buf ref_cnt failed\n", __func__); + if (freed) + GOTO_FAIL("%s: extbuf should not be freed\n", __func__); /* detach the external buffer from mbufs */ rte_pktmbuf_detach_extbuf(m); /* check if ref cnt is decremented */ if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 1) GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__); + if (freed) + GOTO_FAIL("%s: extbuf should not be freed\n", __func__); rte_pktmbuf_detach_extbuf(clone); - if (rte_mbuf_ext_refcnt_read(ret_shinfo) != 0) - GOTO_FAIL("%s: Invalid ext_buf ref_cnt\n", __func__); + if (!freed) + GOTO_FAIL("%s: extbuf should be freed\n", __func__); + freed = false; rte_pktmbuf_free(m); m = NULL; -- 2.30.2