From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BD71A455AD for ; Mon, 15 Jul 2024 17:31:18 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B8ED140E24; Mon, 15 Jul 2024 17:31:18 +0200 (CEST) Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) by mails.dpdk.org (Postfix) with ESMTP id 1D2F540DFB for ; Mon, 15 Jul 2024 17:31:17 +0200 (CEST) Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-3679df4cb4cso2831339f8f.0 for ; Mon, 15 Jul 2024 08:31:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721057477; x=1721662277; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PR7rMDW2xc4NyEk7+sHVqGM+HauQMXM0I29IwPnRxPc=; b=Vo7e8CbQVv3kwtQjDs+aPhtvOSwcn4d261tJnkcU0OX0RsEdXq/bKSl0txmdR8eiBv 4Yf/04bVTxA8apDFVss5bkSiiHC7HcJpkNrMgVTOMIujuShxrJqj8X7e4AhtUBhGbnva djMwhgkOu7KtSPDyF69oGzRRBV+OUQ/h4q0ic2F8C/dz2vAgEQ1IsFUMzFs5peKPqiVi CBu9bd3h4XRQL+FYvF9K0Q9ykdIz/Xm1nO9M5NNJJ1NgmHet0TFm8Y0b9J3qSk1KU5ny o5z9TSG/o78GVupn2Nqb+YmeNCjZiU+rRjUs2VyZrMZhTBxopvNf3DfOHLPcgbjhpV2C jZDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721057477; x=1721662277; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PR7rMDW2xc4NyEk7+sHVqGM+HauQMXM0I29IwPnRxPc=; b=OK1BSgiBKRrgaHk/mXymY2q0nLqjZ5CqU85qMhKkM1aMeMZhGHbIdm0Q88yY7pT6wx PgMYhmpwhsXYWHvtAMEoExWyxDvv73xOhrWsab8LRwddViB3bXwVAni4dlyqhJhdQ9eX fUnLVxKXt5hDoNQnFrA7SuEx4PO7TnZhvPeN2o67GaHdO3bNs8EtZN/mM4FuTnOQhwG7 x02ioBw/3ary7BrZZBhb6RyCGJ7uuqpmMrDldlTe69l0zeFdNXDe76xkAaVZaazCBLBK QrdEpd8cnCRD4n0yXaOuUD1AatawbeXbjnaATaSK6nQjufopIGbEPLpcRWw7vLxF5krt nG7A== X-Gm-Message-State: AOJu0YzMCT5laPcFX1UQi74Xrfc9vkA6CnA/i9RMsA4qP2qxdywMwGoY 5aJT6OdkgLz6CLNKi0vBppIv1EXtxRHvVrVSepeFCfXcqxZcC63r8YfweP9KOjY= X-Google-Smtp-Source: AGHT+IGJflE/rExab1gZ28Kl2izg6n1CM8+cOdlft2Wzk/54oA5kAo9U8Q/YlcA1MghEQCIdCJxGxw== X-Received: by 2002:a5d:47c4:0:b0:366:e9f7:4e73 with SMTP id ffacd0b85a97d-367ff6e758emr10328463f8f.5.1721057476678; Mon, 15 Jul 2024 08:31:16 -0700 (PDT) Received: from localhost ([137.220.120.171]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427a5e827efsm92617665e9.16.2024.07.15.08.31.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Jul 2024 08:31:15 -0700 (PDT) From: luca.boccassi@gmail.com To: Andrew Boyer Cc: dpdk stable Subject: patch 'net/ionic: fix mbuf double-free when emptying array' has been queued to stable release 22.11.6 Date: Mon, 15 Jul 2024 16:26:56 +0100 Message-Id: <20240715152704.2229503-78-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240715152704.2229503-1-luca.boccassi@gmail.com> References: <20240624235907.885628-81-luca.boccassi@gmail.com> <20240715152704.2229503-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 22.11.6 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 07/17/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/bluca/dpdk-stable This queued commit can be viewed at: https://github.com/bluca/dpdk-stable/commit/047aff2cf1715705748e3cc4b20b28e61340393a Thanks. Luca Boccassi --- >From 047aff2cf1715705748e3cc4b20b28e61340393a Mon Sep 17 00:00:00 2001 From: Andrew Boyer Date: Mon, 1 Jul 2024 08:19:43 -0700 Subject: [PATCH] net/ionic: fix mbuf double-free when emptying array [ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ] The bulk-allocation array is used back to front, so we need to free everything before the marker, not after it. Flip ionic_empty_array() so that it frees from 0 to the provided index. Adjust the callers as needed. Fixes: 218afd825bca ("net/ionic: do bulk allocations of Rx mbufs") Signed-off-by: Andrew Boyer --- drivers/net/ionic/ionic_rxtx.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/net/ionic/ionic_rxtx.c b/drivers/net/ionic/ionic_rxtx.c index 2f1ca986b3..170d3b0802 100644 --- a/drivers/net/ionic/ionic_rxtx.c +++ b/drivers/net/ionic/ionic_rxtx.c @@ -26,38 +26,40 @@ #include "ionic_logs.h" static void -ionic_empty_array(void **array, uint32_t cnt, uint16_t idx) +ionic_empty_array(void **array, uint32_t free_idx, uint32_t zero_idx) { uint32_t i; - for (i = idx; i < cnt; i++) + for (i = 0; i < free_idx; i++) if (array[i]) rte_pktmbuf_free_seg(array[i]); - memset(array, 0, sizeof(void *) * cnt); + memset(array, 0, sizeof(void *) * zero_idx); } static void __rte_cold ionic_tx_empty(struct ionic_tx_qcq *txq) { struct ionic_queue *q = &txq->qcq.q; + uint32_t info_len = q->num_descs * q->num_segs; - ionic_empty_array(q->info, q->num_descs * q->num_segs, 0); + ionic_empty_array(q->info, info_len, info_len); } static void __rte_cold ionic_rx_empty(struct ionic_rx_qcq *rxq) { struct ionic_queue *q = &rxq->qcq.q; + uint32_t info_len = q->num_descs * q->num_segs; /* * Walk the full info array so that the clean up includes any * fragments that were left dangling for later reuse */ - ionic_empty_array(q->info, q->num_descs * q->num_segs, 0); + ionic_empty_array(q->info, info_len, info_len); - ionic_empty_array((void **)rxq->mbs, - IONIC_MBUF_BULK_ALLOC, rxq->mb_idx); + ionic_empty_array((void **)rxq->mbs, rxq->mb_idx, + IONIC_MBUF_BULK_ALLOC); rxq->mb_idx = 0; } -- 2.39.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-07-15 16:19:38.482283536 +0100 +++ 0078-net-ionic-fix-mbuf-double-free-when-emptying-array.patch 2024-07-15 16:19:34.720209709 +0100 @@ -1 +1 @@ -From d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 Mon Sep 17 00:00:00 2001 +From 047aff2cf1715705748e3cc4b20b28e61340393a Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ] + @@ -12 +13,0 @@ -CC: stable@dpdk.org @@ -20 +21 @@ -index 923f517661..339b20f113 100644 +index 2f1ca986b3..170d3b0802 100644