patches for DPDK stable branches
* [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
	Raveendra Padasalagi, Akhil Goyal

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
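Review bot: at the cleanup: label, rte_free(fsdev) is only safe if every goto cleanup in fsdev_allocate_one_dev() is reached with fsdev either NULL or pointing at the rte_malloc() result. The hunk shows neither the declaration nor the allocation, so please confirm fsdev is initialised before the first jump: rte_free(NULL) is a no-op, an uninitialised pointer is not.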
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
  2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
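Review bot: the subject prefix "dma/ixd" does not match the driver changed at the err: label here, which is drivers/dma/idxd (and "dma/idxd" in the Fixes line). Suggest retitling to "dma/idxd: fix incorrect free function in cleanup" so that searches of the log by component find it.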
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 05/16] event/cnxk: fix pointer mismatch in cleanup
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
  2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
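Review bot: in the hws_fini loop, rte_free(ws) drops the cnxk_sso_hws_get_cookie() translation that the removed line applied before freeing. Saving ports[i] in ws before it is set to NULL already fixes the ordering bug; whether rte_free() should receive ws or cnxk_sso_hws_get_cookie(ws) depends on how ports[i] was derived from the rte_malloc() result, which this hunk does not show. If ports[i] is stored past a cookie header, freeing ws hands an interior pointer to rte_free(), so please say in the commit message which pointer the allocation path stores, and keep the translation if it is the offset one.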
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 06/16] examples/vhost: fix free function mismatch
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (2 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free(), which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
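Review bot: in the context line just above the fix, blk_cnt * blk_size is passed to rte_zmalloc() without an overflow check, and the hunk does not show the operand types. If either value can come from user input, a wrapped product would give a bdev->data buffer smaller than blk_cnt blocks of blk_size bytes; worth a follow-up check before the allocation.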
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 07/16] net/cnxk: fix use-after-free
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (3 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
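Review bot: with the new order, plt_free(hp->pool_config) leaves hp->pool_config dangling while rte_mempool_free(hp) runs. If nothing in the mempool free path reads pool_config this is fine, but copying the pointer to a local, calling rte_mempool_free(hp), and then calling plt_free() on the local avoids both the original use-after-free and that question.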
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 08/16] bpf: fix free mismatch if convert fails
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (4 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 09/16] net/e1000: fix use-after-free
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (5 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
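Review bot: in igb_delete_2tuple_filter() the three E1000_WRITE_REG() calls still dereference filter->index, so the fix depends on rte_free(filter) staying the last statement before the return. Reading filter->index into a local before TAILQ_REMOVE() and using that local in the mask update and the register writes would make the function insensitive to where the free sits.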
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 11/16] net/cpfl: fix free of nonheap object
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (6 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
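Review bot: after this removal the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL. Consider replacing the goto err sites with a direct return -EINVAL and dropping the label, so the function no longer suggests there is cleanup to run. A sentence in the commit message on who owns js_mod->layout would also help, since the GCC output shows it as part of *parser.modifications.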
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 12/16] raw/ifpga/base: fix use after free
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (7 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
  2024-09-27 20:45 ` [PATCH 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
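Review bot: the fallback TAILQ_FOREACH_SAFE is defined locally in opae_intel_max10.c, and its last line, (var) = (tvar)), is indented one level less than the other two for-clauses. Since opae_osdep.h is included just above, defining the fallback there would let other base files use it, and aligning the third clause keeps the macro readable.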
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
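Review bot: the loop in max10_sensor_uinit() removes every element it visits, so it is a list drain rather than a traversal. A while loop on TAILQ_FIRST(&dev->opae_sensor_list) that removes and frees the head until the list is empty does the same job without the next variable or the fallback macro.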
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH 14/16] drivers/ifpga: fix free function mismatch
       [not found] <20240927204742.546164-1-stephen@networkplumber.org>
                   ` (8 preceding siblings ...)
  2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
	David Marchand

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
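Review bot: rte_calloc("ifpga_efds", ...) moves a short-lived scratch array into the DPDK heap only because free() is redefined in this driver; the later hunks show intr_efds is released on every exit of ifpga_register_msix_irq(), including success. The commit message already calls the redefinition a bad idea, so please note whether a follow-up removes it, since any other calloc()/free() pair in files that see the redefinition has the same mismatch.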
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
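Review bot: the rte_free(intr_efds) calls in this hunk sit at function level, while the rte_calloc() in the first hunk is indented inside a conditional block. If that block can be skipped, intr_efds must be initialised to NULL at its declaration for these calls to be safe; the declaration is not in the diff, so please confirm.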
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (8 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
	Raveendra Padasalagi, Akhil Goyal

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
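Review bot: this v2 hunk at the cleanup: label is identical to v1 (same index line, ada7ba342c..46522970d5), and there is no changelog under the --- marker. Please add a short "v2:" note there saying what changed in the series, so reviewers of v1 know whether this patch needs another look.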
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
  2024-09-28 16:47   ` [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (7 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 05/16] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
  2024-09-28 16:47   ` [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (6 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 06/16] examples/vhost: fix free function mismatch
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 07/16] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (5 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free(), which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 07/16] net/cnxk: fix use-after-free
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (4 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 08/16] bpf: fix free mismatch if convert fails
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 07/16] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 09/16] net/e1000: fix use-after-free Stephen Hemminger
                     ` (3 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 09/16] net/e1000: fix use-after-free
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (2 subsequent siblings)
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 11/16] net/cpfl: fix free of nonheap object
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 09/16] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 13/16] raw/ifpga/base: fix use after free Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 15/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
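Review bot: with rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() does nothing except return -EINVAL, so the goto err sites could return -EINVAL directly and the label could be dropped. If the label is kept for future cleanup, a short comment that layout is embedded in the parent object and must not be freed here would record what the GCC warning found.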
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 13/16] raw/ifpga/base: fix use after free
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  2024-09-28 16:47   ` [PATCH v2 15/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
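Review bot: max10_sensor_uinit() removes every node, so the loop does not need a safe iterator at all. Draining with while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by TAILQ_REMOVE() and opae_free() avoids the stale TAILQ_NEXT() read, drops the extra next variable, and would make the locally defined TAILQ_FOREACH_SAFE fallback in the first hunk unnecessary.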
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v2 15/16] drivers/ifpga: fix free function mismatch
       [not found] ` <20240928164814.861933-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-09-28 16:47   ` [PATCH v2 13/16] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-28 16:47   ` Stephen Hemminger
  9 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
	David Marchand

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
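Review bot: rte_calloc() returns NULL for a zero-sized request, so if nb_intr can be 0 here the if (!intr_efds) check now fails with -ENOMEM where calloc() may have returned a usable pointer. Either reject nb_intr == 0 explicitly before the allocation or state in the commit message that it cannot happen.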
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (9 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
	Raveendra Padasalagi, Akhil Goyal

The device structure is allocated with rte_malloc() and then
incorrectly freed with free(). This will lead to a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
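Review bot: the cleanup: label in fsdev_allocate_one_dev() frees fsdev without a TAILQ_REMOVE(), while fsdev_release() in the next hunk unlinks from fsdev_list before freeing. If any goto cleanup can be reached after the device was inserted into fsdev_list, the list keeps a dangling pointer, so it is worth confirming that insertion happens only after the last failure point.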
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
  2024-09-29 15:34   ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (8 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
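Review bot: the subject prefix is dma/ixd, but this hunk touches drivers/dma/idxd/idxd_pci.c and the Fixes: line uses dma/idxd; the prefix should read dma/idxd so that log searches and stable backport tooling match the component.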
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 04/18] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
  2024-09-29 15:34   ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (7 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
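Review bot: the removed line passed the port pointer through cnxk_sso_hws_get_cookie() before rte_free(), while the new code frees ports[i] directly. If ports[i] points past a cookie header inside the allocation, as the helper name suggests, rte_free(ws) receives an interior pointer; please confirm which address rte_malloc returned, and if it is the cookie, keep the helper and only fix the ordering: rte_free(cnxk_sso_hws_get_cookie(ws)).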
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 05/18] examples/vhost: fix free function mismatch
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-30  9:16     ` fengchengwen
  2024-09-29 15:34   ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (6 subsequent siblings)
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free(), which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
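Review bot: the context line rte_zmalloc(NULL, blk_cnt * blk_size, 0) multiplies two values with no visible overflow check, and this is the allocation whose failure path the fix touches. Depending on the types of blk_cnt and blk_size, a wrapped product would allocate a smaller buffer than the disk geometry claims; an explicit bound check before the call would close that while the function is being edited.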
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 06/18] net/cnxk: fix use-after-free
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (5 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
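Review bot: plt_free(hp->pool_config) now sits directly before rte_mempool_free(hp) with nothing saying the order matters; a one-line comment that pool_config must be released while hp is still valid would protect the ordering from a later reshuffle. Since the rest of this series is about allocator mismatches, the commit message could also state that pool_config comes from the plt_ allocator.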
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 07/18] bpf: fix free mismatch if convert fails
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger
                     ` (4 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
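Review bot: in the ret < 0 branch rte_errno is assigned after rte_free(prm); setting rte_errno = -ret before the free keeps the reported error independent of anything the release path does. The trailer block also lacks the blank line between Cc: and Signed-off-by: that the other patches in this series use.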
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 08/18] net/e1000: fix use-after-free
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (3 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
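Review bot: the context line filter_info->twotuple_mask &= ~(1 << filter->index) shifts a signed int, which is undefined if index can reach 31. While this function is being touched, 1u << filter->index (or the project's bit macro) would remove the doubt; the fivetuple_mask update in the next hunk has the same form.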
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 10/18] net/cpfl: fix free of nonheap object
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger
                     ` (2 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 12/18] raw/ifpga/base: fix use after free
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
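Review bot: the fallback TAILQ_FOREACH_SAFE definition is private to opae_intel_max10.c, so any other file in this base directory that frees inside TAILQ_FOREACH() cannot reuse it; it would sit better in opae_osdep.h, which this file already includes. The last continuation line, (var) = (tvar)), is also indented one level less than the condition clause above it.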
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 14/18] drivers/ifpga: fix free function mismatch
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-29 15:34   ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand,
	Hyong Youb Kim

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
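Review bot: this is the first of three paths in ifpga_register_msix_irq() that release intr_efds with rte_free(); a single exit label that frees it once would leave one call to keep in step with the allocator. The two frees in the next hunk also sit outside the indented block that performs the rte_calloc(), so intr_efds needs to be initialised to NULL at its declaration for the case where that block is skipped.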
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v3 15/18] baseband/la12xx: prevent use after free
       [not found] ` <20240929154107.62539-1-stephen@networkplumber.org>
                     ` (9 preceding siblings ...)
  2024-09-29 15:34   ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-09-29 15:34   ` Stephen Hemminger
  2024-09-30  8:25     ` Hemant Agrawal
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hemant.agrawal, stable, Gagandeep Singh,
	Nipun Gupta, Nicolas Chautru, Akhil Goyal

It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.

In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 |         rte_free(hp);
|         ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 |                 rte_free(hp);
|                 ^~~~~~~~~~~~

Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: hemant.agrawal@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
 		ipc_priv->hugepg_start.size = hp->len;
 
 		rte_free(hp);
+		hp = NULL;
 	}
 
 	dev_ipc = open_ipc_dev(priv->modem_id);
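Review bot: hp = NULL only protects the later rte_free(hp) at line 901 that the GCC output points to, and the compiler names the pointer 'hp_info' there, so it is worth checking that both frees operate on the same variable and that nothing between the two sites dereferences hp (the context line above reads hp->len just before the free). A short comment on the assignment saying it guards the shared error path would stop it being removed later as dead code.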
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* Re: [PATCH v3 15/18] baseband/la12xx: prevent use after free
  2024-09-29 15:34   ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-09-30  8:25     ` Hemant Agrawal
  0 siblings, 0 replies; 81+ messages in thread
From: Hemant Agrawal @ 2024-09-30  8:25 UTC (permalink / raw)
  To: Stephen Hemminger, dev
  Cc: hemant.agrawal, stable, Gagandeep Singh, Nipun Gupta,
	Nicolas Chautru, Akhil Goyal


On 29-09-2024 21:04, Stephen Hemminger wrote:
> It is possible that the info pointer (hp) could get freed twice.
> Fix by nulling after free.
>
> In function 'setup_la12xx_dev',
> inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
> inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
> ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
> 901 |         rte_free(hp);
> |         ^~~~~~~~~~~~
> ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
> 791 |                 rte_free(hp);
> |                 ^~~~~~~~~~~~
>
> Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
> Cc: hemant.agrawal@nxp.com
> Cc: stable@dpdk.org
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
>   drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
> index 1a56e73abd..cad6f9490e 100644
> --- a/drivers/baseband/la12xx/bbdev_la12xx.c
> +++ b/drivers/baseband/la12xx/bbdev_la12xx.c
> @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
>   		ipc_priv->hugepg_start.size = hp->len;
>   
>   		rte_free(hp);
> +		hp = NULL;
>   	}
>   
>   	dev_ipc = open_ipc_dev(priv->modem_id);
Reviewed-by:  Hemant Agrawal <hemant.agrawal@nxp.com>

^ permalink raw reply	[flat|nested] 81+ messages in thread

* Re: [PATCH v3 05/18] examples/vhost: fix free function mismatch
  2024-09-29 15:34   ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-30  9:16     ` fengchengwen
  0 siblings, 0 replies; 81+ messages in thread
From: fengchengwen @ 2024-09-30  9:16 UTC (permalink / raw)
  To: Stephen Hemminger, dev; +Cc: jin.yu, stable, Maxime Coquelin, Chenbo Xia

Acked-by: Chengwen Feng <fengchengwen@huawei.com>

On 2024/9/29 23:34, Stephen Hemminger wrote:
> The pointer bdev is allocated with rte_zmalloc() and then
> incorrectly freed with free(), which will lead to pool corruption.
> 
> Bugzilla ID: 1553
> Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
> Cc: jin.yu@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
@ 2024-09-30 18:43   ` Stephen Hemminger
  2024-09-30 20:06     ` Ajit Khaparde
  2024-09-30 18:43   ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (9 subsequent siblings)
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
	Vikas Gupta, Akhil Goyal

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
  2024-09-30 18:43   ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-30 18:43   ` Stephen Hemminger
  2024-10-01 12:41     ` Bruce Richardson
  2024-09-30 18:43   ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (8 subsequent siblings)
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 04/17] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
  2024-09-30 18:43   ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-09-30 18:43   ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-30 18:43   ` Stephen Hemminger
  2024-09-30 18:43   ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (7 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
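Review bot: The new rte_free(ws) in the hws_fini loop no longer goes through cnxk_sso_hws_get_cookie(), which the removed line applied to the pointer before freeing it. The removed line was wrong in any case, since it read event_dev->data->ports[i] after that slot had just been set to NULL, but if the helper exists to step back from the stored port pointer to the start of the allocation, then ws is an interior pointer and the call should be rte_free(cnxk_sso_hws_get_cookie(ws)). Please confirm which pointer ports[i] holds, and point at the line where the allocation is stored so the claim in the commit message can be checked.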
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 05/17] examples/vhost: fix free function mismatch
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-09-30 18:43   ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-30 18:43   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (6 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
	Chenbo Xia, Jin Yu

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 06/17] net/cnxk: fix use-after-free
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-09-30 18:43   ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (5 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 07/17] bpf: fix free mismatch if convert fails
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger
                     ` (4 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 08/17] net/e1000: fix use-after-free
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (3 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
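Review bot: In igb_delete_2tuple_filter() the three E1000_WRITE_REG() calls still read filter->index after the entry has been unlinked, so the fix depends on rte_free(filter) staying last. Copying filter->index into a local before TAILQ_REMOVE() would let the free sit next to the unlink and make the ordering hard to break again; the same applies to igb_delete_5tuple_filter_82576().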
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 10/17] net/cpfl: fix free of nonheap object
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
                     ` (2 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
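Review bot: With rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL, so the goto err sites could return directly and the label could be dropped. The commit message says layout is part of an array in another object; it would help to also state that nothing allocated in this function is left to release on the error path.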
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 12/17] raw/ifpga/base: fix use after free
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
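Review bot: The fallback TAILQ_FOREACH_SAFE definition is added to this one .c file, and its last line, (var) = (tvar)), is indented less than the loop condition above it. Since the file already includes opae_osdep.h, placing the #ifndef block there would keep compatibility shims in one place and make the macro available to the rest of the base code; please also align the continuation lines.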
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
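Review bot: max10_sensor_uinit() removes and frees every entry, so the loop does not need a safe iterator at all: while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by the existing TAILQ_REMOVE() and opae_free() drains the list without the extra next variable or the new macro. If TAILQ_FOREACH_SAFE is kept, the loop is correct as written, because next is captured before info is freed.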
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 14/17] drivers/ifpga: fix free function mismatch
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  2024-09-30 18:44   ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
	David Marchand

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
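Review bot: The rte_free(intr_efds) calls in this hunk sit one indentation level outside the block where the first hunk allocates the array with rte_calloc(), so they can run on a path where no allocation happened. That is safe only if intr_efds is initialised to NULL at its declaration, which is not visible here; please confirm it. The buffer is also freed on every exit including success, so a single exit label with one rte_free() would avoid three copies of the call.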
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v4 15/17] baseband/la12xx: prevent use after free
       [not found] ` <20240930184600.7092-1-stephen@networkplumber.org>
                     ` (9 preceding siblings ...)
  2024-09-30 18:44   ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-09-30 18:44   ` Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
	Nicolas Chautru, Nipun Gupta, Akhil Goyal

It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.

In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 |         rte_free(hp);
|         ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 |                 rte_free(hp);
|                 ^~~~~~~~~~~~

Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by:  Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
 		ipc_priv->hugepg_start.size = hp->len;
 
 		rte_free(hp);
+		hp = NULL;
 	}
 
 	dev_ipc = open_ipc_dev(priv->modem_id);
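Review bot: Setting hp = NULL after rte_free(hp) addresses the second free that the quoted GCC diagnostic reports at line 901, but that later call is outside this hunk, so the patch relies on rte_free(NULL) being a no-op there. The subject says use after free while the message describes a double free; please make the two agree, and consider whether the later rte_free(hp) is still needed once the pointer is released here.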
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* Re: [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free
  2024-09-30 18:43   ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-30 20:06     ` Ajit Khaparde
  0 siblings, 0 replies; 81+ messages in thread
From: Ajit Khaparde @ 2024-09-30 20:06 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: dev, stable, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal

On Mon, Sep 30, 2024 at 11:46 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The device structure is allocated with rte_malloc() and
> then incorrectly freed with free(). This will lead to
> corrupt malloc pool.
>
> Bugzilla ID: 1552
> Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>

> ---
>  drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
> index ada7ba342c..46522970d5 100644
> --- a/drivers/crypto/bcmfs/bcmfs_device.c
> +++ b/drivers/crypto/bcmfs/bcmfs_device.c
> @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
>         return fsdev;
>
>  cleanup:
> -       free(fsdev);
> +       rte_free(fsdev);
>
>         return NULL;
>  }
> @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
>                 return;
>
>         TAILQ_REMOVE(&fsdev_list, fsdev, next);
> -       free(fsdev);
> +       rte_free(fsdev);
>  }
>
>  static int
> --
> 2.45.2
>

^ permalink raw reply	[flat|nested] 81+ messages in thread

* Re: [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup
  2024-09-30 18:43   ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 12:41     ` Bruce Richardson
  0 siblings, 0 replies; 81+ messages in thread
From: Bruce Richardson @ 2024-10-01 12:41 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh

On Mon, Sep 30, 2024 at 11:43:57AM -0700, Stephen Hemminger wrote:
> The data structure is allocated with rte_malloc and incorrectly
> freed in cleanup logic using free.
> 
> Bugzilla ID: 1549
> Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
> Cc: kevin.laatz@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>

> ---
>  drivers/dma/idxd/idxd_pci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
> index 81637d9420..f89e2b41ff 100644
> --- a/drivers/dma/idxd/idxd_pci.c
> +++ b/drivers/dma/idxd/idxd_pci.c
> @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
>  	return nb_wqs;
>  
>  err:
> -	free(pci);
> +	rte_free(pci);
>  	return err_code;
>  }
>  
> -- 
> 2.45.2
> 

^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (9 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
	Vikas Gupta, Akhil Goyal

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
  2024-10-01 16:35   ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 17:04     ` Bruce Richardson
  2024-10-01 16:35   ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (8 subsequent siblings)
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 04/17] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
  2024-10-01 16:35   ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (7 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 05/17] examples/vhost: fix free function mismatch
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (6 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
	Chenbo Xia, Jin Yu

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 06/17] net/cnxk: fix use-after-free
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (5 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 07/17] bpf: fix free mismatch if convert fails
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger
                     ` (4 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 08/17] net/e1000: fix use-after-free
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (3 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
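Review bot: igb_delete_2tuple_filter() still reads filter->index three times after TAILQ_REMOVE(), so the fix depends on rte_free(filter) staying the last statement before the return. Copying filter->index into a local right after the mask update would let the free sit next to TAILQ_REMOVE() and make the ordering harder to break again. The same applies to igb_delete_5tuple_filter_82576() in the next two hunks.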
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 10/17] net/cpfl: fix free of nonheap object
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
                     ` (2 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
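Review bot: with rte_free(js_mod->layout) gone, the err: label in cpfl_flow_js_mr_layout() only does return -EINVAL, so the gotos that target it could return directly and the label could be dropped. The commit message should also say where the containing object is released (the GCC output places the pointer at a nonzero offset inside *parser.modifications), so a reader can confirm nothing is leaked on this error path.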
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 12/17] raw/ifpga/base: fix use after free
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
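Review bot: the TAILQ_FOREACH_SAFE fallback is defined privately in opae_intel_max10.c, so the next base file that frees list entries inside a loop will need its own copy. Since opae_osdep.h is already included here, defining the macro there (still under #ifndef) would make it available across the base code. The last line of the macro, (var) = (tvar)), should also be indented to match the two lines above it.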
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
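Review bot: max10_sensor_uinit() removes and frees every entry, so the loop could be written as while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by the same TAILQ_REMOVE() and opae_free(). That drains the list without the extra next variable or the locally defined macro.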
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 14/17] drivers/ifpga: fix free function mismatch
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  2024-10-01 16:35   ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
	David Marchand

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
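Review bot: the commit message calls this a workaround, and the redefinition of malloc and free to opae_malloc and opae_free that caused the mismatch is left in place, so any other calloc() result freed in this driver would hit the same mismatch. Either remove the redefinition in a follow-up or note in the commit message that the other call sites were checked.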
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
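Review bot: the final rte_free(intr_efds) runs on every path, but the rte_calloc() in the first hunk sits inside a nested block, so this relies on intr_efds being initialised to NULL when that block is skipped. The declaration is not visible in the diff and should be checked. The three identical rte_free(intr_efds) calls could also be folded into a single exit label.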
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v5 15/17] baseband/la12xx: prevent use after free
       [not found] ` <20241001163708.355128-1-stephen@networkplumber.org>
                     ` (9 preceding siblings ...)
  2024-10-01 16:35   ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-01 16:35   ` Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
	Nipun Gupta, Akhil Goyal, Nicolas Chautru

It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.

In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 |         rte_free(hp);
|         ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 |                 rte_free(hp);
|                 ^~~~~~~~~~~~

Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
 		ipc_priv->hugepg_start.size = hp->len;
 
 		rte_free(hp);
+		hp = NULL;
 	}
 
 	dev_ipc = open_ipc_dev(priv->modem_id);
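Review bot: hp = NULL removes the warning only because the later rte_free(hp) at line 901 in the compiler output is a no-op on NULL, and nothing in setup_la12xx_dev() says so. A one-line comment above the assignment naming that cleanup path would keep it from being removed as dead code. The subject says use after free while the message describes a double free; one of them should be adjusted.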
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* Re: [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup
  2024-10-01 16:35   ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 17:04     ` Bruce Richardson
  0 siblings, 0 replies; 81+ messages in thread
From: Bruce Richardson @ 2024-10-01 17:04 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh

On Tue, Oct 01, 2024 at 09:35:26AM -0700, Stephen Hemminger wrote:
> The data structure is allocated with rte_malloc and incorrectly
> freed in cleanup logic using free.
> 
> Bugzilla ID: 1549
> Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
> Cc: kevin.laatz@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
From previous revision:

Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>

^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (9 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
	Vikas Gupta, Akhil Goyal

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
  2024-10-02 15:42   ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (8 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
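Review bot: the subject prefix reads dma/ixd, but the file is drivers/dma/idxd/idxd_pci.c and the Fixes: line uses dma/idxd, so the prefix should be dma/idxd. The change at the err: label itself matches the commit message, which says pci comes from rte_malloc.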
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 04/17] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
  2024-10-02 15:42   ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (7 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
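Review bot: in the hws_fini loop the removed line passed the port pointer through cnxk_sso_hws_get_cookie() before rte_free(), and the new rte_free(ws) drops that call. If ports[i] is stored at an offset past a cookie header, rte_free(ws) frees an interior pointer; keeping the saved ws but calling rte_free(cnxk_sso_hws_get_cookie(ws)) would preserve the original intent. Please confirm against the allocation site which pointer rte_malloc returned.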
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 05/17] examples/vhost: fix free function mismatch
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (6 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
	Chenbo Xia, Jin Yu

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
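Review bot: the size passed to rte_zmalloc() in the context line above the change, blk_cnt * blk_size, is multiplied with no visible overflow check, so a large pair of values could yield a bdev->data buffer smaller than intended. This is not introduced by the patch, but it is worth a follow-up while the function is being touched. The message "No enough reserved huge memory" could be corrected to "Not enough" at the same time.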
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 06/17] net/cnxk: fix use-after-free
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (5 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 07/17] bpf: fix free mismatch if convert fails
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger
                     ` (4 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 08/17] net/e1000: fix use-after-free
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (3 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 10/17] net/cpfl: fix free of nonheap object
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
                     ` (2 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 12/17] raw/ifpga/base: fix use after free
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 14/17] drivers/ifpga: fix free function mismatch
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  2024-10-02 15:42   ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand,
	Hyong Youb Kim

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v6 15/17] baseband/la12xx: prevent use after free
       [not found] ` <20241002154429.64357-1-stephen@networkplumber.org>
                     ` (9 preceding siblings ...)
  2024-10-02 15:42   ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-02 15:42   ` Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
	Nicolas Chautru, Nipun Gupta, Akhil Goyal

It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.

In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 |         rte_free(hp);
|         ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 |                 rte_free(hp);
|                 ^~~~~~~~~~~~

Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
 		ipc_priv->hugepg_start.size = hp->len;
 
 		rte_free(hp);
+		hp = NULL;
 	}
 
 	dev_ipc = open_ipc_dev(priv->modem_id);
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
                     ` (9 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta,
	Akhil Goyal, Raveendra Padasalagi

The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.

Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
 drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
 	return fsdev;
 
 cleanup:
-	free(fsdev);
+	rte_free(fsdev);
 
 	return NULL;
 }
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
 		return;
 
 	TAILQ_REMOVE(&fsdev_list, fsdev, next);
-	free(fsdev);
+	rte_free(fsdev);
 }
 
 static int
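Review bot: neither hunk shows where fsdev is allocated, so the claim that it comes from rte_malloc() cannot be checked from the diff for either the cleanup label in fsdev_allocate_one_dev() or fsdev_release(). Quoting the allocating call or the compiler diagnostic in the commit message, as the bpf and cpfl patches in this series do, would make both rte_free() changes verifiable at a glance.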
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
  2024-10-02 18:37   ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
                     ` (8 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh

The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.

Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
 drivers/dma/idxd/idxd_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
 	return nb_wqs;
 
 err:
-	free(pci);
+	rte_free(pci);
 	return err_code;
 }
 
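Review bot: the subject prefix reads dma/ixd, but the file changed at the err: label is drivers/dma/idxd/idxd_pci.c and the Fixes line uses dma/idxd. The prefix should be dma/idxd so the fix turns up when the log is searched by driver name.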
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
  2024-10-02 18:37   ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-03  5:52     ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula
  2024-10-02 18:37   ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger
                     ` (7 subsequent siblings)
  10 siblings, 1 reply; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh

The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.

Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
 	return 0;
 hws_fini:
 	for (i = i - 1; i >= 0; i--) {
+		void *ws = event_dev->data->ports[i];
+
 		event_dev->data->ports[i] = NULL;
-		rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+		rte_free(ws);
 	}
 	return -ENOMEM;
 }
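Review bot: rte_free(ws) in the hws_fini loop drops the cnxk_sso_hws_get_cookie() translation that the removed line applied, so it frees ports[i] itself rather than the address the helper derives from it. The removed line's defect is the ordering: ports[i] is set to NULL before it is passed to the helper. If the helper returns the allocation base, as Pavan's reply in this thread states, the fix should keep it and either free before the NULL assignment or call rte_free(cnxk_sso_hws_get_cookie(ws)) on the saved pointer.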
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 05/16] examples/vhost: fix free function mismatch
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (2 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger
                     ` (6 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
	Chenbo Xia, Jin Yu

The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.

Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
 examples/vhost_blk/vhost_blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
 	bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
 	if (!bdev->data) {
 		fprintf(stderr, "No enough reserved huge memory for disk\n");
-		free(bdev);
+		rte_free(bdev);
 		return NULL;
 	}
 
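Review bot: in the context line just above the change, rte_zmalloc(NULL, blk_cnt * blk_size, 0) multiplies two values with no overflow check visible in this hunk. It is not part of this fix, but if either value comes from configuration a wrapped product would give a backing buffer smaller than the disk the sample advertises; an explicit check before the allocation would be a sensible follow-up.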
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 06/16] net/cnxk: fix use-after-free
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (3 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger
                     ` (5 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
	Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra

The driver would refer to the mempool object after it was freed.

Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
 			return -EINVAL;
 		}
 
-		rte_mempool_free(hp);
 		plt_free(hp->pool_config);
+		rte_mempool_free(hp);
 
 		*aura_handle = 0;
 		*mpool = 0;
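Review bot: the commit message only says the mempool object was referred to after it was freed, while the hunk shows the specific access is plt_free(hp->pool_config) running after rte_mempool_free(hp). Naming hp->pool_config in the message would help anyone matching this change against Bugzilla 1554 or backporting it to a tree where the surrounding code differs.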
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 07/16] bpf: fix free mismatch if convert fails
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (4 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger
                     ` (4 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella

If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().

[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
  559 |                 free(prm);
      |                 ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
  545 |         prm = rte_zmalloc("bpf_filter",
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~
  546 |                           sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
      |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_convert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
 	ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
 	if (ret < 0) {
 		RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
-		free(prm);
+		rte_free(prm);
 		rte_errno = -ret;
 		return NULL;
 	}
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 08/16] net/e1000: fix use-after-free
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (5 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger
                     ` (3 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao

The driver cleanup code was freeing the filter object
then dereferencing it.

Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/e1000/igb_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
 
 	filter_info->twotuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
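Review bot: igb_delete_2tuple_filter() reads filter->index in the mask update and in the three register writes, so moving rte_free(filter) to the end is correct but leaves the position of the free load-bearing. Copying filter->index into a local before TAILQ_REMOVE() would let the free stay next to the list removal and make a later reorder harmless; the same applies to igb_delete_5tuple_filter_82576() in the following hunks.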
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 
 	filter_info->fivetuple_mask &= ~(1 << filter->index);
 	TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
-	rte_free(filter);
 
 	E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
 			E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
 	E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
 	E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+	rte_free(filter);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 10/16] net/cpfl: fix free of nonheap object
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (6 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
                     ` (2 subsequent siblings)
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang

With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).

In function ‘cpfl_flow_js_mr_layout’,
    inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
    inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
    inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
    inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
  740 |         rte_free(js_mod->layout);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/net/cpfl/cpfl_flow_parser.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
 	return 0;
 
 err:
-	rte_free(js_mod->layout);
 	return -EINVAL;
 }
 
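Review bot: with the rte_free() removed, the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL. The label and the gotos that target it could be replaced by direct returns, which also removes the temptation to add cleanup back at that label later.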
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 12/16] raw/ifpga/base: fix use after free
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (7 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 15/16] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Andy Pei, Tianfei Zhang

The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.

Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
 #include <libfdt.h>
 #include "opae_osdep.h"
 
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+	for ((var) = TAILQ_FIRST((head)); \
+		(var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+	(var) = (tvar))
+#endif
+
 int max10_sys_read(struct intel_max10_device *dev,
 	unsigned int offset, unsigned int *val)
 {
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
 
 static void max10_sensor_uinit(struct intel_max10_device *dev)
 {
-	struct opae_sensor_info *info;
+	struct opae_sensor_info *info, *next;
 
-	TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+	TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
 		TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
 		opae_free(info);
 	}
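Review bot: max10_sensor_uinit() removes and frees every element, so the loop does not need a safe iterator or the local TAILQ_FOREACH_SAFE fallback added in the first hunk. A drain loop of the form while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by the existing TAILQ_REMOVE() and opae_free() does the same job without the extra macro or the next variable. If the macro is kept, it belongs in opae_osdep.h rather than in this .c file, and its last line should be indented like the two above it.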
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 14/16] drivers/ifpga: fix free function mismatch
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (8 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  2024-10-02 18:37   ` [PATCH v7 15/16] baseband/la12xx: prevent use after free Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
	David Marchand

The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.

This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.

Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		nb_intr = rte_intr_nb_intr_get(*intr_handle);
 
-		intr_efds = calloc(nb_intr, sizeof(int));
+		intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
 		if (!intr_efds)
 			return -ENOMEM;
 
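Review bot: switching this one allocation to rte_calloc() fixes the pairing inside ifpga_register_msix_irq(), but the commit message itself calls it a workaround: the redefinition of malloc and free to opae_malloc and opae_free stays in place, so any other calloc() paired with a redefined free() can mismatch in the same way. A short comment at this call saying why rte_calloc() is required here, or a follow-up that removes the redefinition, would keep the next contributor from reverting to calloc().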
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 
 		ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
 		if (ret) {
-			free(intr_efds);
+			rte_free(intr_efds);
 			return -EINVAL;
 		}
 	}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
 	ret = rte_intr_callback_register(*intr_handle,
 			handler, (void *)arg);
 	if (ret) {
-		free(intr_efds);
+		rte_free(intr_efds);
 		return -EINVAL;
 	}
 
 	IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
 
-	free(intr_efds);
+	rte_free(intr_efds);
 	return 0;
 }
 
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* [PATCH v7 15/16] baseband/la12xx: prevent use after free
       [not found] ` <20241002183918.161656-1-stephen@networkplumber.org>
                     ` (9 preceding siblings ...)
  2024-10-02 18:37   ` [PATCH v7 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-02 18:37   ` Stephen Hemminger
  10 siblings, 0 replies; 81+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
  To: dev
  Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
	Akhil Goyal, Nipun Gupta, Nicolas Chautru

It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.

In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 |         rte_free(hp);
|         ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 |                 rte_free(hp);
|                 ^~~~~~~~~~~~

Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
 		ipc_priv->hugepg_start.size = hp->len;
 
 		rte_free(hp);
+		hp = NULL;
 	}
 
 	dev_ipc = open_ipc_dev(priv->modem_id);
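Review bot: hp = NULL after rte_free(hp) at line 791 only helps because the later rte_free(hp) at line 901, shown in the quoted compiler output, then receives NULL; nothing in the hunk says so, and the assignment looks like dead code that a cleanup pass could remove. A one-line comment naming the later free would protect it. The commit message also describes a double free while the subject and the diagnostic say use-after-free; using one term would help stable backporters.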
-- 
2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread

* RE: [EXTERNAL] [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup
  2024-10-02 18:37   ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-03  5:52     ` Pavan Nikhilesh Bhagavatula
  0 siblings, 0 replies; 81+ messages in thread
From: Pavan Nikhilesh Bhagavatula @ 2024-10-03  5:52 UTC (permalink / raw)
  To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable, Jerin Jacob

> The code to clean up in case of error was passing an incorrect
> value to rte_free. The ports[] entry was allocated with
> rte_malloc and that should be used instead of the offset
> in that object.
> 
> Fixes: 97a05c1fe634 ("event/cnxk: add port config")
> Cc: sthotton@marvell.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
>  drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/event/cnxk/cnxk_eventdev.c
> b/drivers/event/cnxk/cnxk_eventdev.c
> index 4b2d6bffa6..08c6ce0c07 100644
> --- a/drivers/event/cnxk/cnxk_eventdev.c
> +++ b/drivers/event/cnxk/cnxk_eventdev.c
> @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev
> *event_dev,
>  	return 0;
>  hws_fini:
>  	for (i = i - 1; i >= 0; i--) {
> +		void *ws = event_dev->data->ports[i];
> +
>  		event_dev->data->ports[i] = NULL;
> -		rte_free(cnxk_sso_hws_get_cookie(event_dev->data-
> >ports[i]));
> +		rte_free(ws);

Hi Stephen, 

The rte_zmalloc memory is pointing to the cookie[1], the memory assigned to 
event_dev->data->ports[i] is rte_zmalloc + RTE_CACHE_LINE_SIZE.

There is still a bug in the code where we are assigning NULL before freeing memory.
The fix should be 

	rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
	event_dev->data->ports[i] = NULL;



[1]
	/* Allocate event port memory */
	ws = rte_zmalloc("cn10k_ws",
			 sizeof(struct cn10k_sso_hws) + RTE_CACHE_LINE_SIZE,
			 RTE_CACHE_LINE_SIZE);

	/* First cache line is reserved for cookie */
	ws = (struct cn10k_sso_hws *)((uint8_t *)ws + RTE_CACHE_LINE_SIZE);


Thanks,
Pavan.

>  	}
>  	return -ENOMEM;
>  }
> --
> 2.45.2


^ permalink raw reply	[flat|nested] 81+ messages in thread
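
The three cleanup orderings discussed in the reply above (the original code, the v7 patch, and the ordering the reply proposes), modelled against a small tracking allocator. This is an added example, not code from the thread or from DPDK: `tracked_zalloc`, `tracked_free`, `port_alloc`, `get_cookie`, `CACHE_LINE` (64) and `WS_SIZE` are hypothetical stand-ins for rte_zmalloc(), rte_free(), the port setup, cnxk_sso_hws_get_cookie() and RTE_CACHE_LINE_SIZE.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CACHE_LINE 64   /* assumed stand-in for RTE_CACHE_LINE_SIZE */
#define WS_SIZE    128  /* assumed size of the per-port structure */
#define NB_PORTS   3    /* ports set up before the simulated failure */

enum cleanup_kind { CLEANUP_ORIGINAL, CLEANUP_PATCH_V7, CLEANUP_REPLY };
struct outcome { int freed; int bad_free; int leaked; };

static void *live[NB_PORTS]; /* base addresses handed out, not yet released */

/* Hypothetical stand-in for rte_zmalloc(): records the base address. */
static void *tracked_zalloc(size_t size)
{
	void *p = calloc(1, size);
	for (int i = 0; p != NULL && i < NB_PORTS; i++) {
		if (live[i] == NULL) {
			live[i] = p;
			return p;
		}
	}
	free(p); /* table full, or calloc failed and p is NULL */
	return NULL;
}

/* Hypothetical stand-in for rte_free(): accepts only NULL or an exact base.
 * Addresses are uintptr_t so "NULL minus one cache line" is well defined. */
static void tracked_free(uintptr_t addr, struct outcome *out)
{
	if (addr == 0)
		return;
	for (int i = 0; i < NB_PORTS; i++) {
		if (live[i] != NULL && (uintptr_t)live[i] == addr) {
			free(live[i]);
			live[i] = NULL;
			out->freed++;
			return;
		}
	}
	out->bad_free++; /* interior or wild pointer: a real heap would be corrupted */
}

/* As in the reply's [1] snippet: cookie in the first cache line, port after it. */
static uintptr_t port_alloc(void)
{
	void *base = tracked_zalloc(WS_SIZE + CACHE_LINE);
	return base != NULL ? (uintptr_t)base + CACHE_LINE : 0;
}

/* Model of cnxk_sso_hws_get_cookie(): step back to the allocation base. */
static uintptr_t get_cookie(uintptr_t ws) { return ws - CACHE_LINE; }

static struct outcome run_cleanup(enum cleanup_kind kind)
{
	struct outcome out = {0, 0, 0};
	uintptr_t ports[NB_PORTS], ws;

	for (int i = 0; i < NB_PORTS; i++)
		ports[i] = port_alloc();

	for (int i = NB_PORTS - 1; i >= 0; i--) {
		switch (kind) {
		case CLEANUP_ORIGINAL: /* NULL first, then translate the NULL */
			ports[i] = 0;
			tracked_free(get_cookie(ports[i]), &out);
			break;
		case CLEANUP_PATCH_V7: /* saved pointer, but it is not the base */
			ws = ports[i];
			ports[i] = 0;
			tracked_free(ws, &out);
			break;
		case CLEANUP_REPLY: /* translate and free, then NULL */
			tracked_free(get_cookie(ports[i]), &out);
			ports[i] = 0;
			break;
		}
	}
	/* Whatever is still recorded was never released: count it, then tidy up. */
	for (int i = 0; i < NB_PORTS; i++) {
		if (live[i] != NULL) {
			out.leaked++;
			free(live[i]);
			live[i] = NULL;
		}
	}
	return out;
}

int main(void)
{
	for (int k = CLEANUP_ORIGINAL; k <= CLEANUP_REPLY; k++) {
		struct outcome o = run_cleanup((enum cleanup_kind)k);
		printf("kind=%d freed=%d bad_free=%d leaked=%d\n", k, o.freed, o.bad_free, o.leaked);
	}
	return 0;
}
```

Only the third ordering hands the allocator the address it gave out; the other two pass it a pointer it never returned and leave every port allocation unreleased.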
