[dpdk-dev] [PATCH] ring: fix use after free in ring release

[dpdk-dev] [PATCH] ring: fix use after free in ring release

[Yunjian Wang]

When using the ring to find out tailq entry, however it had been
freed by rte_memzone_free function. This change prevents that
from happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 lib/ring/rte_ring.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..17d2d7f8a8 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c
@@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
 		return;
 	}
 
-	if (rte_memzone_free(r->memzone) != 0) {
-		RTE_LOG(ERR, RING, "Cannot free memory\n");
-		return;
-	}
-
 	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
 	rte_mcfg_tailq_write_lock();
 
@@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
 
 	if (te == NULL) {
 		rte_mcfg_tailq_write_unlock();
-		return;
+		goto free_memzone;
 	}
 
 	TAILQ_REMOVE(ring_list, te, next);
@@ -357,6 +352,10 @@ rte_ring_free(struct rte_ring *r)
 	rte_mcfg_tailq_write_unlock();
 
 	rte_free(te);
+
+free_memzone:
+	if (rte_memzone_free(r->memzone) != 0)
+		RTE_LOG(ERR, RING, "Cannot free memory\n");
 }
 
 /* dump the status of the ring on the console */
-- 
2.33.0

RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release

[Honnappa Nagarahalli]

> -----Original Message-----
> From: Yunjian Wang <wangyunjian@huawei.com>
> Sent: Monday, April 17, 2023 8:12 AM
> To: dev@dpdk.org
> Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> 
> When using the ring to find out tailq entry, however it had been freed by
> rte_memzone_free function. This change prevents that from happening.
I am unable to follow the problem you are describing.
After the memzone for the ring is released, the contents of the memzone are not being used. I understand that the variable 'r' is being used, but that should not cause any issues.

> 
> Fixes: 4e32101f9b01 ("ring: support freeing")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  lib/ring/rte_ring.c | 11 +++++------
>  1 file changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> 8ed455043d..17d2d7f8a8 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>  		return;
>  	}
> 
> -	if (rte_memzone_free(r->memzone) != 0) {
> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> -		return;
> -	}
Why do we need to free the memzone later?

> -
>  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>  	rte_mcfg_tailq_write_lock();
> 
> @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
> 
>  	if (te == NULL) {
>  		rte_mcfg_tailq_write_unlock();
> -		return;
> +		goto free_memzone;
>  	}
> 
>  	TAILQ_REMOVE(ring_list, te, next);
> @@ -357,6 +352,10 @@ rte_ring_free(struct rte_ring *r)
>  	rte_mcfg_tailq_write_unlock();
> 
>  	rte_free(te);
> +
> +free_memzone:
> +	if (rte_memzone_free(r->memzone) != 0)
> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
>  }
> 
>  /* dump the status of the ring on the console */
> --
> 2.33.0

RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release

[wangyunjian]

> -----Original Message-----
> From: Honnappa Nagarahalli [mailto:Honnappa.Nagarahalli@arm.com]
> Sent: Wednesday, April 19, 2023 7:53 AM
> To: wangyunjian <wangyunjian@huawei.com>; dev@dpdk.org
> Cc: konstantin.v.ananyev@yandex.ru; luyicai <luyicai@huawei.com>;
> stable@dpdk.org; nd <nd@arm.com>; Honnappa Nagarahalli
> <Honnappa.Nagarahalli@arm.com>; nd <nd@arm.com>
> Subject: RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> 
> 
> 
> > -----Original Message-----
> > From: Yunjian Wang <wangyunjian@huawei.com>
> > Sent: Monday, April 17, 2023 8:12 AM
> > To: dev@dpdk.org
> > Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> > konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> > <wangyunjian@huawei.com>; stable@dpdk.org
> > Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> >
> > When using the ring to find out tailq entry, however it had been freed
> > by rte_memzone_free function. This change prevents that from happening.
> I am unable to follow the problem you are describing.
> After the memzone for the ring is released, the contents of the memzone are
> not being used. I understand that the variable 'r' is being used, but that should
> not cause any issues.
> 
> >
> > Fixes: 4e32101f9b01 ("ring: support freeing")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > ---
> >  lib/ring/rte_ring.c | 11 +++++------
> >  1 file changed, 5 insertions(+), 6 deletions(-)
> >
> > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > 8ed455043d..17d2d7f8a8 100644
> > --- a/lib/ring/rte_ring.c
> > +++ b/lib/ring/rte_ring.c
> > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> >  		return;
> >  	}
> >
> > -	if (rte_memzone_free(r->memzone) != 0) {
> > -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > -		return;
> > -	}
> Why do we need to free the memzone later?

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free problem.

Thanks,
Yunjian
> 
> > -
> >  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> >  	rte_mcfg_tailq_write_lock();
> >
> > @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
> >
> >  	if (te == NULL) {
> >  		rte_mcfg_tailq_write_unlock();
> > -		return;
> > +		goto free_memzone;
> >  	}
> >
> >  	TAILQ_REMOVE(ring_list, te, next);
> > @@ -357,6 +352,10 @@ rte_ring_free(struct rte_ring *r)
> >  	rte_mcfg_tailq_write_unlock();
> >
> >  	rte_free(te);
> > +
> > +free_memzone:
> > +	if (rte_memzone_free(r->memzone) != 0)
> > +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> >  }
> >
> >  /* dump the status of the ring on the console */
> > --
> > 2.33.0

RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release

[Honnappa Nagarahalli]

<snip>

> >
> > > -----Original Message-----
> > > From: Yunjian Wang <wangyunjian@huawei.com>
> > > Sent: Monday, April 17, 2023 8:12 AM
> > > To: dev@dpdk.org
> > > Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> > > konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> > > <wangyunjian@huawei.com>; stable@dpdk.org
> > > Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> > >
> > > When using the ring to find out tailq entry, however it had been
> > > freed by rte_memzone_free function. This change prevents that from
> happening.
> > I am unable to follow the problem you are describing.
> > After the memzone for the ring is released, the contents of the
> > memzone are not being used. I understand that the variable 'r' is
> > being used, but that should not cause any issues.
> >
> > >
> > > Fixes: 4e32101f9b01 ("ring: support freeing")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > > ---
> > >  lib/ring/rte_ring.c | 11 +++++------
> > >  1 file changed, 5 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > > 8ed455043d..17d2d7f8a8 100644
> > > --- a/lib/ring/rte_ring.c
> > > +++ b/lib/ring/rte_ring.c
> > > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> > >  		return;
> > >  	}
> > >
> > > -	if (rte_memzone_free(r->memzone) != 0) {
> > > -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > > -		return;
> > > -	}
> > Why do we need to free the memzone later?
> 
> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free problem.
Thanks, understood

> 
> Thanks,
> Yunjian
> >
> > > -
> > >  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> > >  	rte_mcfg_tailq_write_lock();
> > >
> > > @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
> > >
> > >  	if (te == NULL) {
> > >  		rte_mcfg_tailq_write_unlock();
> > > -		return;
> > > +		goto free_memzone;
We do not need this. If 'te == NULL' is true, then the ring was not found or possibly already freed.

> > >  	}
> > >
> > >  	TAILQ_REMOVE(ring_list, te, next); @@ -357,6 +352,10 @@
> > > rte_ring_free(struct rte_ring *r)
We should free the memzone here while holding the lock

> > >  	rte_mcfg_tailq_write_unlock();
> > >
> > >  	rte_free(te);
> > > +
> > > +free_memzone:
> > > +	if (rte_memzone_free(r->memzone) != 0)
> > > +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > >  }
Should be moved up as mentioned above

> > >
> > >  /* dump the status of the ring on the console */
> > > --
> > > 2.33.0

RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release

[wangyunjian]

> -----Original Message-----
> From: Honnappa Nagarahalli [mailto:Honnappa.Nagarahalli@arm.com]
> Sent: Thursday, April 20, 2023 5:44 AM
> To: wangyunjian <wangyunjian@huawei.com>; dev@dpdk.org
> Cc: konstantin.v.ananyev@yandex.ru; luyicai <luyicai@huawei.com>;
> stable@dpdk.org; nd <nd@arm.com>; nd <nd@arm.com>
> Subject: RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> 
> <snip>
> 
> > >
> > > > -----Original Message-----
> > > > From: Yunjian Wang <wangyunjian@huawei.com>
> > > > Sent: Monday, April 17, 2023 8:12 AM
> > > > To: dev@dpdk.org
> > > > Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> > > > konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> > > > <wangyunjian@huawei.com>; stable@dpdk.org
> > > > Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring
> > > > release
> > > >
> > > > When using the ring to find out tailq entry, however it had been
> > > > freed by rte_memzone_free function. This change prevents that from
> > happening.
> > > I am unable to follow the problem you are describing.
> > > After the memzone for the ring is released, the contents of the
> > > memzone are not being used. I understand that the variable 'r' is
> > > being used, but that should not cause any issues.
> > >
> > > >
> > > > Fixes: 4e32101f9b01 ("ring: support freeing")
> > > > Cc: stable@dpdk.org
> > > >
> > > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > > > ---
> > > >  lib/ring/rte_ring.c | 11 +++++------
> > > >  1 file changed, 5 insertions(+), 6 deletions(-)
> > > >
> > > > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > > > 8ed455043d..17d2d7f8a8 100644
> > > > --- a/lib/ring/rte_ring.c
> > > > +++ b/lib/ring/rte_ring.c
> > > > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> > > >  		return;
> > > >  	}
> > > >
> > > > -	if (rte_memzone_free(r->memzone) != 0) {
> > > > -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > > > -		return;
> > > > -	}
> > > Why do we need to free the memzone later?
> >
> > After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> > If rte_ring_lookup is called at this time, it will cause a use-after-free problem.
> Thanks, understood
> 
> >
> > Thanks,
> > Yunjian
> > >
> > > > -
> > > >  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> > > >  	rte_mcfg_tailq_write_lock();
> > > >
> > > > @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
> > > >
> > > >  	if (te == NULL) {
> > > >  		rte_mcfg_tailq_write_unlock();
> > > > -		return;
> > > > +		goto free_memzone;
> We do not need this. If 'te == NULL' is true, then the ring was not found or
> possibly already freed.

OK

> 
> > > >  	}
> > > >
> > > >  	TAILQ_REMOVE(ring_list, te, next); @@ -357,6 +352,10 @@
> > > > rte_ring_free(struct rte_ring *r)
> We should free the memzone here while holding the lock

OK, You are right. I fix it on your suggestions.

https://patchwork.dpdk.org/project/dpdk/patch/c23b1135e1b0676ef7d82969b39a21df992d418f.1681972694.git.wangyunjian@huawei.com/

Thanks,
Yunjian

> 
> > > >  	rte_mcfg_tailq_write_unlock();
> > > >
> > > >  	rte_free(te);
> > > > +
> > > > +free_memzone:
> > > > +	if (rte_memzone_free(r->memzone) != 0)
> > > > +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > > >  }
> Should be moved up as mentioned above
> 
> > > >
> > > >  /* dump the status of the ring on the console */
> > > > --
> > > > 2.33.0

[dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Yunjian Wang]

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org

Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
v2: update code suggested by Honnappa Nagarahalli
---
 lib/ring/rte_ring.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..2755323b8a 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c
@@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
 		return;
 	}
 
-	if (rte_memzone_free(r->memzone) != 0) {
-		RTE_LOG(ERR, RING, "Cannot free memory\n");
-		return;
-	}
-
 	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
 	rte_mcfg_tailq_write_lock();
 
@@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
 
 	TAILQ_REMOVE(ring_list, te, next);
 
+	if (rte_memzone_free(r->memzone) != 0)
+		RTE_LOG(ERR, RING, "Cannot free memory\n");
+
 	rte_mcfg_tailq_write_unlock();
 
 	rte_free(te);
-- 
2.33.0

RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Honnappa Nagarahalli]

> -----Original Message-----
> From: Yunjian Wang <wangyunjian@huawei.com>
> Sent: Thursday, April 20, 2023 1:44 AM
> To: dev@dpdk.org
> Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
> 
> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free problem.
> This change prevents that from happening.
> 
> Fixes: 4e32101f9b01 ("ring: support freeing")
> Cc: stable@dpdk.org
> 
> Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
This is incorrect, this is not a suggestion from me. Please remove this.

> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Other than the above, the patch looks fine.

Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>

> ---
> v2: update code suggested by Honnappa Nagarahalli
> ---
>  lib/ring/rte_ring.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)
> 
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> 8ed455043d..2755323b8a 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>  		return;
>  	}
> 
> -	if (rte_memzone_free(r->memzone) != 0) {
> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> -		return;
> -	}
> -
>  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>  	rte_mcfg_tailq_write_lock();
> 
> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> 
>  	TAILQ_REMOVE(ring_list, te, next);
> 
> +	if (rte_memzone_free(r->memzone) != 0)
> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> +
>  	rte_mcfg_tailq_write_unlock();
> 
>  	rte_free(te);
> --
> 2.33.0

Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Konstantin Ananyev]

> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free
> problem. This change prevents that from happening.
> 
> Fixes: 4e32101f9b01 ("ring: support freeing")
> Cc: stable@dpdk.org
> 
> Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
> v2: update code suggested by Honnappa Nagarahalli
> ---
>  lib/ring/rte_ring.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)
> 
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
> index 8ed455043d..2755323b8a 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>  		return;
>  	}
>  
> -	if (rte_memzone_free(r->memzone) != 0) {
> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> -		return;
> -	}
> -
>  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>  	rte_mcfg_tailq_write_lock();
>  
> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
>  
>  	TAILQ_REMOVE(ring_list, te, next);
>  
> +	if (rte_memzone_free(r->memzone) != 0)
> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> +

I nit: I think it is a bit better to first release the lock and
then free the memzone.
Apart from that, LGTM.
Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>

>  	rte_mcfg_tailq_write_unlock();
>  
>  	rte_free(te);
> -- 
> 2.33.0

RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Honnappa Nagarahalli]

> -----Original Message-----
> From: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> Sent: Monday, May 1, 2023 7:32 AM
> To: wangyunjian@huawei.com
> Cc: dev@dpdk.org; Honnappa Nagarahalli
> <Honnappa.Nagarahalli@arm.com>; konstantin.v.ananyev@yandex.ru;
> luyicai@huawei.com; stable@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
> 
> 
> 
> > After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> > If rte_ring_lookup is called at this time, it will cause a
> > use-after-free problem. This change prevents that from happening.
> >
> > Fixes: 4e32101f9b01 ("ring: support freeing")
> > Cc: stable@dpdk.org
> >
> > Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
> > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > ---
> > v2: update code suggested by Honnappa Nagarahalli
> > ---
> >  lib/ring/rte_ring.c | 8 +++-----
> >  1 file changed, 3 insertions(+), 5 deletions(-)
> >
> > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > 8ed455043d..2755323b8a 100644
> > --- a/lib/ring/rte_ring.c
> > +++ b/lib/ring/rte_ring.c
> > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> >  		return;
> >  	}
> >
> > -	if (rte_memzone_free(r->memzone) != 0) {
> > -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > -		return;
> > -	}
> > -
> >  	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> >  	rte_mcfg_tailq_write_lock();
> >
> > @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> >
> >  	TAILQ_REMOVE(ring_list, te, next);
> >
> > +	if (rte_memzone_free(r->memzone) != 0)
> > +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > +
> 
> I nit: I think it is a bit better to first release the lock and then free the
> memzone.
I think both of our suggestions are contradictory. Any reason why you want to free outside the locked region?

I thought, since it belongs to the ring being freed, it makes sense to free it while holding the lock to avoid any race conditions (though, I have not checked what those are).

> Apart from that, LGTM.
> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> 
> >  	rte_mcfg_tailq_write_unlock();
> >
> >  	rte_free(te);
> > --
> > 2.33.0
> 

Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Konstantin Ananyev]

01/05/2023 20:06, Honnappa Nagarahalli пишет:
> 
> 
>> -----Original Message-----
>> From: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
>> Sent: Monday, May 1, 2023 7:32 AM
>> To: wangyunjian@huawei.com
>> Cc: dev@dpdk.org; Honnappa Nagarahalli
>> <Honnappa.Nagarahalli@arm.com>; konstantin.v.ananyev@yandex.ru;
>> luyicai@huawei.com; stable@dpdk.org
>> Subject: Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
>>
>>
>>
>>> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
>>> If rte_ring_lookup is called at this time, it will cause a
>>> use-after-free problem. This change prevents that from happening.
>>>
>>> Fixes: 4e32101f9b01 ("ring: support freeing")
>>> Cc: stable@dpdk.org
>>>
>>> Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
>>> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
>>> ---
>>> v2: update code suggested by Honnappa Nagarahalli
>>> ---
>>>   lib/ring/rte_ring.c | 8 +++-----
>>>   1 file changed, 3 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
>>> 8ed455043d..2755323b8a 100644
>>> --- a/lib/ring/rte_ring.c
>>> +++ b/lib/ring/rte_ring.c
>>> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>>>   		return;
>>>   	}
>>>
>>> -	if (rte_memzone_free(r->memzone) != 0) {
>>> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
>>> -		return;
>>> -	}
>>> -
>>>   	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>>>   	rte_mcfg_tailq_write_lock();
>>>
>>> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
>>>
>>>   	TAILQ_REMOVE(ring_list, te, next);
>>>
>>> +	if (rte_memzone_free(r->memzone) != 0)
>>> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
>>> +
>>
>> I nit: I think it is a bit better to first release the lock and then free the
>> memzone.
> I think both of our suggestions are contradictory. Any reason why you want to free outside the locked region?


Don't know what you mean by 'both suggestions' here.
I think I gave only one - move memzone_free() after tailq_write_unlock().
To be more precise:
1) rte_mcfg_tailq_write_lock();
...
2) TAILQ_REMOVE(...);
3) rte_mcfg_tailq_write_unlock();
4) rte_memzone_free(r->memzone);

As I remember, memzones are protected by their own lock (mlock), so
we don't need to hold qlock to free a memzone, after ring was already
removed from the ring_list.

> 
> I thought, since it belongs to the ring being freed, it makes sense to free it while holding the lock to avoid any race conditions (though, I have not checked what those are).


As I understand, it is ok with current design to grab mlock while 
holding qlock.
So, there is nothing wrong with current patch,
I just think that in that case it is excessive, and can be safely avoided.

> 
>> Apart from that, LGTM.
>> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
>>
>>>   	rte_mcfg_tailq_write_unlock();
>>>
>>>   	rte_free(te);
>>> --
>>> 2.33.0
>>
> 

RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Honnappa Nagarahalli]

<snip>

> >>
> >>
> >>
> >>> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> >>> If rte_ring_lookup is called at this time, it will cause a
> >>> use-after-free problem. This change prevents that from happening.
> >>>
> >>> Fixes: 4e32101f9b01 ("ring: support freeing")
> >>> Cc: stable@dpdk.org
> >>>
> >>> Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
> >>> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> >>> ---
> >>> v2: update code suggested by Honnappa Nagarahalli
> >>> ---
> >>>   lib/ring/rte_ring.c | 8 +++-----
> >>>   1 file changed, 3 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> >>> 8ed455043d..2755323b8a 100644
> >>> --- a/lib/ring/rte_ring.c
> >>> +++ b/lib/ring/rte_ring.c
> >>> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> >>>   		return;
> >>>   	}
> >>>
> >>> -	if (rte_memzone_free(r->memzone) != 0) {
> >>> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> >>> -		return;
> >>> -	}
> >>> -
> >>>   	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> >>>   	rte_mcfg_tailq_write_lock();
> >>>
> >>> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> >>>
> >>>   	TAILQ_REMOVE(ring_list, te, next);
> >>>
> >>> +	if (rte_memzone_free(r->memzone) != 0)
> >>> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> >>> +
> >>
> >> I nit: I think it is a bit better to first release the lock and then
> >> free the memzone.
> > I think both of our suggestions are contradictory. Any reason why you want
> to free outside the locked region?
> 
> 
> Don't know what you mean by 'both suggestions' here.
I wrote 'both of our suggestions'. Essentially, in v1, freeing the memzone was outside of the lock. I suggested to move it inside and you are suggesting to move it inside.

> I think I gave only one - move memzone_free() after tailq_write_unlock().
> To be more precise:
> 1) rte_mcfg_tailq_write_lock();
> ...
> 2) TAILQ_REMOVE(...);
> 3) rte_mcfg_tailq_write_unlock();
> 4) rte_memzone_free(r->memzone);
> 
> As I remember, memzones are protected by their own lock (mlock), so we
> don't need to hold qlock to free a memzone, after ring was already removed
> from the ring_list.
> 
> >
> > I thought, since it belongs to the ring being freed, it makes sense to free it
> while holding the lock to avoid any race conditions (though, I have not
> checked what those are).
> 
> 
> As I understand, it is ok with current design to grab mlock while holding qlock.
> So, there is nothing wrong with current patch, I just think that in that case it is
> excessive, and can be safely avoided.
> 
> >
> >> Apart from that, LGTM.
> >> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> >>
> >>>   	rte_mcfg_tailq_write_unlock();
> >>>
> >>>   	rte_free(te);
> >>> --
> >>> 2.33.0
> >>
> >

Re: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Konstantin Ananyev]

03/05/2023 06:44, Honnappa Nagarahalli пишет:
> <snip>
> 
>>>>
>>>>
>>>>
>>>>> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
>>>>> If rte_ring_lookup is called at this time, it will cause a
>>>>> use-after-free problem. This change prevents that from happening.
>>>>>
>>>>> Fixes: 4e32101f9b01 ("ring: support freeing")
>>>>> Cc: stable@dpdk.org
>>>>>
>>>>> Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
>>>>> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
>>>>> ---
>>>>> v2: update code suggested by Honnappa Nagarahalli
>>>>> ---
>>>>>    lib/ring/rte_ring.c | 8 +++-----
>>>>>    1 file changed, 3 insertions(+), 5 deletions(-)
>>>>>
>>>>> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
>>>>> 8ed455043d..2755323b8a 100644
>>>>> --- a/lib/ring/rte_ring.c
>>>>> +++ b/lib/ring/rte_ring.c
>>>>> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>>>>>    		return;
>>>>>    	}
>>>>>
>>>>> -	if (rte_memzone_free(r->memzone) != 0) {
>>>>> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
>>>>> -		return;
>>>>> -	}
>>>>> -
>>>>>    	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>>>>>    	rte_mcfg_tailq_write_lock();
>>>>>
>>>>> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
>>>>>
>>>>>    	TAILQ_REMOVE(ring_list, te, next);
>>>>>
>>>>> +	if (rte_memzone_free(r->memzone) != 0)
>>>>> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
>>>>> +
>>>>
>>>> I nit: I think it is a bit better to first release the lock and then
>>>> free the memzone.
>>> I think both of our suggestions are contradictory. Any reason why you want
>> to free outside the locked region?
>>
>>
>> Don't know what you mean by 'both suggestions' here.
> I wrote 'both of our suggestions'. Essentially, in v1, freeing the memzone was outside of the lock. I suggested to move it inside and you are suggesting to move it inside.


Ah ok, I missed v1 and your comments for it.
As I said before, I don't think that we need to hold qlock here
while calling mmezone_free().
Though I don't see any harm with it either.
I'd personally would move memzone_free() after releasing qlock,
but if you guys prefer to keep it as it is - I wouldn't insist.

> 
>> I think I gave only one - move memzone_free() after tailq_write_unlock().
>> To be more precise:
>> 1) rte_mcfg_tailq_write_lock();
>> ...
>> 2) TAILQ_REMOVE(...);
>> 3) rte_mcfg_tailq_write_unlock();
>> 4) rte_memzone_free(r->memzone);
>>
>> As I remember, memzones are protected by their own lock (mlock), so we
>> don't need to hold qlock to free a memzone, after ring was already removed
>> from the ring_list.
>>
>>>
>>> I thought, since it belongs to the ring being freed, it makes sense to free it
>> while holding the lock to avoid any race conditions (though, I have not
>> checked what those are).
>>
>>
>> As I understand, it is ok with current design to grab mlock while holding qlock.
>> So, there is nothing wrong with current patch, I just think that in that case it is
>> excessive, and can be safely avoided.
>>
>>>
>>>> Apart from that, LGTM.
>>>> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
>>>>
>>>>>    	rte_mcfg_tailq_write_unlock();
>>>>>
>>>>>    	rte_free(te);
>>>>> --
>>>>> 2.33.0
>>>>
>>>
> 

RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Honnappa Nagarahalli]

<snip>

> >
> >>>>
> >>>>
> >>>>
> >>>>> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> >>>>> If rte_ring_lookup is called at this time, it will cause a
> >>>>> use-after-free problem. This change prevents that from happening.
> >>>>>
> >>>>> Fixes: 4e32101f9b01 ("ring: support freeing")
> >>>>> Cc: stable@dpdk.org
> >>>>>
> >>>>> Suggested-by: Honnappa Nagarahalli
> <honnappa.nagarahalli@arm.com>
> >>>>> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> >>>>> ---
> >>>>> v2: update code suggested by Honnappa Nagarahalli
> >>>>> ---
> >>>>>    lib/ring/rte_ring.c | 8 +++-----
> >>>>>    1 file changed, 3 insertions(+), 5 deletions(-)
> >>>>>
> >>>>> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> >>>>> 8ed455043d..2755323b8a 100644
> >>>>> --- a/lib/ring/rte_ring.c
> >>>>> +++ b/lib/ring/rte_ring.c
> >>>>> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> >>>>>    		return;
> >>>>>    	}
> >>>>>
> >>>>> -	if (rte_memzone_free(r->memzone) != 0) {
> >>>>> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> >>>>> -		return;
> >>>>> -	}
> >>>>> -
> >>>>>    	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head,
> rte_ring_list);
> >>>>>    	rte_mcfg_tailq_write_lock();
> >>>>>
> >>>>> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> >>>>>
> >>>>>    	TAILQ_REMOVE(ring_list, te, next);
> >>>>>
> >>>>> +	if (rte_memzone_free(r->memzone) != 0)
> >>>>> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> >>>>> +
> >>>>
> >>>> I nit: I think it is a bit better to first release the lock and
> >>>> then free the memzone.
> >>> I think both of our suggestions are contradictory. Any reason why
> >>> you want
> >> to free outside the locked region?
> >>
> >>
> >> Don't know what you mean by 'both suggestions' here.
> > I wrote 'both of our suggestions'. Essentially, in v1, freeing the memzone
> was outside of the lock. I suggested to move it inside and you are suggesting
> to move it inside.
> 
> 
> Ah ok, I missed v1 and your comments for it.
> As I said before, I don't think that we need to hold qlock here while calling
> mmezone_free().
> Though I don't see any harm with it either.
> I'd personally would move memzone_free() after releasing qlock, but if you
> guys prefer to keep it as it is - I wouldn't insist.
I looked at other libraries, stack library is the closest. Stack library frees the memzone outside the lock. I think we should keep it consistent.
I am fine to move the free outside the lock.

> 
> >
> >> I think I gave only one - move memzone_free() after tailq_write_unlock().
> >> To be more precise:
> >> 1) rte_mcfg_tailq_write_lock();
> >> ...
> >> 2) TAILQ_REMOVE(...);
> >> 3) rte_mcfg_tailq_write_unlock();
> >> 4) rte_memzone_free(r->memzone);
> >>
> >> As I remember, memzones are protected by their own lock (mlock), so
> >> we don't need to hold qlock to free a memzone, after ring was already
> >> removed from the ring_list.
> >>
> >>>
> >>> I thought, since it belongs to the ring being freed, it makes sense
> >>> to free it
> >> while holding the lock to avoid any race conditions (though, I have
> >> not checked what those are).
> >>
> >>
> >> As I understand, it is ok with current design to grab mlock while holding
> qlock.
> >> So, there is nothing wrong with current patch, I just think that in
> >> that case it is excessive, and can be safely avoided.
> >>
> >>>
> >>>> Apart from that, LGTM.
> >>>> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> >>>>
> >>>>>    	rte_mcfg_tailq_write_unlock();
> >>>>>
> >>>>>    	rte_free(te);
> >>>>> --
> >>>>> 2.33.0
> >>>>
> >>>
> >

RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[wangyunjian]

> -----Original Message-----
> From: Honnappa Nagarahalli [mailto:Honnappa.Nagarahalli@arm.com]
> Sent: Thursday, May 4, 2023 7:46 AM
> To: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>; wangyunjian
> <wangyunjian@huawei.com>
> Cc: dev@dpdk.org; luyicai <luyicai@huawei.com>; stable@dpdk.org; nd
> <nd@arm.com>; nd <nd@arm.com>
> Subject: RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
> 
> <snip>
> 
> > >
> > >>>>
> > >>>>
> > >>>>
> > >>>>> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> > >>>>> If rte_ring_lookup is called at this time, it will cause a
> > >>>>> use-after-free problem. This change prevents that from happening.
> > >>>>>
> > >>>>> Fixes: 4e32101f9b01 ("ring: support freeing")
> > >>>>> Cc: stable@dpdk.org
> > >>>>>
> > >>>>> Suggested-by: Honnappa Nagarahalli
> > <honnappa.nagarahalli@arm.com>
> > >>>>> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > >>>>> ---
> > >>>>> v2: update code suggested by Honnappa Nagarahalli
> > >>>>> ---
> > >>>>>    lib/ring/rte_ring.c | 8 +++-----
> > >>>>>    1 file changed, 3 insertions(+), 5 deletions(-)
> > >>>>>
> > >>>>> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > >>>>> 8ed455043d..2755323b8a 100644
> > >>>>> --- a/lib/ring/rte_ring.c
> > >>>>> +++ b/lib/ring/rte_ring.c
> > >>>>> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> > >>>>>    		return;
> > >>>>>    	}
> > >>>>>
> > >>>>> -	if (rte_memzone_free(r->memzone) != 0) {
> > >>>>> -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > >>>>> -		return;
> > >>>>> -	}
> > >>>>> -
> > >>>>>    	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head,
> > rte_ring_list);
> > >>>>>    	rte_mcfg_tailq_write_lock();
> > >>>>>
> > >>>>> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> > >>>>>
> > >>>>>    	TAILQ_REMOVE(ring_list, te, next);
> > >>>>>
> > >>>>> +	if (rte_memzone_free(r->memzone) != 0)
> > >>>>> +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > >>>>> +
> > >>>>
> > >>>> I nit: I think it is a bit better to first release the lock and
> > >>>> then free the memzone.
> > >>> I think both of our suggestions are contradictory. Any reason why
> > >>> you want
> > >> to free outside the locked region?
> > >>
> > >>
> > >> Don't know what you mean by 'both suggestions' here.
> > > I wrote 'both of our suggestions'. Essentially, in v1, freeing the
> > > memzone
> > was outside of the lock. I suggested to move it inside and you are
> > suggesting to move it inside.
> >
> >
> > Ah ok, I missed v1 and your comments for it.
> > As I said before, I don't think that we need to hold qlock here while
> > calling mmezone_free().
> > Though I don't see any harm with it either.
> > I'd personally would move memzone_free() after releasing qlock, but if
> > you guys prefer to keep it as it is - I wouldn't insist.
> I looked at other libraries, stack library is the closest. Stack library frees the
> memzone outside the lock. I think we should keep it consistent.
> I am fine to move the free outside the lock.

Thanks, Konstantin Ananyev and Honnappa Nagarahalli.
I will update the patch in v3 and move the free outside the lock.

> 
> >
> > >
> > >> I think I gave only one - move memzone_free() after tailq_write_unlock().
> > >> To be more precise:
> > >> 1) rte_mcfg_tailq_write_lock();
> > >> ...
> > >> 2) TAILQ_REMOVE(...);
> > >> 3) rte_mcfg_tailq_write_unlock();
> > >> 4) rte_memzone_free(r->memzone);
> > >>
> > >> As I remember, memzones are protected by their own lock (mlock), so
> > >> we don't need to hold qlock to free a memzone, after ring was
> > >> already removed from the ring_list.
> > >>
> > >>>
> > >>> I thought, since it belongs to the ring being freed, it makes
> > >>> sense to free it
> > >> while holding the lock to avoid any race conditions (though, I have
> > >> not checked what those are).
> > >>
> > >>
> > >> As I understand, it is ok with current design to grab mlock while
> > >> holding
> > qlock.
> > >> So, there is nothing wrong with current patch, I just think that in
> > >> that case it is excessive, and can be safely avoided.
> > >>
> > >>>
> > >>>> Apart from that, LGTM.
> > >>>> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> > >>>>
> > >>>>>    	rte_mcfg_tailq_write_unlock();
> > >>>>>
> > >>>>>    	rte_free(te);
> > >>>>> --
> > >>>>> 2.33.0
> > >>>>
> > >>>
> > >

[dpdk-dev] [PATCH v3] ring: fix use after free in ring release

[Yunjian Wang]

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
---
v3:
   move memzone free outside the lock
---
 lib/ring/rte_ring.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..057d25ff6f 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c
@@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
 		return;
 	}
 
-	if (rte_memzone_free(r->memzone) != 0) {
-		RTE_LOG(ERR, RING, "Cannot free memory\n");
-		return;
-	}
-
 	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
 	rte_mcfg_tailq_write_lock();
 
@@ -356,6 +351,9 @@ rte_ring_free(struct rte_ring *r)
 
 	rte_mcfg_tailq_write_unlock();
 
+	if (rte_memzone_free(r->memzone) != 0)
+		RTE_LOG(ERR, RING, "Cannot free memory\n");
+
 	rte_free(te);
 }
 
-- 
2.33.0

Re: [dpdk-dev] [PATCH v3] ring: fix use after free in ring release

[Thomas Monjalon]

05/05/2023 08:48, Yunjian Wang:
> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free
> problem. This change prevents that from happening.
> 
> Fixes: 4e32101f9b01 ("ring: support freeing")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>

Applied, thanks.
That's a real pleasure to see reliability improved :)