From: "Legacy, Allain"
To: "ANANYEV, KONSTANTIN"
CC: "dev@dpdk.org", "Peters, Matt", "stable@dpdk.org"
Date: Wed, 11 Apr 2018 11:28:11 +0000
Subject: Re: [dpdk-stable] [PATCH v2] ip_frag: fix double free of chained mbufs
Message-ID: <70A7408C6E1BFB41B192A929744D8523BA9FC6A1@ALA-MBD.corp.ad.wrs.com>
In-Reply-To: <2601191342CEEE43887BDE71AB977258AE9138DD@IRSMSX102.ger.corp.intel.com>
References: <20180319141833.21669-1-allain.legacy@windriver.com> <20180319142523.22163-1-allain.legacy@windriver.com> <2601191342CEEE43887BDE71AB977258AE9138DD@IRSMSX102.ger.corp.intel.com>

> -----Original Message-----
> From: Ananyev, Konstantin [mailto:konstantin.ananyev@intel.com]
> Sent: Wednesday, April 11, 2018 7:02 AM
<..>
>
> I wonder why we have to NULL only first and cur entry?
> We probably have to NULL each one in that case, right?

We have to do first and current entries at those locations because
the code does not clear them properly.  All other entries are cleared by
the following piece of code but it does not handle the two cases that I am
addressing with my change.

	/* this mbuf should not be accessed directly */
	fp->frags[curr_idx].mb = NULL;
	curr_idx = i;

> If so, then it is probably better to do it in the same place we do
> ip_frag_key_invalidate().

I don't feel that ip_frag_key_invalidate is the appropriate place to take
care of this.  In the interest of code readability and maintainability it
should stick to what its name implies and only invalidate the key and nothing
else.  Since the ipv*_frag_reassemble() functions were already set up to
set the pointers to NULL it should continue to be done there, but of course
since it does not handle all cases correctly it should be fixed.

> As an alternative, and probably better approach - can we modify
> rte_ip_frag_table_destroy(), so it will free mbufs only for entries with valid
> keys?

If you prefer this approach I can start over.

Allain
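
The ownership problem discussed in this message, as an added example that is not part of the original e-mail and is not DPDK code: a simplified model in which a reassembly routine hands a chain of buffers to the caller and a later table teardown frees whatever the slots still reference. The types, `FIRST`, `reassemble()`, `table_destroy()` and `run_cycle()` are hypothetical names, and `buf_free()` only counts calls so that a double free can be observed safely.

```c
#include <stdio.h>

#define NFRAGS 4
#define FIRST 0   /* slot holding the first fragment (model assumption) */
struct buf { int frees; struct buf *next; };            /* stand-in for an mbuf */
struct entry { struct { struct buf *mb; } frags[NFRAGS]; };

static int double_frees;   /* counting "free": a second call is a double free */
static void buf_free(struct buf *b) { if (b->frees++) double_frees++; }
static void chain_free(struct buf *b) { for (; b; b = b->next) buf_free(b); }

/* Chain the slots into one packet; ownership moves to the returned chain.
 * clear_all == 0 NULLs only the slots passed inside the loop and leaves the
 * first and current slots still pointing into the chain. */
static struct buf *reassemble(struct entry *fp, int clear_all)
{
    int curr_idx = NFRAGS - 1;
    for (int i = NFRAGS - 2; i > FIRST; i--) {
        fp->frags[i].mb->next = fp->frags[curr_idx].mb;
        fp->frags[curr_idx].mb = NULL;   /* must not be accessed directly */
        curr_idx = i;
    }
    fp->frags[FIRST].mb->next = fp->frags[curr_idx].mb;
    struct buf *head = fp->frags[FIRST].mb;
    if (clear_all)
        fp->frags[curr_idx].mb = fp->frags[FIRST].mb = NULL;
    return head;
}

/* Table teardown: frees whatever the slots still reference. */
static void table_destroy(struct entry *fp)
{
    for (int i = 0; i < NFRAGS; i++)
        if (fp->frags[i].mb) buf_free(fp->frags[i].mb);
}

/* Double frees seen in one reassemble / consume / destroy cycle. */
int run_cycle(int clear_all)
{
    struct buf bufs[NFRAGS] = {0};   /* constructed sample fragments */
    struct entry e;
    for (int i = 0; i < NFRAGS; i++) e.frags[i].mb = &bufs[i];
    double_frees = 0;
    chain_free(reassemble(&e, clear_all));   /* application frees the packet */
    table_destroy(&e);
    return double_frees;
}

int main(void) { printf("partial: %d, full: %d\n", run_cycle(0), run_cycle(1)); return 0; }
```

In this model the two slots left set after a partial clear are exactly the first and current ones, so teardown frees two buffers a second time; clearing both removes the stale references.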