From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 2BD074298E
	for <public@inbox.dpdk.org>; Wed, 19 Apr 2023 23:44:29 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 1EAD541149;
	Wed, 19 Apr 2023 23:44:29 +0200 (CEST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com
 (mail-am6eur05on2078.outbound.protection.outlook.com [40.107.22.78])
 by mails.dpdk.org (Postfix) with ESMTP id BCEB24021F;
 Wed, 19 Apr 2023 23:44:26 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; 
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=r8QMoP43I+sPudlH0NYheWzveJei5QEocKk9ROFr73Q=;
 b=oOGBFvp8vVR75mpMBClWBxLTu6xS7aBlLcV17u6l2apd0974ZbxxJFEgOqfKKe4uMmDScUYfmR09lXu+OpSxQ78FKsObAhsyFcSzoInfNYu10DZD7vd92yQCpLUe28djT7h6+c3nX8/AEeGKYA7XUdL1LQ99T/oGj9HcGZ3c29g=
Received: from DB6PR0202CA0023.eurprd02.prod.outlook.com (2603:10a6:4:29::33)
 by AS2PR08MB8309.eurprd08.prod.outlook.com (2603:10a6:20b:554::21)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6319.21; Wed, 19 Apr
 2023 21:44:24 +0000
Received: from DBAEUR03FT060.eop-EUR03.prod.protection.outlook.com
 (2603:10a6:4:29:cafe::38) by DB6PR0202CA0023.outlook.office365.com
 (2603:10a6:4:29::33) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6319.20 via Frontend
 Transport; Wed, 19 Apr 2023 21:44:24 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123)
 smtp.mailfrom=arm.com; dkim=pass (signature was verified)
 header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 63.35.35.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
 pr=C
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by
 DBAEUR03FT060.mail.protection.outlook.com (100.127.142.238) with
 Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6319.23 via Frontend Transport; Wed, 19 Apr 2023 21:44:24 +0000
Received: ("Tessian outbound 3570909035da:v136");
 Wed, 19 Apr 2023 21:44:24 +0000
X-CR-MTA-TID: 64aa7808
Received: from 14a336eac0b3.1
 by 64aa7808-outbound-1.mta.getcheckrecipient.com id
 214FFFFF-0EDF-42E8-AE28-506344C0FE29.1; 
 Wed, 19 Apr 2023 21:44:18 +0000
Received: from EUR02-DB5-obe.outbound.protection.outlook.com
 by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 14a336eac0b3.1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
 Wed, 19 Apr 2023 21:44:18 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=KijR9YyeyddlRPNlMrQtVt16J9VUXdltLWEq1IpV0NRQt4r/rDjsE+gy8TNbc+VibnZs3QMMn7KFAW8KDCgRz5GcZS1rnaNaiqfDX+4xFH+5G+CYHR3xafbqn+Re8bddHNdMujr8B52i90/HjfdLRMAuTm8JFmlqg4SapryqTHFYrWJC0kyUtWujFglEiv5F88OuBSL8VEZQJi7ppHzwbOLDJZZ/cySwxriVUAj8g0sxdbDvrWWZjLnV0tGUx3RsRFF3HyhlOEGUeGgXHyuCniXKPoh9CxYrzAvtq/RWXbZnNY7CGFYAVFK53tG4On7szHHw6CZm4f7Jc4AL97V7kg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=r8QMoP43I+sPudlH0NYheWzveJei5QEocKk9ROFr73Q=;
 b=Gbyx9s+NYSziHYYMqD/2gKGaPGGj4pvSw7LGOIaVM1uW4l1tP41bKn2xXwIXigYYQece87k+rsdoJwjyc8FKJD4VqHuP2hvSVQxauTH7TrY2Llo/oJVVEmlArwgUggOQZYuSsern4kcb3xjXy7zUmUnJDbmUtrx94OBCr0iUXIAVfcco11YYNPVGJeHM4MsF60X57KiXFKbgoQ3kB6Uf2a7S03d2rxkbQXUjKVoOsmKwNu3PHR/yymj0V+8GFovCrpA5i/KpUFta2yzAFcdP+TgzutfL6aEYdpSjYfDwI+tKoZAIqYVAal1zxOf02xNAnVeop2Z39KXP6ry6GVIFIA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass
 header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; 
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=r8QMoP43I+sPudlH0NYheWzveJei5QEocKk9ROFr73Q=;
 b=oOGBFvp8vVR75mpMBClWBxLTu6xS7aBlLcV17u6l2apd0974ZbxxJFEgOqfKKe4uMmDScUYfmR09lXu+OpSxQ78FKsObAhsyFcSzoInfNYu10DZD7vd92yQCpLUe28djT7h6+c3nX8/AEeGKYA7XUdL1LQ99T/oGj9HcGZ3c29g=
Received: from DBAPR08MB5814.eurprd08.prod.outlook.com (2603:10a6:10:1b1::6)
 by GV1PR08MB7683.eurprd08.prod.outlook.com (2603:10a6:150:62::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.45; Wed, 19 Apr
 2023 21:44:15 +0000
Received: from DBAPR08MB5814.eurprd08.prod.outlook.com
 ([fe80::621c:838a:cb11:19b7]) by DBAPR08MB5814.eurprd08.prod.outlook.com
 ([fe80::621c:838a:cb11:19b7%7]) with mapi id 15.20.6319.022; Wed, 19 Apr 2023
 21:44:15 +0000
From: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>
To: wangyunjian <wangyunjian@huawei.com>, "dev@dpdk.org" <dev@dpdk.org>
CC: "konstantin.v.ananyev@yandex.ru" <konstantin.v.ananyev@yandex.ru>, luyicai
 <luyicai@huawei.com>, "stable@dpdk.org" <stable@dpdk.org>, nd <nd@arm.com>,
 nd <nd@arm.com>
Subject: RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release
Thread-Topic: [dpdk-dev] [PATCH] ring: fix use after free in ring release
Thread-Index: AQHZcS5ODwXmKqOtKEurHIAnpAWT1K8xvsqggAB6eYCAAO/yQA==
Date: Wed, 19 Apr 2023 21:44:12 +0000
Message-ID: <DBAPR08MB5814F0B1465A6BCB1BB2963D98629@DBAPR08MB5814.eurprd08.prod.outlook.com>
References: <d175f9250542291dd0b86f4587a5fde018b945b1.1681736644.git.wangyunjian@huawei.com>
 <DBAPR08MB581409286B5529C3C0053D23989D9@DBAPR08MB5814.eurprd08.prod.outlook.com>
 <cf3f9717443842e18226acfb72b18c61@huawei.com>
In-Reply-To: <cf3f9717443842e18226acfb72b18c61@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ts-tracking-id: AEAFC8DC6BE2D94798E4D9693601D70F.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=arm.com;
x-ms-traffictypediagnostic: DBAPR08MB5814:EE_|GV1PR08MB7683:EE_|DBAEUR03FT060:EE_|AS2PR08MB8309:EE_
X-MS-Office365-Filtering-Correlation-Id: 9b1fb198-e5b1-42ab-de70-08db411f3dee
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: rQCE55rfz7wQe6AvkwQW95xU/0XW8QcRdGwHwLeO/moY8ql85a82Ld4bkGLBF9msfEiXaLHtwFCkDCUxo3vFc08HYFSN8PblKhEDAkZi4lvnBXI3rjqXxSQthkzte1X/nk9vtClEEG0AdfbH6IIYc39HziPH7i26bxjy9/yp+vlsMgXYDspr1ka7U6vKyuva5pBZ2jd4DuQfK9uD+oJafg+bVBuBz+V96bOkmgTr2XN0CZ6MDnpUcgss4NIxA/JCOAOCzZGgc4+FTbfxDjQ6qelU01octBBEQEGx6rehx9YyVfoeDbeYc3BLIDDLauuFzkx/fyd605inDBl2W2d7+R1h9FVMZvqR0a2nZDGVNGWihEQs58Jt5yHEQ2K82KwbMY7GkHu5xwaKt+Wg1jZxxhkunpE/bP2V1gPyiuHY07TCz/yqOp2lD9UxgWPM5JBHUEZNeF4j4kpbLe1LupXGUH6+s8mTV3bfAGG7HKU707O45y/gaio108WjzFj8L8S7o0fMOftMq8XcxSSAi43gQPIY0oLq2aJ+8wefL1UEBGGOUCCEx3RlGcbT47u2QqDlykw4K7woeimUMEiiCCJkVYhtVC6GcF3HRbbbD6/KZQePGUCigyR5FtA/UQz8Tt/zm7Bgwq3S2JjPAHINULNBRA==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en;
 SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBAPR08MB5814.eurprd08.prod.outlook.com;
 PTR:; CAT:NONE;
 SFS:(13230028)(4636009)(346002)(136003)(396003)(376002)(39860400002)(366004)(451199021)(33656002)(53546011)(76116006)(4326008)(54906003)(316002)(110136005)(66946007)(66556008)(66476007)(66446008)(64756008)(41300700001)(6666004)(478600001)(55016003)(71200400001)(5660300002)(8676002)(8936002)(52536014)(2906002)(38070700005)(86362001)(122000001)(38100700002)(6506007)(9686003)(26005)(83380400001)(186003)(7696005)(23180200003);
 DIR:OUT; SFP:1101; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV1PR08MB7683
Original-Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DBAEUR03FT060.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 8b6c100f-9fc6-473c-9c6d-08db411f36d2
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: vS89qTKWJ3ilsdD2QlsxIU0TTKsXC1upmODbZwc5o9XjTl4ZAOr7Ae89iVtWjs2l+4oakdrPbDHyaTV+hbLraEBA4MdXiZIIfNobJtYBbKcllA6XdE6b0DO05BXOtg7/1SG8KafWakMVGBuq6wMJVLi8wjPeDRAGL4FP1nHqE8l9EgEQG8CfgbCVbqah32sE7yTOW4CC4nh1MYPTDdFFP5GA1QN5ghCoAbhtLg0GPGDiIh97CoBauw4W7tTuHefGjWSOy+w5ew0fEdPnxi7Vf8uIXcRWzd8euGUe6A6hmW34Gbfj2Mtc5e+aqL+OWj6cWVkRm0xtthcs7sycnkgUTzhM1FgGqhxH9sP5etBroDb35NS/ziS02vFyInls5HNqrctFgkq4uhKeLe7Z5JHNx3A/2aD5QOrJ1aWTzLmD+GRPIYhrrs4YCChl5cr+TOVR1KZgVtZ/EXD7/Wpy2ynQFPZi9MOkUP9Bkbzx+fFT9RxT/SFcPvTLgKiINVVhhUa4ZPIKS5UG3l26igawjiXNxiVzearYEUfszoS1qq+7YgGzCsjMOH1Cy369km0yv40EgUaz44z30Jfcqvv/w7GhPZ0GCDlYKWAclJV8GYrDhaJ7Sn7RDi2MbntWR33KWwpW0VpsXMmT5gyNS1pzTuIdjBLSbz6TRVZph2VQvmNN75UchMOMvrrSN/Np/s5BBtvW3hyy2koI3WD/swl33AtW8HbR+yJWsHLRIqBQJ+9WJ60=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:;
 IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com;
 PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE;
 SFS:(13230028)(4636009)(396003)(39860400002)(136003)(376002)(346002)(451199021)(36840700001)(40470700004)(46966006)(54906003)(40460700003)(6666004)(82310400005)(478600001)(6506007)(26005)(53546011)(82740400003)(9686003)(81166007)(110136005)(356005)(36860700001)(40480700001)(86362001)(7696005)(55016003)(41300700001)(186003)(47076005)(316002)(52536014)(5660300002)(8676002)(8936002)(33656002)(70206006)(450100002)(4326008)(70586007)(2906002)(83380400001)(336012)(23180200003);
 DIR:OUT; SFP:1101; 
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Apr 2023 21:44:24.1913 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b1fb198-e5b1-42ab-de70-08db411f3dee
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123];
 Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DBAEUR03FT060.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2PR08MB8309
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

<snip>

> >
> > > -----Original Message-----
> > > From: Yunjian Wang <wangyunjian@huawei.com>
> > > Sent: Monday, April 17, 2023 8:12 AM
> > > To: dev@dpdk.org
> > > Cc: Honnappa Nagarahalli <Honnappa.Nagarahalli@arm.com>;
> > > konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang
> > > <wangyunjian@huawei.com>; stable@dpdk.org
> > > Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> > >
> > > When using the ring to find out tailq entry, however it had been
> > > freed by rte_memzone_free function. This change prevents that from
> happening.
> > I am unable to follow the problem you are describing.
> > After the memzone for the ring is released, the contents of the
> > memzone are not being used. I understand that the variable 'r' is
> > being used, but that should not cause any issues.
> >
> > >
> > > Fixes: 4e32101f9b01 ("ring: support freeing")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > > ---
> > >  lib/ring/rte_ring.c | 11 +++++------
> > >  1 file changed, 5 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> > > 8ed455043d..17d2d7f8a8 100644
> > > --- a/lib/ring/rte_ring.c
> > > +++ b/lib/ring/rte_ring.c
> > > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
> > >  		return;
> > >  	}
> > >
> > > -	if (rte_memzone_free(r->memzone) !=3D 0) {
> > > -		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > > -		return;
> > > -	}
> > Why do we need to free the memzone later?
>=20
> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free=
 problem.
Thanks, understood

>=20
> Thanks,
> Yunjian
> >
> > > -
> > >  	ring_list =3D RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
> > >  	rte_mcfg_tailq_write_lock();
> > >
> > > @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r)
> > >
> > >  	if (te =3D=3D NULL) {
> > >  		rte_mcfg_tailq_write_unlock();
> > > -		return;
> > > +		goto free_memzone;
We do not need this. If 'te =3D=3D NULL' is true, then the ring was not fou=
nd or possibly already freed.

> > >  	}
> > >
> > >  	TAILQ_REMOVE(ring_list, te, next); @@ -357,6 +352,10 @@
> > > rte_ring_free(struct rte_ring *r)
We should free the memzone here while holding the lock

> > >  	rte_mcfg_tailq_write_unlock();
> > >
> > >  	rte_free(te);
> > > +
> > > +free_memzone:
> > > +	if (rte_memzone_free(r->memzone) !=3D 0)
> > > +		RTE_LOG(ERR, RING, "Cannot free memory\n");
> > >  }
Should be moved up as mentioned above

> > >
> > >  /* dump the status of the ring on the console */
> > > --
> > > 2.33.0