From: Honnappa Nagarahalli
To: wangyunjian, "dev@dpdk.org"
CC: "konstantin.v.ananyev@yandex.ru", luyicai, "stable@dpdk.org", nd, nd
Subject: RE: [dpdk-dev] [PATCH] ring: fix use after free in ring release
Date: Wed, 19 Apr 2023 21:44:12 +0000

> >
> > > -----Original Message-----
> > > From: Yunjian Wang
> > > Sent: Monday, April 17, 2023 8:12 AM
> > > To: dev@dpdk.org
> > > Cc: Honnappa Nagarahalli; konstantin.v.ananyev@yandex.ru; luyicai@huawei.com; Yunjian Wang; stable@dpdk.org
> > > Subject: [dpdk-dev] [PATCH] ring: fix use after free in ring release
> > >
> > > When using the ring to find out tailq entry, however it had been
> > > freed by rte_memzone_free function. This change prevents that from happening.
> > I am unable to follow the problem you are describing.
> > After the memzone for the ring is released, the contents of the
> > memzone are not being used. I understand that the variable 'r' is
> > being used, but that should not cause any issues.
> >
> > >
> > > Fixes: 4e32101f9b01 ("ring: support freeing")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Yunjian Wang
> > > ---
> > > lib/ring/rte_ring.c | 11 +++++------ > > > 1 file changed, 5 insertions(+), 6 deletions(-) > > > > > > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index > > > 8ed455043d..17d2d7f8a8 100644 > > > --- a/lib/ring/rte_ring.c > > > +++ b/lib/ring/rte_ring.c > > > @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r) > > > return; > > > } > > > > > > - if (rte_memzone_free(r->memzone) !=3D 0) { > > > - RTE_LOG(ERR, RING, "Cannot free memory\n"); > > > - return; > > > - } > > Why do we need to free the memzone later? > After the memzone is freed, it is not removed from the 'rte_ring_tailq'. > If rte_ring_lookup is called at this time, it will cause a use-after-free problem. Thanks, understood > Thanks, > Yunjian > > > > - > > > ring_list =3D RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list); > > > rte_mcfg_tailq_write_lock(); 
> > > > > > @@ -349,7 +344,7 @@ rte_ring_free(struct rte_ring *r) > > > > > > if (te =3D=3D NULL) { > > > rte_mcfg_tailq_write_unlock(); > > > - return; > > > + goto free_memzone; We do not need this. If 'te == NULL' is true, then the ring was not found or possibly already freed. > > > } > > > > > > TAILQ_REMOVE(ring_list, te, next); @@ -357,6 +352,10 @@ > > > rte_ring_free(struct rte_ring *r) We should free the memzone here while holding the lock > > > rte_mcfg_tailq_write_unlock(); > > > > > > rte_free(te); > > > + > > > +free_memzone: > > > + if (rte_memzone_free(r->memzone) !=3D 0) > > > + RTE_LOG(ERR, RING, "Cannot free memory\n"); > > > } Should be moved up as mentioned above > > > > > > /* dump the status of the ring on the console */ > > > -- > > > 2.33.0
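
Review bot: the block removed in the first hunk (@@ -333,11 +333,6) was the only place where a failed rte_memzone_free() made rte_ring_free() return before the tailq was touched, and the commit message does not say why that ordering is unsafe. The reason given further down the thread, that the ring stays listed in rte_ring_tailq after its memzone is released so rte_ring_lookup can still return it, belongs in the commit message, together with a statement of what is now expected to happen when the free fails.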
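
Review bot: in the second hunk (@@ -349,7 +344,7), 'goto free_memzone' in the 'te == NULL' branch goes on to read r->memzone and free it for a ring that was not found in ring_list. If the entry is missing because this ring was already released by an earlier call, that read touches released memory and the memzone is freed a second time; keep the plain 'return' in this branch.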
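
Review bot: in the last hunk (@@ -357,6 +352,10), rte_memzone_free(r->memzone) under the free_memzone label runs after rte_mcfg_tailq_write_unlock(), and a failure is only logged once the tailq entry has been removed and 'te' freed. Consider releasing the memzone right after TAILQ_REMOVE, before the unlock, so that unlisting and release happen in one critical section, and add a comment stating that a failed free leaves the ring unlisted with its memzone still allocated.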
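
The ordering problem described in this thread (the memzone is released while the ring is still listed in rte_ring_tailq, so a lookup in between returns it), modelled as an added example that is not part of the patch or of DPDK. The names zone, obj, reg, stale_hit, release and demo are hypothetical stand-ins, the window between the two steps is simulated by a lookup call, and the object named "ring0" is constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>
/* Hypothetical stand-ins: zone ~ memzone, obj ~ ring, reg ~ rte_ring_tailq. */
struct zone { int live; };
struct obj { char name[16]; struct zone *zone; };
struct entry { TAILQ_ENTRY(entry) next; struct obj *data; };
static TAILQ_HEAD(reg_list, entry) reg = TAILQ_HEAD_INITIALIZER(reg);
enum order { FREE_THEN_UNLINK, UNLINK_THEN_FREE };

/* Name search as a second caller would run it: 1 if it hands out a released object. */
static int stale_hit(const char *name)
{
	struct entry *e;
	TAILQ_FOREACH(e, &reg, next)
		if (strcmp(e->data->name, name) == 0)
			return !e->data->zone->live;
	return 0;
}

/* Release o in the given order; returns what a lookup between the two steps observes. */
static int release(struct obj *o, struct entry *te, enum order ord)
{
	int stale;
	if (ord == FREE_THEN_UNLINK) {
		o->zone->live = 0;            /* zone gone, entry still listed */
		stale = stale_hit(o->name);
		TAILQ_REMOVE(&reg, te, next);
	} else {
		TAILQ_REMOVE(&reg, te, next); /* unlisted before the zone goes */
		stale = stale_hit(o->name);
		o->zone->live = 0;
	}
	free(te);
	return stale;
}

/* Register one constructed object, "ring0", then release it in the given order. */
static int demo(enum order ord)
{
	static struct zone z; static struct obj o;
	struct entry *te = malloc(sizeof(*te));
	if (te == NULL) return -1;
	z.live = 1;
	strcpy(o.name, "ring0");
	o.zone = &z; te->data = &o;
	TAILQ_INSERT_TAIL(&reg, te, next);
	return release(&o, te, ord);
}

int main(void) { return !(demo(FREE_THEN_UNLINK) == 1 && demo(UNLINK_THEN_FREE) == 0); }
```

In the real code both steps and the lookup are serialized by the tailq lock, so the stale window only closes if the entry is removed before, or in the same critical section as, the release of the backing memory.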