From: Slava Ovsiienko
To: wangyunjian, "dev@dpdk.org"
CC: Matan Azrad, Raslan Darawsheh, Dmitry Kozlyuk, Huangshaozhang, "stable@dpdk.org"
Subject: RE: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues
Date: Mon, 26 Sep 2022 12:30:21 +0000
References: <952a177cf4cc074101bb13773326b7107f496290.1661223500.git.wangyunjian@huawei.com>
List-Id: patches for DPDK stable branches

Hi, Yunjian

Could you, please, tell more details about problematic scenario? In bonding slave?
It is not fully clean for me how mlx5_txq_release frees priv->txqs[idx] (BTW NULL is OK to free, it is safe).

We have check for NULL here:
> > - if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL)

priv->txq is internal objects managed by PMD, dev->data->tx_queues are DPDK-wide ones.
Theoretically it might happen when DPDK objects are created and internals are not, and vice versa. So, checking
for existence of external objects in the routine that manages internals does not look so reasonable.

Internal queue object management is based on the atomic reference counter and, generally speaking,
should not depend on externals.

With best regards,
Slava

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, September 23, 2022 12:32
> To: dev@dpdk.org
> Cc: Matan Azrad; Raslan Darawsheh; Slava Ovsiienko; Dmitry Kozlyuk;
> Huangshaozhang; stable@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when
> releasing tx queues
>
> Friendly ping.
>
> > -----Original Message-----
> > From: wangyunjian
> > Sent: Tuesday, August 23, 2022 2:46 PM
> > To: dev@dpdk.org
> > Cc: matan@nvidia.com; rasland@nvidia.com; viacheslavo@nvidia.com;
> > dkozlyuk@nvidia.com; Huangshaozhang;
> > wangyunjian; stable@dpdk.org
> > Subject: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when
> > releasing tx queues
> >
> > The bonding slave remove function was calling the
> > eth_dev_tx_queue_config function, which frees dev->data->tx_queues,
> > and then tries to free priv->txqs[idx] in mlx5_txq_release function,
> > which causes the heap use after free issue.
> > Add checks whether dev->data->tx_queues is not NULL.
> >
> > Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Yunjian Wang
> > ---
> > drivers/net/mlx5/mlx5_txq.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c
> > index
> > 0140f8b3b2..cb2c33a060 100644
> > --- a/drivers/net/mlx5/mlx5_txq.c
> > +++ b/drivers/net/mlx5/mlx5_txq.c
> > @@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev, > > uint16_t > > idx) > > struct mlx5_priv *priv =3D dev->data->dev_private; > > struct mlx5_txq_ctrl *txq_ctrl; > > > > - if (priv->txqs =3D=3D NULL || (*priv->txqs)[idx] =3D=3D NULL) > > + if (dev->data->tx_queues =3D=3D NULL || priv->txqs =3D=3D NULL || > > + (*priv->txqs)[idx] =3D=3D NULL) > > return 0; > > txq_ctrl =3D container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl, > txq); > > if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1) > > -- > > 2.27.0
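
Review bot: The added `dev->data->tx_queues == NULL` test at the top of mlx5_txq_release returns 0 before the `__atomic_sub_fetch(&txq_ctrl->refcnt, 1, ...)` line, so on the path the commit message describes the reference is never dropped and the object behind `txq_ctrl` is not released there. The test also only helps if the freed `dev->data->tx_queues` pointer has been reset to NULL by the time this function runs; a stale non-NULL pointer passes all three conditions and `(*priv->txqs)[idx]` is still read. Nothing in the hunk or the commit message states how `priv->txqs` relates to `dev->data->tx_queues`, which is what decides whether an ethdev-level pointer belongs in this check. Please document that relation in the commit message or in a comment above the condition, and if `priv->txqs` can point at the freed array, consider clearing `priv->txqs` at the point where the array is freed so that the existing `priv->txqs == NULL` test covers the case and the reference accounting stays inside the driver.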