From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 33C8E42993
	for <public@inbox.dpdk.org>; Thu, 20 Apr 2023 08:44:19 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 2683942C24;
	Thu, 20 Apr 2023 08:44:19 +0200 (CEST)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
 by mails.dpdk.org (Postfix) with ESMTP id 5CFFA40687;
 Thu, 20 Apr 2023 08:44:17 +0200 (CEST)
Received: from dggpemm500008.china.huawei.com (unknown [172.30.72.57])
 by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4Q27MK5ywDzndBM;
 Thu, 20 Apr 2023 14:40:29 +0800 (CST)
Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com
 (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 20 Apr
 2023 14:44:14 +0800
From: Yunjian Wang <wangyunjian@huawei.com>
To: <dev@dpdk.org>
CC: <honnappa.nagarahalli@arm.com>, <konstantin.v.ananyev@yandex.ru>,
 <luyicai@huawei.com>, Yunjian Wang <wangyunjian@huawei.com>,
 <stable@dpdk.org>
Subject: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
Date: Thu, 20 Apr 2023 14:43:30 +0800
Message-ID: <c23b1135e1b0676ef7d82969b39a21df992d418f.1681972694.git.wangyunjian@huawei.com>
X-Mailer: git-send-email 1.9.5.msysgit.1
In-Reply-To: <d175f9250542291dd0b86f4587a5fde018b945b1.1681736644.git.wangyunjian@huawei.com>
References: <d175f9250542291dd0b86f4587a5fde018b945b1.1681736644.git.wangyunjian@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.174.242.157]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 dggpemm500008.china.huawei.com (7.185.36.136)
X-CFilter-Loop: Reflected
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.

Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org

Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
v2: update code suggested by Honnappa Nagarahalli
---
 lib/ring/rte_ring.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..2755323b8a 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c
@@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
 		return;
 	}
 
-	if (rte_memzone_free(r->memzone) != 0) {
-		RTE_LOG(ERR, RING, "Cannot free memory\n");
-		return;
-	}
-
 	ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
 	rte_mcfg_tailq_write_lock();
 
@@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
 
 	TAILQ_REMOVE(ring_list, te, next);
 
+	if (rte_memzone_free(r->memzone) != 0)
+		RTE_LOG(ERR, RING, "Cannot free memory\n");
+
 	rte_mcfg_tailq_write_unlock();
 
 	rte_free(te);
-- 
2.33.0