From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
by inbox.dpdk.org (Postfix) with ESMTP id 33C8E42993
for <public@inbox.dpdk.org>; Thu, 20 Apr 2023 08:44:19 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
by mails.dpdk.org (Postfix) with ESMTP id 2683942C24;
Thu, 20 Apr 2023 08:44:19 +0200 (CEST)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
by mails.dpdk.org (Postfix) with ESMTP id 5CFFA40687;
Thu, 20 Apr 2023 08:44:17 +0200 (CEST)
Received: from dggpemm500008.china.huawei.com (unknown [172.30.72.57])
by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4Q27MK5ywDzndBM;
Thu, 20 Apr 2023 14:40:29 +0800 (CST)
Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com
(7.185.36.136) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 20 Apr
2023 14:44:14 +0800
From: Yunjian Wang <wangyunjian@huawei.com>
To: <dev@dpdk.org>
CC: <honnappa.nagarahalli@arm.com>, <konstantin.v.ananyev@yandex.ru>,
<luyicai@huawei.com>, Yunjian Wang <wangyunjian@huawei.com>,
<stable@dpdk.org>
Subject: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
Date: Thu, 20 Apr 2023 14:43:30 +0800
Message-ID: <c23b1135e1b0676ef7d82969b39a21df992d418f.1681972694.git.wangyunjian@huawei.com>
X-Mailer: git-send-email 1.9.5.msysgit.1
In-Reply-To: <d175f9250542291dd0b86f4587a5fde018b945b1.1681736644.git.wangyunjian@huawei.com>
References: <d175f9250542291dd0b86f4587a5fde018b945b1.1681736644.git.wangyunjian@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.174.242.157]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
dggpemm500008.china.huawei.com (7.185.36.136)
X-CFilter-Loop: Reflected
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
<mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
<mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.
Fixes: 4e32101f9b01 ("ring: support freeing")
Cc: stable@dpdk.org
Suggested-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
v2: update code suggested by Honnappa Nagarahalli
---
lib/ring/rte_ring.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
index 8ed455043d..2755323b8a 100644
--- a/lib/ring/rte_ring.c
+++ b/lib/ring/rte_ring.c
@@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
return;
}
- if (rte_memzone_free(r->memzone) != 0) {
- RTE_LOG(ERR, RING, "Cannot free memory\n");
- return;
- }
-
ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
rte_mcfg_tailq_write_lock();
@@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
TAILQ_REMOVE(ring_list, te, next);
+ if (rte_memzone_free(r->memzone) != 0)
+ RTE_LOG(ERR, RING, "Cannot free memory\n");
+
rte_mcfg_tailq_write_unlock();
rte_free(te);
--
2.33.0