From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 33C8E42993 for ; Thu, 20 Apr 2023 08:44:19 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2683942C24; Thu, 20 Apr 2023 08:44:19 +0200 (CEST) Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by mails.dpdk.org (Postfix) with ESMTP id 5CFFA40687; Thu, 20 Apr 2023 08:44:17 +0200 (CEST) Received: from dggpemm500008.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4Q27MK5ywDzndBM; Thu, 20 Apr 2023 14:40:29 +0800 (CST) Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 20 Apr 2023 14:44:14 +0800 From: Yunjian Wang To: CC: , , , Yunjian Wang , Subject: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release Date: Thu, 20 Apr 2023 14:43:30 +0800 Message-ID: X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.174.242.157] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To dggpemm500008.china.huawei.com (7.185.36.136) X-CFilter-Loop: Reflected X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org After the memzone is freed, it is not removed from the 'rte_ring_tailq'. If rte_ring_lookup is called at this time, it will cause a use-after-free problem. This change prevents that from happening. Fixes: 4e32101f9b01 ("ring: support freeing") Cc: stable@dpdk.org Suggested-by: Honnappa Nagarahalli Signed-off-by: Yunjian Wang --- v2: update code suggested by Honnappa Nagarahalli --- lib/ring/rte_ring.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index 8ed455043d..2755323b8a 100644 --- a/lib/ring/rte_ring.c +++ b/lib/ring/rte_ring.c @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r) return; } - if (rte_memzone_free(r->memzone) != 0) { - RTE_LOG(ERR, RING, "Cannot free memory\n"); - return; - } - ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list); rte_mcfg_tailq_write_lock(); @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r) TAILQ_REMOVE(ring_list, te, next); + if (rte_memzone_free(r->memzone) != 0) + RTE_LOG(ERR, RING, "Cannot free memory\n"); + rte_mcfg_tailq_write_unlock(); rte_free(te); -- 2.33.0