From: wangyunjian
To: "dev@dpdk.org"
CC: "matan@nvidia.com", "rasland@nvidia.com", "viacheslavo@nvidia.com", "dkozlyuk@nvidia.com", Huangshaozhang, "stable@dpdk.org"
Subject: RE: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues
Date: Fri, 23 Sep 2022 09:31:42 +0000

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Tuesday, August 23, 2022 2:46 PM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; rasland@nvidia.com; viacheslavo@nvidia.com;
> dkozlyuk@nvidia.com; Huangshaozhang;
> wangyunjian; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing
> tx queues
>
> The bonding slave remove function was calling the eth_dev_tx_queue_config
> function, which frees dev->data->tx_queues, and then tries to free
> priv->txqs[idx] in mlx5_txq_release function, which causes the heap use
> after free issue. Add checks whether dev->data->tx_queues is not NULL.
>
> Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks")
> Cc: stable@dpdk.org
>
> Signed-off-by: Yunjian Wang > --- > drivers/net/mlx5/mlx5_txq.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) >=20 > diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c in= dex > 0140f8b3b2..cb2c33a060 100644 > --- a/drivers/net/mlx5/mlx5_txq.c > +++ b/drivers/net/mlx5/mlx5_txq.c > @@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev, uint16_t > idx) > struct mlx5_priv *priv =3D dev->data->dev_private; > struct mlx5_txq_ctrl *txq_ctrl; >=20 > - if (priv->txqs =3D=3D NULL || (*priv->txqs)[idx] =3D=3D NULL) > + if (dev->data->tx_queues =3D=3D NULL || priv->txqs =3D=3D NULL || > + (*priv->txqs)[idx] =3D=3D NULL) > return 0; > txq_ctrl =3D container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl, txq= ); > if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1) > -- > 2.27.0
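
Review bot: the new dev->data->tx_queues == NULL test in the early return of mlx5_txq_release() makes the function return 0 before the __atomic_sub_fetch on txq_ctrl->refcnt, so when tx_queues has already been freed but (*priv->txqs)[idx] is still set, the reference is never dropped and nothing in this hunk releases or clears that entry. That trades the use after free for a possible leak of the queue control structure on the bonding slave remove path described in the commit message. Consider keeping the refcount and release logic and guarding only the later access to dev->data->tx_queues, or state in the commit message which path frees txq_ctrl in this case. A one-line comment above the condition saying why tx_queues can be NULL here while priv->txqs is not would also help, since returning 0 is indistinguishable from the "nothing to release" case.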