* [PATCH 00/16] Fix allocation issues and add hardening
@ 2024-09-27 20:45 Stephen Hemminger
2024-09-27 20:45 ` [PATCH 01/16] eal: add function attributes for allocation functions Stephen Hemminger
` (23 more replies)
0 siblings, 24 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute can tell the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells the compiler that the object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
This patch set is structured with:
- add macros for enabling the macros
- fix any new warnings that were discovered
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
The fixes should be backported to stable (they are real bugs),
but the macros common and the annotation in malloc should not.
Stephen Hemminger (16):
eal: add function attributes for allocation functions
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
eal: add alloc_function attribute to rte_malloc
mempool: annotate mempool create
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 30 +++++++++++
lib/eal/include/rte_malloc.h | 63 ++++++++++++++---------
lib/mempool/rte_mempool.h | 41 ++++++++-------
17 files changed, 130 insertions(+), 80 deletions(-)
--
2.45.2
* [PATCH 01/16] eal: add function attributes for allocation functions
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 22:09 ` David Marchand
2024-09-27 20:45 ` [PATCH 02/16] memzone: fix use after free in tracing Stephen Hemminger
` (22 subsequent siblings)
23 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Tyler Retzlaff, Anatoly Burakov
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer.
This is supported by Gcc and Clang but only useful with
Gcc because Clang gives a warning if alignment is 0.
Recent versions of GCC have a malloc attribute that can
be used to find mismatches between allocation and free;
the typical problem caught is a pointer allocated with
rte_malloc() that is then incorrectly freed using free().
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/include/rte_common.h | 30 ++++++++++++++++++++++++++++++
lib/eal/include/rte_malloc.h | 24 ++++++++++++++++--------
2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..1b3781274d 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,36 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ * Not enabled on clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(align_arg) \
+ __attribute__((alloc_align(align_arg)))
+#else
+#define __rte_alloc_align(...)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ *
+ * Also, with recent GCC versions also able to track that proper
+ * dealloctor function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_alloc_func(free_func) \
+ __attribute__((malloc, malloc(free_func)))
+
+#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_alloc_func(free_func) \
+ __attribute__((malloc))
+#else
+#define __rte_alloc_func(free_func)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
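Review bot: the GCC 11 branch of __rte_alloc_func tests RTE_TOOLCHAIN_GCC, while __rte_alloc_align and the #elif branch right below it test RTE_CC_GCC; use one of the two names throughout so the malloc(free_func) form is selected under the same condition as the other GCC-only macro. The comment above __rte_alloc_func also needs a pass: "dealloctor" is a typo and "with recent GCC versions also able to track" is missing its verb.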
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..cf3c174022 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -54,7 +54,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +82,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +110,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +135,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -158,7 +162,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +190,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +220,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,7 +250,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Frees the memory space pointed to by the provided pointer.
--
2.45.2
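The attribute pairing described in the cover letter and in patch 01, shown on a toy allocator. This is an added example, not code from the patch set or from DPDK: pool_alloc(), pool_free(), pool_roundtrip() and the POOL_* macros are hypothetical names modeled on __rte_alloc_func and __rte_alloc_align. It also shows why a mismatched free() corrupts the heap: the pointer handed to the caller is not the one malloc() returned.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical macros, modeled on __rte_alloc_func/__rte_alloc_align. */
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define POOL_ALLOC_FUNC(free_func) __attribute__((malloc, malloc(free_func)))
#elif defined(__GNUC__)
#define POOL_ALLOC_FUNC(free_func) __attribute__((malloc))
#else
#define POOL_ALLOC_FUNC(free_func)
#endif

#if defined(__GNUC__) && !defined(__clang__)
#define POOL_ALLOC_ALIGN(align_arg) __attribute__((alloc_align(align_arg)))
#else
#define POOL_ALLOC_ALIGN(align_arg)
#endif

/* Bookkeeping stored directly in front of every pointer handed out. */
struct pool_hdr {
	void *raw;	/* address malloc() really returned */
	size_t size;	/* size the caller asked for */
};

static size_t pool_live;	/* outstanding allocations */

/* The deallocator has to be declared before malloc(...) can name it. */
void pool_free(void *ptr);

void *pool_alloc(size_t size, size_t align)
	POOL_ALLOC_FUNC(pool_free) POOL_ALLOC_ALIGN(2);

void *pool_alloc(size_t size, size_t align)
{
	struct pool_hdr *hdr;
	uintptr_t user;
	void *raw;

	/* Toy policy: align must be a power of two, at least pointer sized. */
	if (align < sizeof(void *) || (align & (align - 1)) != 0)
		return NULL;
	if (size > SIZE_MAX - align - sizeof(*hdr))
		return NULL;

	raw = malloc(size + align + sizeof(*hdr));
	if (raw == NULL)
		return NULL;

	/* Round up past the header to the requested boundary. */
	user = ((uintptr_t)raw + sizeof(*hdr) + align - 1) & ~((uintptr_t)align - 1);
	hdr = (struct pool_hdr *)(user - sizeof(*hdr));
	hdr->raw = raw;
	hdr->size = size;
	pool_live++;
	return (void *)user;
}

void pool_free(void *ptr)
{
	struct pool_hdr *hdr;

	if (ptr == NULL)
		return;
	/* Only the header knows the address that free() may be given. */
	hdr = (struct pool_hdr *)((uintptr_t)ptr - sizeof(*hdr));
	pool_live--;
	free(hdr->raw);
}

/* Correct pairing: returns 1 when the pointer is aligned and is released. */
int pool_roundtrip(size_t size, size_t align)
{
	size_t before = pool_live;
	unsigned char *p = pool_alloc(size, align);
	int ok;

	if (p == NULL)
		return 0;
	memset(p, 0xa5, size);
	ok = ((uintptr_t)p % align == 0) && (pool_live == before + 1);
	pool_free(p);
	return ok && pool_live == before;
}

#ifdef SHOW_MISMATCH
/*
 * Build with GCC 11 or later and -DSHOW_MISMATCH: the free() below is
 * reported by -Wmismatched-dealloc, the same warning quoted in patch 08.
 * At run time it would hand free() an interior pointer.
 */
void pool_mismatch(void)
{
	void *p = pool_alloc(64, 64);

	free(p);
}
#endif

int main(void)
{
	printf("roundtrip(100, 64)  = %d\n", pool_roundtrip(100, 64));
	printf("roundtrip(1, 4096) = %d\n", pool_roundtrip(1, 4096));
	printf("live allocations   = %zu\n", pool_live);
	return 0;
}
```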
* [PATCH 02/16] memzone: fix use after free in tracing
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
2024-09-27 20:45 ` [PATCH 01/16] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (21 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
--
2.45.2
* [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
2024-09-27 20:45 ` [PATCH 01/16] eal: add function attributes for allocation functions Stephen Hemminger
2024-09-27 20:45 ` [PATCH 02/16] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (20 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
Raveendra Padasalagi, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
* [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (2 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (19 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
--
2.45.2
* [PATCH 05/16] event/cnxk: fix pointer mismatch in cleanup
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (3 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
` (18 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
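Review bot: the replacement line frees ws itself, where the removed line freed the result of cnxk_sso_hws_get_cookie() on the port pointer, so besides fixing the read of ports[i] after it was set to NULL this changes which address reaches rte_free(). Please confirm that ports[i] holds the address the allocator returned; if the stored pointer sits past a cookie, rte_free(ws) passes an interior pointer and the fix should be rte_free(cnxk_sso_hws_get_cookie(ws)) on the saved value.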
--
2.45.2
* [PATCH 06/16] examples/vhost: fix free function mismatch
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (4 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger
` (17 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
* [PATCH 07/16] net/cnxk: fix use-after-free
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (5 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
` (16 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
* [PATCH 08/16] bpf: fix free mismatch if convert fails
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (6 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger
` (15 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH 09/16] net/e1000: fix use-after-free
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (7 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 10/16] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (14 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH 10/16] net/sfc: fix use-after-free warning messages
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (8 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-28 11:52 ` Ivan Malov
2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
` (13 subsequent siblings)
23 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, ivan.malov, Andrew Rybchenko, Ivan Malov,
Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Cc: ivan.malov@oktetlabs.ru
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/sfc/sfc_flow_rss.c | 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
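Review bot: in sfc_flow_rss_ctx_del() the sfc_dbg() call now sits between rte_free(ctx->qid_offsets) and rte_free(ctx), while the sfc_mae.c hunks for encap_header and action_set_list place it before both frees; use one ordering across the patch. The message text still says "deleted" although it is now printed before the object is released, so either reword it or note in a comment why the log precedes the free.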
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH 11/16] net/cpfl: fix free of nonheap object
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (9 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 10/16] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
` (12 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
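Review bot: with the rte_free() removed, the err: label in cpfl_flow_js_mr_layout() does nothing except return -EINVAL, so the label can go and each goto err can become a direct return -EINVAL. If something allocated inside this function is meant to be released on failure, that cleanup needs to be written against the pointer that was actually allocated rather than dropped.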
--
2.45.2
* [PATCH 12/16] raw/ifpga/base: fix use after free
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (10 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 13/16] common/qat: " Stephen Hemminger
` (11 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
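Review bot: the fallback TAILQ_FOREACH_SAFE is defined privately in opae_intel_max10.c; move it to a shared header (opae_osdep.h is included two lines above) so other list walks in the base code can use it and the definition does not get copied into further files.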
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
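Review bot: the loop in max10_sensor_uinit() removes every element, so draining from the head with while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by the existing TAILQ_REMOVE and opae_free lines gives the same result without the next variable or the new macro.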
--
2.45.2
* [PATCH 13/16] common/qat: fix use after free
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (11 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (10 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
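Review bot: the commit message should name the defect this hunk removes: the deleted QAT_LOG read qat_dev_mz->name after rte_memzone_free(qat_dev_mz) had already been called on it. As written, the message only argues that checking the return value is pointless, which does not explain the "use after free" in the subject line.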
--
2.45.2
* [PATCH 14/16] drivers/ifpga: fix free function mismatch
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (12 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 13/16] common/qat: " Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 15/16] eal: add alloc_function attribute to rte_malloc Stephen Hemminger
` (9 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to a case where interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
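Review bot: `nb_intr` goes straight from `rte_intr_nb_intr_get(*intr_handle)` into the element count of `rte_calloc()` with no check in between. If that getter can report an error as a negative value, the count is converted to a very large `size_t`, and the function then relies on the allocator refusing the request. The behaviour predates this patch, but since the line is being touched, a `nb_intr <= 0` test before the allocation would make the failure explicit.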
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
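Review bot: after this change `rte_free(intr_efds)` is repeated on three exit paths of `ifpga_register_msix_irq()` (two error returns and the success return). A single exit label that frees the array would leave one place to keep in step with the `rte_calloc()` above. The commit message says this driver redefines `free` to `opae_free`; if that macro is in scope here, state in the message whether these three lines change behaviour or only the spelling.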
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 15/16] eal: add alloc_function attribute to rte_malloc
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (13 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-27 20:45 ` [PATCH 16/16] mempool: annotate mempool create Stephen Hemminger
` (8 subsequent siblings)
23 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Use the GCC function attribute to detect cases where
memory is allocated with rte_malloc and freed incorrectly
with the libc version of free (and vice versa). It will also detect
some other pointer mismatches.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/include/rte_malloc.h | 55 +++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index cf3c174022..9e60a36476 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
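Review bot: the relocated `rte_free()` prototype needs a comment saying why it now sits above the allocators. `__rte_alloc_func(rte_free)` in the declarations below has to see it first, and because the macro only uses its argument on GCC 11 or later, moving the prototype back would break only those builds. The doc comment also still lists just `rte_malloc()`, `rte_zmalloc()`, `rte_calloc()` and `rte_realloc()` as valid sources, while this patch ties the `_socket` variants to `rte_free` as well; list them too.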
@@ -55,7 +71,8 @@ struct rte_malloc_socket_stats {
void *
rte_malloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* Allocate zeroed memory from the heap.
@@ -83,7 +100,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -111,7 +129,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -136,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
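Review bot: `rte_realloc()` should not receive the full `__rte_alloc_func(rte_free)`, because patch 01/16 expands that macro to `__attribute__((malloc, malloc(free_func)))` and the plain `malloc` part tells the compiler the returned pointer aliases nothing and refers to new storage. GCC's documentation of the attribute names realloc-like functions as not having that property, since the returned storage holds the old contents, including any pointers to existing objects. Split the macro so the deallocator pairing can be applied here without the no-alias claim; the same applies to `rte_realloc_socket()` in the next hunk.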
@@ -163,7 +183,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -191,7 +212,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* Allocate zeroed memory from the heap.
@@ -221,7 +243,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -251,22 +274,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free);
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 16/16] mempool: annotate mempool create
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (14 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 15/16] eal: add alloc_function attribute to rte_malloc Stephen Hemminger
@ 2024-09-27 20:45 ` Stephen Hemminger
2024-09-28 11:49 ` Morten Brørup
2024-09-28 16:47 ` [PATCH v2 00/16] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (7 subsequent siblings)
23 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Andrew Rybchenko, Morten Brørup
Use rte_alloc_function annotation to catch mismatch errors
on memzone handling.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/mempool/rte_mempool.h | 41 +++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/lib/mempool/rte_mempool.h b/lib/mempool/rte_mempool.h
index 7bdc92b812..912500ce4c 100644
--- a/lib/mempool/rte_mempool.h
+++ b/lib/mempool/rte_mempool.h
@@ -1012,6 +1012,20 @@ typedef void (rte_mempool_mem_cb_t)(struct rte_mempool *mp,
*/
typedef void (rte_mempool_ctor_t)(struct rte_mempool *, void *);
+/**
+ * Free a mempool
+ *
+ * Unlink the mempool from global list, free the memory chunks, and all
+ * memory referenced by the mempool. The objects must not be used by
+ * other cores as they will be freed.
+ *
+ * @param mp
+ * A pointer to the mempool structure.
+ * If NULL then, the function does nothing.
+ */
+void
+rte_mempool_free(struct rte_mempool *mp);
+
/**
* Create a new mempool named *name* in memory.
*
@@ -1091,11 +1105,12 @@ typedef void (rte_mempool_ctor_t)(struct rte_mempool *, void *);
* - ENOMEM - no appropriate memory area found in which to create memzone
*/
struct rte_mempool *
-rte_mempool_create(const char *name, unsigned n, unsigned elt_size,
- unsigned cache_size, unsigned private_data_size,
+rte_mempool_create(const char *name, unsigned int n, unsigned int elt_size,
+ unsigned int cache_size, unsigned int private_data_size,
rte_mempool_ctor_t *mp_init, void *mp_init_arg,
rte_mempool_obj_cb_t *obj_init, void *obj_init_arg,
- int socket_id, unsigned flags);
+ int socket_id, unsigned int flags)
+ __rte_alloc_func(rte_mempool_free);
/**
* Create an empty mempool
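Review bot: the `unsigned` to `unsigned int` respelling of five parameters is mixed into the same hunk as the one functional change, the added `__rte_alloc_func(rte_mempool_free)`. Leave the prototype text as it was, or move the respelling to its own patch, so the diff shows only the new attribute. The commit message speaks of "memzone handling" while the hunk annotates mempool creation; align the wording.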
@@ -1132,22 +1147,10 @@ rte_mempool_create(const char *name, unsigned n, unsigned elt_size,
* with rte_errno set appropriately. See rte_mempool_create() for details.
*/
struct rte_mempool *
-rte_mempool_create_empty(const char *name, unsigned n, unsigned elt_size,
- unsigned cache_size, unsigned private_data_size,
- int socket_id, unsigned flags);
-/**
- * Free a mempool
- *
- * Unlink the mempool from global list, free the memory chunks, and all
- * memory referenced by the mempool. The objects must not be used by
- * other cores as they will be freed.
- *
- * @param mp
- * A pointer to the mempool structure.
- * If NULL then, the function does nothing.
- */
-void
-rte_mempool_free(struct rte_mempool *mp);
+rte_mempool_create_empty(const char *name, unsigned int n, unsigned int elt_size,
+ unsigned int cache_size, unsigned int private_data_size,
+ int socket_id, unsigned int flags)
+ __rte_alloc_func(rte_mempool_free);
/**
* Add physically contiguous memory for objects in the pool at init
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH 01/16] eal: add function attributes for allocation functions
2024-09-27 20:45 ` [PATCH 01/16] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-09-27 22:09 ` David Marchand
2024-09-27 23:10 ` Stephen Hemminger
0 siblings, 1 reply; 196+ messages in thread
From: David Marchand @ 2024-09-27 22:09 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev, Tyler Retzlaff, Anatoly Burakov
On Fri, Sep 27, 2024 at 4:48 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The allocation functions take an alignment argument that
> can be useful to hint the compiler optimizer.
>
> This is supported by Gcc and Clang but only useful with
> Gcc because Clang gives warning if alignment is 0.
>
> Recent versions of GCC have a malloc attribute that can
> be used to find mismatches between allocation and free;
> the typical problem caught is a pointer allocated with
> rte_malloc() that is then incorrectly freed using free().
Interesting tool.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> lib/eal/include/rte_common.h | 30 ++++++++++++++++++++++++++++++
> lib/eal/include/rte_malloc.h | 24 ++++++++++++++++--------
> 2 files changed, 46 insertions(+), 8 deletions(-)
>
> diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> index eec0400dad..1b3781274d 100644
> --- a/lib/eal/include/rte_common.h
> +++ b/lib/eal/include/rte_common.h
> @@ -228,6 +228,36 @@ typedef uint16_t unaligned_uint16_t;
> #define __rte_alloc_size(...)
> #endif
>
> +/**
> + * Tells the compiler that the function returns a value that points to
> + * memory aligned by a function argument.
> + * Not enabled on clang because it warns if align argument is zero.
> + */
> +#if defined(RTE_CC_GCC)
> +#define __rte_alloc_align(align_arg) \
> + __attribute__((alloc_align(align_arg)))
> +#else
> +#define __rte_alloc_align(...)
> +#endif
> +
> +/**
> + * Tells the compiler this is a function like malloc and that the pointer
> + * returned cannot alias any other pointer (ie new memory).
> + *
> + * Also, with recent GCC versions also able to track that proper
> + * dealloctor function is used for this pointer.
> + */
> +#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
Even though it is probably equivalent, GCC_VERSION is set with RTE_CC_GCC.
> +#define __rte_alloc_func(free_func) \
> + __attribute__((malloc, malloc(free_func)))
I read that this malloc attribute can also make use of the arg index
to assume the pointer is freed.
Did you try this feature?
Something like:
@@ -248,14 +248,13 @@ typedef uint16_t unaligned_uint16_t;
* dealloctor function is used for this pointer.
*/
#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
-#define __rte_alloc_func(free_func) \
- __attribute__((malloc, malloc(free_func)))
-
+#define __rte_alloc_func(...) \
+ __attribute__((malloc, malloc(__VA_ARGS__)))
#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
-#define __rte_alloc_func(free_func) \
+#define __rte_alloc_func(...) \
__attribute__((malloc))
#else
-#define __rte_alloc_func(free_func)
+#define __rte_alloc_func(...)
#endif
#define RTE_PRIORITY_LOG 101
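Review bot: once `__rte_alloc_func(...)` is variadic, the comment above it has to document the arguments: the first is the deallocator and the optional second is the 1-based position of the pointer in the deallocator's parameter list. In the two fallback branches the arguments are discarded entirely, so a misspelled deallocator or a wrong index is caught only by a GCC 11 or later build; say that in the comment so at least one such build stays in CI.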
> +
> +#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
> +#define __rte_alloc_func(free_func) \
> + __attribute__((malloc))
> +#else
> +#define __rte_alloc_func(free_func)
> +#endif
> +
> #define RTE_PRIORITY_LOG 101
> #define RTE_PRIORITY_BUS 110
> #define RTE_PRIORITY_CLASS 120
--
David Marchand
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH 01/16] eal: add function attributes for allocation functions
2024-09-27 22:09 ` David Marchand
@ 2024-09-27 23:10 ` Stephen Hemminger
0 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-27 23:10 UTC (permalink / raw)
To: David Marchand; +Cc: dev, Tyler Retzlaff, Anatoly Burakov
On Fri, 27 Sep 2024 18:09:22 -0400
David Marchand <david.marchand@redhat.com> wrote:
> On Fri, Sep 27, 2024 at 4:48 PM Stephen Hemminger
> <stephen@networkplumber.org> wrote:
> >
> > The allocation functions take an alignment argument that
> > can be useful to hint the compiler optimizer.
> >
> > This is supported by Gcc and Clang but only useful with
> > Gcc because Clang gives warning if alignment is 0.
> >
> > Recent versions of GCC have a malloc attribute that can
> > be used to find mismatches between allocation and free;
> > the typical problem caught is a pointer allocated with
> > rte_malloc() that is then incorrectly freed using free().
>
> Interesting tool.
>
> >
> > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> > ---
> > lib/eal/include/rte_common.h | 30 ++++++++++++++++++++++++++++++
> > lib/eal/include/rte_malloc.h | 24 ++++++++++++++++--------
> > 2 files changed, 46 insertions(+), 8 deletions(-)
> >
> > diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> > index eec0400dad..1b3781274d 100644
> > --- a/lib/eal/include/rte_common.h
> > +++ b/lib/eal/include/rte_common.h
> > @@ -228,6 +228,36 @@ typedef uint16_t unaligned_uint16_t;
> > #define __rte_alloc_size(...)
> > #endif
> >
> > +/**
> > + * Tells the compiler that the function returns a value that points to
> > + * memory aligned by a function argument.
> > + * Not enabled on clang because it warns if align argument is zero.
> > + */
> > +#if defined(RTE_CC_GCC)
> > +#define __rte_alloc_align(align_arg) \
> > + __attribute__((alloc_align(align_arg)))
> > +#else
> > +#define __rte_alloc_align(...)
> > +#endif
> > +
> > +/**
> > + * Tells the compiler this is a function like malloc and that the pointer
> > + * returned cannot alias any other pointer (ie new memory).
> > + *
> > + * Also, with recent GCC versions also able to track that proper
> > + * dealloctor function is used for this pointer.
> > + */
> > +#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
>
> Even though it is probably equivalent, GCC_VERSION is set with RTE_CC_GCC.
>
> > +#define __rte_alloc_func(free_func) \
> > + __attribute__((malloc, malloc(free_func)))
>
> I read that this malloc attribute can also make use of the arg index
> to assume the pointer is freed.
>
> Did you try this feature?
Yes, but all DPDK functions use first arg, so not really that relevant
^ permalink raw reply [flat|nested] 196+ messages in thread
* RE: [PATCH 16/16] mempool: annotate mempool create
2024-09-27 20:45 ` [PATCH 16/16] mempool: annotate mempool create Stephen Hemminger
@ 2024-09-28 11:49 ` Morten Brørup
0 siblings, 0 replies; 196+ messages in thread
From: Morten Brørup @ 2024-09-28 11:49 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Andrew Rybchenko
> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Friday, 27 September 2024 22.46
>
> Use rte_alloc_function annotation to catch mismatch errors
> on memzone handling.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
Note for other reviewers:
rte_mempool_free() was intentionally moved up,
so __rte_alloc_func attribute can refer to it.
Reviewed-by: Morten Brørup <mb@smartsharesystems.com>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH 10/16] net/sfc: fix use-after-free warning messages
2024-09-27 20:45 ` [PATCH 10/16] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-09-28 11:52 ` Ivan Malov
0 siblings, 0 replies; 196+ messages in thread
From: Ivan Malov @ 2024-09-28 11:52 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev, ivan.malov, Andrew Rybchenko, Andy Moreton
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Thank you.
On Fri, 27 Sep 2024, Stephen Hemminger wrote:
> If compiler detection of use-after-free is enabled then this driver's
> debug messages will cause warnings. Change to move debug message
> before the object is freed.
>
> Bugzilla ID: 1551
> Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
> Cc: ivan.malov@oktetlabs.ru
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> drivers/net/sfc/sfc_flow_rss.c | 4 ++--
> drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
> 2 files changed, 11 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
> index e28c943335..8e2749833b 100644
> --- a/drivers/net/sfc/sfc_flow_rss.c
> +++ b/drivers/net/sfc/sfc_flow_rss.c
> @@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
>
> TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
> rte_free(ctx->qid_offsets);
> - rte_free(ctx);
> -
> sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
> +
> + rte_free(ctx);
> }
>
> static int
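Review bot: the position of the debug line relative to the frees differs between hunks of this patch. Here `sfc_dbg()` sits between `rte_free(ctx->qid_offsets)` and `rte_free(ctx)`, while in `sfc_mae_encap_header_del()` and `sfc_mae_action_set_list_del()` it is placed before both frees. Pick one ordering (log first, then release the members, then the object) so the next cleanup function follows an obvious pattern. The message text still says "deleted" although it is now printed before the release; note that in the commit message.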
> diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
> index 60ff6d2181..8f74f10390 100644
> --- a/drivers/net/sfc/sfc_mae.c
> +++ b/drivers/net/sfc/sfc_mae.c
> @@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
> efx_mae_match_spec_fini(sa->nic, rule->match_spec);
>
> TAILQ_REMOVE(&mae->outer_rules, rule, entries);
> - rte_free(rule);
> -
> sfc_dbg(sa, "deleted outer_rule=%p", rule);
> + rte_free(rule);
> }
>
> static int
> @@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
> }
>
> TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
> - rte_free(mac_addr);
> -
> sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
> + rte_free(mac_addr);
> }
>
> enum sfc_mae_mac_addr_type {
> @@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
> }
>
> TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
> + sfc_dbg(sa, "deleted encap_header=%p", encap_header);
> +
> rte_free(encap_header->buf);
> rte_free(encap_header);
> -
> - sfc_dbg(sa, "deleted encap_header=%p", encap_header);
> }
>
> static int
> @@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
> }
>
> TAILQ_REMOVE(&mae->counters, counter, entries);
> - rte_free(counter);
> -
> sfc_dbg(sa, "deleted counter=%p", counter);
> + rte_free(counter);
> }
>
> static int
> @@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
> sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
> sfc_mae_counter_del(sa, action_set->counter);
> TAILQ_REMOVE(&mae->action_sets, action_set, entries);
> - rte_free(action_set);
> -
> sfc_dbg(sa, "deleted action_set=%p", action_set);
> + rte_free(action_set);
> }
>
> static int
> @@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
> sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
>
> TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
> + sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
> +
> rte_free(action_set_list->action_sets);
> rte_free(action_set_list);
> -
> - sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
> }
>
> static int
> @@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
> sfc_mae_outer_rule_del(sa, rule->outer_rule);
>
> TAILQ_REMOVE(&mae->action_rules, rule, entries);
> - rte_free(rule);
> -
> sfc_dbg(sa, "deleted action_rule=%p", rule);
> + rte_free(rule);
> }
>
> static int
> --
> 2.45.2
>
>
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v2 00/16] Fix allocation bugs and add malloc hardening
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (15 preceding siblings ...)
2024-09-27 20:45 ` [PATCH 16/16] mempool: annotate mempool create Stephen Hemminger
@ 2024-09-28 16:47 ` Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 01/16] eal: add function attributes for allocation functions Stephen Hemminger
` (15 more replies)
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (6 subsequent siblings)
23 siblings, 16 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of Gcc have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute can tell the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells compiler that object is not overlapping
and potentially aliasing. It also has an additional variant in Gcc 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
This patch set is structured with:
- add macros for enable the macros
- fix any new warnings that were discovered
- enable the attributes
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
The same attributes could be added to lots more functions in DPDK,
but this patchset focuses on the key ones, and where problems
exist in current code base.
The fixes should be backported to stable (they are real bugs),
but the macros common and the annotation in malloc should not.
v2 - add release note
- add fix for nfp device
- drop mempool (will pick it up in later series)
Stephen Hemminger (16):
eal: add function attributes for allocation functions
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
eal: add alloc_function attribute to rte_malloc
doc/guides/rel_notes/release_24_11.rst | 8 +++
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 30 +++++++++++
lib/eal/include/rte_malloc.h | 63 ++++++++++++++---------
18 files changed, 116 insertions(+), 62 deletions(-)
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
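The allocator/deallocator pairing described in the cover letter, including the argument-index form raised in the review of 01/16, as an added stand-alone example (not code from this patch set or from DPDK). Every `demo_*` name is hypothetical, and `demo_alloc_func()` is a constructed stand-in for `__rte_alloc_func()` that uses compiler built-ins instead of DPDK's build macros.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for __rte_alloc_func(): compiler built-ins replace
 * DPDK's RTE_CC_GCC / GCC_VERSION, which do not exist outside its build.
 * noinline keeps the demo_* call sites visible to the pairing check. */
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define demo_alloc_func(...) __attribute__((malloc, malloc(__VA_ARGS__)))
#define demo_noinline __attribute__((noinline))
#elif defined(__GNUC__)
#define demo_alloc_func(...) __attribute__((malloc))
#define demo_noinline __attribute__((noinline))
#else
#define demo_alloc_func(...)
#define demo_noinline
#endif

#define DEMO_MAGIC UINT64_C(0x64656d6f68656170)

/* Private header in front of every user pointer; libc free() knows nothing
 * about it, so a mismatched free corrupts a heap built this way. */
struct demo_hdr { uint64_t magic; uint64_t size; };
struct demo_pool { size_t in_use; };

/* Deallocators are declared first: the attribute on an allocator can only
 * name a function that is already visible. */
void demo_free(void *ptr);
void demo_pool_put(struct demo_pool *pool, void *obj);

void *demo_malloc(const char *type, size_t size)
	demo_alloc_func(demo_free);

/* Second argument: 1-based position of the pointer among the deallocator's
 * parameters (obj is parameter 2 of demo_pool_put). */
void *demo_pool_get(struct demo_pool *pool, size_t size)
	demo_alloc_func(demo_pool_put, 2);

demo_noinline void *demo_malloc(const char *type, size_t size)
{
	struct demo_hdr *hdr = NULL;

	(void)type;	/* present only to mirror rte_malloc()'s signature */
	if (size <= SIZE_MAX - sizeof(*hdr))
		hdr = malloc(sizeof(*hdr) + size);
	if (hdr == NULL)
		return NULL;
	hdr->magic = DEMO_MAGIC;
	hdr->size = size;
	return hdr + 1;
}

/* 1 if ptr carries this heap's header; only for pointers from demo_*(). */
demo_noinline int demo_owned(const void *ptr)
{
	return ptr != NULL &&
	       ((const struct demo_hdr *)ptr - 1)->magic == DEMO_MAGIC;
}

demo_noinline void demo_free(void *ptr)
{
	struct demo_hdr *hdr = ptr;

	if (hdr == NULL)
		return;
	hdr -= 1;		/* step back to the private header */
	hdr->magic = 0;
	free(hdr);
}

demo_noinline void *demo_pool_get(struct demo_pool *pool, size_t size)
{
	void *obj = demo_malloc("pool", size);

	if (obj != NULL)
		pool->in_use++;
	return obj;
}

demo_noinline void demo_pool_put(struct demo_pool *pool, void *obj)
{
	if (obj == NULL)
		return;
	pool->in_use--;
	demo_free(obj);
}

#ifdef DEMO_MISMATCH
/* Compile only (gcc -Wall -DDEMO_MISMATCH -c): GCC 11 or later reports
 * -Wmismatched-dealloc on both calls below. Never run this function. */
void demo_mismatch(struct demo_pool *pool)
{
	void *a = demo_malloc("bug", 32);
	void *b = demo_pool_get(pool, 32);

	free(a);	/* libc free() on a demo_malloc() block */
	demo_free(b);	/* pool object released with the wrong function */
}
#endif
```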
* [PATCH v2 01/16] eal: add function attributes for allocation functions
2024-09-28 16:47 ` [PATCH v2 00/16] Fix allocation bugs and add malloc hardening Stephen Hemminger
@ 2024-09-28 16:47 ` Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 02/16] memzone: fix use after free in tracing Stephen Hemminger
` (14 subsequent siblings)
15 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Tyler Retzlaff, Anatoly Burakov
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer.
This is supported by Gcc and Clang but only useful with
Gcc because Clang gives warning if alignment is 0.
Recent versions of GCC have a malloc attribute that can
be used to find mismatches between allocation and free;
the typical problem caught is a pointer allocated with
rte_malloc() that is then incorrectly freed using free().
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/include/rte_common.h | 30 ++++++++++++++++++++++++++++++
lib/eal/include/rte_malloc.h | 24 ++++++++++++++++--------
2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..e73c9f2aef 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,36 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ * Not enabled on clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(align_arg) \
+ __attribute__((alloc_align(align_arg)))
+#else
+#define __rte_alloc_align(...)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ *
+ * Also, with recent GCC versions also able to track that proper
+ * dealloctor function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_alloc_func(...) \
+ __attribute__((malloc, malloc(__VA_ARGS__)))
+
+#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_alloc_func(...) \
+ __attribute__((malloc))
+#else
+#define __rte_alloc_func(...)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
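Review bot: the GCC 11+ branch of `__rte_alloc_func` is guarded by `RTE_TOOLCHAIN_GCC`, while `__rte_alloc_align` just above and the `#elif` just below both test `RTE_CC_GCC`; this was raised on v1 and is unchanged here. Use `RTE_CC_GCC` in all three places so the compiler test and `GCC_VERSION` come from the same definition. While here, fix "dealloctor" in the new comment, drop the blank line left between the first `#define` and the `#elif`, and document the arguments now that the macro is variadic.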
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..cf3c174022 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -54,7 +54,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +82,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +110,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +135,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -158,7 +162,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +190,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +220,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,7 +250,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Frees the memory space pointed to by the provided pointer.
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v2 02/16] memzone: fix use after free in tracing
2024-09-28 16:47 ` [PATCH v2 00/16] Fix allocation bugs and add malloc hardening Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 01/16] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-09-28 16:47 ` Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (13 subsequent siblings)
15 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free
2024-09-28 16:47 ` [PATCH v2 00/16] Fix allocation bugs and add malloc hardening Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 01/16] eal: add function attributes for allocation functions Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 02/16] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-09-28 16:47 ` Stephen Hemminger
2024-09-28 16:47 ` [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (12 subsequent siblings)
15 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
Raveendra Padasalagi, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to a
corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
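Review bot: at the cleanup label only the free side of the pairing is visible, so please confirm that every path reaching it has fsdev either NULL or returned by rte_malloc(), as the commit message states. The compiler can pair allocator and deallocator only where it sees both; fsdev_release() in the next hunk receives the pointer as a parameter, so that replacement rests on review alone.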
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
* [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
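Review bot: the subject prefix says dma/ixd, but the file changed at the err: label is drivers/dma/idxd/idxd_pci.c and the Fixes: line uses dma/idxd, so the prefix should read dma/idxd. The replacement of free(pci) with rte_free(pci) needs no further change.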
--
2.45.2
* [PATCH v2 05/16] event/cnxk: fix pointer mismatch in cleanup
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to cleanup in case of error was passing incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
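Review bot: in the hws_fini loop the new rte_free(ws) drops the cnxk_sso_hws_get_cookie() call as well as fixing the ordering, and those are two separate changes. The defect visible in the removed line is that ports[i] was set to NULL before it was read. Whether the cookie lookup was also wrong depends on what the setup loop stores in ports[i]: if it stores the pointer rte_malloc returned, rte_free(ws) is right; if it stores an address offset past a cookie, the call should be rte_free(cnxk_sso_hws_get_cookie(ws)). Please show the allocation side in the commit message or check against the normal port release path.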
--
2.45.2
* [PATCH v2 06/16] examples/vhost: fix free function mismatch
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
* [PATCH v2 07/16] net/cnxk: fix use-after-free
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
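Review bot: plt_free(hp->pool_config) now runs while hp is still live, which fixes the read of freed memory, but hp->pool_config is left dangling when rte_mempool_free(hp) is called on the next line. If the mempool free path can reach pool_config, that is the same class of bug moved one line down. Saving the pointer in a local and freeing it after rte_mempool_free(hp), or setting hp->pool_config = NULL right after plt_free(), would rule that out.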
--
2.45.2
* [PATCH v2 08/16] bpf: fix free mismatch if convert fails
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v2 09/16] net/e1000: fix use-after-free
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
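Review bot: in igb_delete_5tuple_filter_82576 the rte_free(filter) is removed in one hunk and re-added in the next, and the lines between the two hunks are not shown. Please check that nothing between them returns early; otherwise filter, already unlinked by TAILQ_REMOVE, would leak. Reading filter->index into a local before the register writes is an alternative that keeps the free next to TAILQ_REMOVE in both functions.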
--
2.45.2
* [PATCH v2 10/16] net/sfc: fix use-after-free warning messages
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
---
| 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
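Review bot: sfc_dbg() in sfc_flow_rss_ctx_del takes ctx only as a %p argument and never dereferences it, so this is a diagnostic cleanup rather than a memory-safety fix; the subject says so, but the Fixes: tag may suggest otherwise to whoever triages backports. A style point as well: this hunk leaves a blank line between sfc_dbg() and rte_free(ctx), while most of the sfc_mae.c hunks put the two on adjacent lines. One form throughout would read better.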
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
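Review bot: in sfc_mae_encap_header_del the "deleted encap_header=%p" message now comes before rte_free(encap_header->buf), whereas in sfc_flow_rss_ctx_del the message sits after rte_free(ctx->qid_offsets) and directly before the final free. Placing sfc_dbg() between the two rte_free() calls here, and likewise in sfc_mae_action_set_list_del, would keep all the delete helpers in the same order.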
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v2 11/16] net/cpfl: fix free of nonheap object
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
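Review bot: with rte_free(js_mod->layout) gone, the err: label in cpfl_flow_js_mr_layout only returns -EINVAL, so the goto err sites could return directly and the label could be dropped. The commit message should also say where the enclosing object is released on this error path, since the quoted warning places layout inside parser.modifications and the caller is now the only place that can clean it up.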
--
2.45.2
* [PATCH v2 12/16] net/nfp: fix duplicate call to rte_free
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
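Review bot: removing the first rte_free(entry) is correct only if this path still reaches the free_entry label targeted by the goto in the context above. The quoted warning (calls at lines 3825 and 3830) indicates that it does, but the label itself is outside the hunk, so please confirm. Separately, a double free is a real heap corruption bug, yet the message carries a Fixes: tag without Cc: stable@dpdk.org, unlike most of the other fixes in the series.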
--
2.45.2
* [PATCH v2 13/16] raw/ifpga/base: fix use after free
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
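Review bot: the TAILQ_FOREACH_SAFE fallback is defined in this .c file, so any other base file that needs it would have to copy it. Moving the #ifndef block into opae_osdep.h, which this file already includes, keeps the compatibility shim in one place.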
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
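Review bot: in max10_sensor_uinit the loop only drains the list, so the extra next variable can be avoided by looping on the head: while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL), followed by the existing TAILQ_REMOVE and opae_free. That form needs no new macro. If the _SAFE macro is kept, the change as written is correct.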
--
2.45.2
* [PATCH v2 14/16] common/qat: fix use after free
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
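Review bot: the commit message does not say where the use after free is. In the removed block, QAT_LOG reads qat_dev_mz->name after rte_memzone_free(qat_dev_mz) has already been called, and in the failure case the message describes (a NULL pointer) that read is a NULL dereference. Stating this would justify the subject line. Also note that rte_free(qat_dev->command_line) in the context still dereferences qat_dev at the error label, so every goto error has to occur after qat_dev is valid.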
--
2.45.2
* [PATCH v2 15/16] drivers/ifpga: fix free function mismatch
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to case where interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
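Review bot: nb_intr is taken straight from rte_intr_nb_intr_get() and used as the element count for rte_calloc() with no range check visible in this hunk. This predates the patch, but since the allocation line is being touched, a check for nb_intr <= 0 before allocating would be cheap to add.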
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
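Review bot: intr_efds is now released by three separate rte_free() calls in ifpga_register_msix_irq, two on error paths and one on success. A single exit label that frees intr_efds and returns the chosen code would make it harder to miss one when the function changes. The commit message calls this a workaround; the malloc/free redefinition it describes remains, so other calloc()/free() pairs built under the same headers deserve the same audit.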
--
2.45.2
* [PATCH v2 16/16] eal: add alloc_function attribute to rte_malloc
From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Use the GCC function attribute to detect cases where
memory is allocated with rte_malloc and freed incorrectly
with libc version of free (and vice versa). Also will detect
some other pointer mismatches.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++++-----------
2 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index 0ff70d9057..f27a37eac4 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -55,6 +55,14 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index cf3c174022..c7af96fcba 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
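Review bot: the doc comment moved up with rte_free() lists rte_malloc(), rte_zmalloc(), rte_calloc() and rte_realloc() as the valid sources, but the hunks below also name rte_free as the deallocator for the _socket variants. Since the comment is being moved anyway, extend the list so the documentation matches the annotations.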
@@ -55,7 +71,8 @@ struct rte_malloc_socket_stats {
void *
rte_malloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Allocate zeroed memory from the heap.
@@ -83,7 +100,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -111,7 +129,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -136,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
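Review bot: rte_realloc() receives the same __rte_alloc_func(rte_free, 1) as the fresh allocators, and the macro definition is in patch 01, not in this hunk. If the macro expands to the plain malloc attribute in addition to malloc(rte_free, 1), the plain form asserts that the returned storage holds no pointers to existing objects, which does not hold for a realloc-style function that preserves the old contents. In that case rte_realloc() and rte_realloc_socket() need a variant that carries only the deallocator pairing.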
@@ -163,7 +183,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -191,7 +212,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Allocate zeroed memory from the heap.
@@ -221,7 +243,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -251,22 +274,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free, 1);
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
* [PATCH v3 00/18] Fix allocation bugs and add malloc hardening
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells compiler that object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK, these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros for enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patchset focuses on the key ones, and where problems
exist in current code base.
v3 - fix more broken devices
- reorder patches
Stephen Hemminger (18):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/ipdf: fix use after free due
eal: add function attributes for allocation functions
eal: add alloc_function attribute to rte_malloc
doc/guides/rel_notes/release_24_11.rst | 8 +++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 +++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 30 +++++++++++
lib/eal/include/rte_malloc.h | 63 ++++++++++++++---------
21 files changed, 126 insertions(+), 66 deletions(-)
--
2.45.2
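Added example, not part of the patch series or of DPDK: a toy allocator annotated the way the cover letter describes, with the deallocator declared first so the malloc attribute can name it. demo_alloc(), demo_free() and the DEMO_* macros are hypothetical names; building with -DDEMO_MISMATCH compiles two deliberately wrong callers so the compiler diagnostics can be seen.

```c
/* Added example, not DPDK code. demo_alloc(), demo_free() and the DEMO_*
 * macros are hypothetical stand-ins for rte_malloc(), rte_free() and the
 * macros the series adds.
 *   gcc -O2 -Wall -c demo.c                  builds clean
 *   gcc -O2 -Wall -DDEMO_MISMATCH -c demo.c  shows the diagnostics */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
/* Two-argument form: names the one valid deallocator and the position of
 * its pointer parameter. */
#define DEMO_DEALLOC(fn, idx) __attribute__((malloc, malloc(fn, idx)))
#elif defined(__GNUC__)
#define DEMO_DEALLOC(fn, idx) __attribute__((malloc))
#else
#define DEMO_DEALLOC(fn, idx)
#endif
#if defined(__GNUC__)
#define DEMO_ALLOC_ALIGN(idx) __attribute__((alloc_align(idx)))
#define DEMO_NOINLINE __attribute__((noinline))
#else
#define DEMO_ALLOC_ALIGN(idx)
#define DEMO_NOINLINE
#endif

/* Bookkeeping kept just below every pointer handed out. The caller's
 * pointer is therefore not the address malloc() returned, which is why
 * passing it to free() corrupts the libc heap. */
struct demo_hdr {
	void *base;     /* address returned by malloc() */
	uint32_t magic; /* DEMO_LIVE while allocated */
};
#define DEMO_LIVE 0xA110CA7Eu
#define DEMO_DEAD 0xDEADBEEFu

static unsigned int demo_outstanding;

/* The deallocator has to be declared before the prototype that names it. */
void demo_free(void *ptr);
void *demo_alloc(size_t size, size_t align)
	DEMO_DEALLOC(demo_free, 1) DEMO_ALLOC_ALIGN(2);

DEMO_NOINLINE void *demo_alloc(size_t size, size_t align)
{
	struct demo_hdr *hdr;
	uintptr_t user;
	char *base;

	/* alloc_align promises the compiler a power-of-two alignment */
	if (align == 0 || (align & (align - 1)) != 0)
		return NULL;
	if (align < _Alignof(struct demo_hdr))
		align = _Alignof(struct demo_hdr);
	if (size > SIZE_MAX - align - sizeof(*hdr))
		return NULL;
	base = malloc(size + align + sizeof(*hdr));
	if (base == NULL)
		return NULL;
	user = ((uintptr_t)base + sizeof(*hdr) + align - 1) & ~(uintptr_t)(align - 1);
	hdr = (struct demo_hdr *)user - 1;
	hdr->base = base;
	hdr->magic = DEMO_LIVE;
	demo_outstanding++;
	return (void *)user;
}

DEMO_NOINLINE void demo_free(void *ptr)
{
	struct demo_hdr *hdr;

	if (ptr == NULL)
		return;
	hdr = (struct demo_hdr *)ptr - 1;
	if (hdr->magic != DEMO_LIVE)
		abort(); /* best-effort canary: foreign pointer or double free */
	hdr->magic = DEMO_DEAD;
	demo_outstanding--;
	free(hdr->base);
}

unsigned int demo_live(void) { return demo_outstanding; }

/* Correct pairing. Returns 1 if the block met the requested alignment and
 * the outstanding count went back to its starting value. */
int demo_roundtrip(size_t size, size_t align)
{
	unsigned int before = demo_outstanding;
	unsigned char *p = demo_alloc(size, align);
	volatile uintptr_t addr = (uintptr_t)p; /* stop the check being folded */

	if (p == NULL)
		return 0;
	memset(p, 0xA5, size);
	demo_free(p);
	return (addr % align) == 0 && demo_outstanding == before;
}

#ifdef DEMO_MISMATCH
/* Compile-only, never call these. GCC 11+ flags demo_bad_free with
 * -Wmismatched-dealloc; GCC 12+ flags demo_bad_order with -Wuse-after-free. */
void demo_bad_free(void) { char *p = demo_alloc(64, 16); free(p); }
char demo_bad_order(void)
{
	char *p = demo_alloc(64, 16);

	if (p == NULL)
		return 0;
	p[0] = 1;
	demo_free(p);
	return p[0]; /* read after the block was released */
}
#endif
```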
* [PATCH v3 01/18] memzone: fix use after free in tracing
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 9:15 ` fengchengwen
2024-09-29 15:34 ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (16 subsequent siblings)
17 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
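Review bot: the moved rte_eal_trace_memzone_free(name, addr, ret) only passes the value of addr and never dereferences it, so the reorder quiets analyzers rather than closing a memory-safety hole, and the subject line "fix use after free" overstates that. A one-line comment above the call saying it has to stay ahead of rte_free(addr) would stop a later cleanup from moving it back.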
--
2.45.2
* [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 01/18] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (15 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde,
Raveendra Padasalagi, Akhil Goyal
The device structure is allocated with rte_malloc() and then
incorrectly freed with free(). This will lead to corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: vikas.gupta@broadcom.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
* [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 01/18] memzone: fix use after free in tracing Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (14 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
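Review bot: the subject prefix reads "dma/ixd" while the file changed in this hunk is drivers/dma/idxd/idxd_pci.c and the Fixes: line uses "dma/idxd"; the prefix should be "dma/idxd" so that log filtering by component and stable backport tooling pick the commit up. The rte_free(pci) change at the err: label is otherwise consistent with the commit message.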
--
2.45.2
* [PATCH v3 04/18] event/cnxk: fix pointer mismatch in cleanup
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (2 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
` (13 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to cleanup in case of error was passing incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
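Review bot: in the hws_fini loop the new rte_free(ws) drops the cnxk_sso_hws_get_cookie() wrapper that the old call applied, so the address handed to rte_free() is no longer the same kind of pointer as before. Saving ports[i] before clearing it fixes the NULL argument, but if the allocation site or the normal release path frees the cookie address, this error path should be rte_free(cnxk_sso_hws_get_cookie(ws)); please check it against where ports[i] is set and say which one is the allocation base in the commit message.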
--
2.45.2
* [PATCH v3 05/18] examples/vhost: fix free function mismatch
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (3 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 9:16 ` fengchengwen
2024-09-29 15:34 ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger
` (12 subsequent siblings)
17 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: jin.yu@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
* [PATCH v3 06/18] net/cnxk: fix use-after-free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (4 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger
` (11 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
* [PATCH v3 07/18] bpf: fix free mismatch if convert fails
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (5 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger
` (10 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v3 08/18] net/e1000: fix use-after-free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (6 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 09/18] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (9 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: wei.zhao1@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH v3 09/18] net/sfc: fix use-after-free warning messages
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (7 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 5:53 ` Andrew Rybchenko
2024-09-29 15:34 ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger
` (8 subsequent siblings)
17 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
---
| 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
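Review bot: the ordering and spacing in sfc_flow_rss_ctx_del differ from the sfc_mae.c hunks of the same patch. Here rte_free(ctx->qid_offsets) stays ahead of sfc_dbg() and a blank line separates sfc_dbg() from rte_free(ctx), while sfc_mae_encap_header_del and sfc_mae_action_set_list_del move sfc_dbg() ahead of both frees and the single-free functions have no blank line. Picking one pattern, log first and then all frees together, would make the intent obvious in every function.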
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v3 10/18] net/cpfl: fix free of nonheap object
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (8 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 09/18] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 11/18] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (7 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
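Review bot: with rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout now does nothing but `return -EINVAL;`, so the label and the gotos that target it can be replaced by direct returns. If the label is kept for future cleanup, a comment that js_mod->layout is not a separate allocation and must not be freed here would prevent the call from being reintroduced.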
--
2.45.2
* [PATCH v3 11/18] net/nfp: fix duplicate call to rte_free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (9 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger
` (6 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
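Review bot: removing rte_free(entry) before rte_free(find_entry) is only correct if the success path still reaches the rte_free(entry) that the quoted warning places at line 3830, presumably under the free_entry label used by the `goto free_entry;` above; please confirm that fall-through, otherwise the double free becomes a leak. The commit also carries a Fixes: line without Cc: stable@dpdk.org, unlike the other fixes in the series.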
--
2.45.2
* [PATCH v3 12/18] raw/ifpga/base: fix use after free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (10 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 11/18] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 13/18] common/qat: " Stephen Hemminger
` (5 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: tianfei.zhang@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
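Review bot: the TAILQ_FOREACH_SAFE fallback is defined privately at the top of opae_intel_max10.c, and patch 16/18 adds the same loop shape again as LIST_FOREACH_SAFE in idpf_osdep.h. Putting the fallback in opae_osdep.h, which this file already includes, would make it available to the rest of the ifpga base code, and if the base code is allowed to include rte_tailq.h then RTE_TAILQ_FOREACH_SAFE avoids the local copy altogether.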
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
--
2.45.2
* [PATCH v3 13/18] common/qat: fix use after free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (11 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (4 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
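Review bot: the commit message does not say where the use after free named in the subject is; in the removed block it is the QAT_LOG() argument qat_dev_mz->name, read after rte_memzone_free(qat_dev_mz) has been called on the same memzone. Stating that in the message would justify the subject. Since the return value of rte_memzone_free() is now dropped in the error: path, a note on whether qat_dev_mz can be NULL on entry to that path would also help.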
--
2.45.2
* [PATCH v3 14/18] drivers/ifpga: fix free function mismatch
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (12 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 13/18] common/qat: " Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
` (3 subsequent siblings)
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand,
Hyong Youb Kim
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to a case where interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
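Review bot: switching intr_efds to rte_calloc("ifpga_efds", ...) makes this one allocation match, but the cause named in the commit message, the driver redefining malloc and free to opae_malloc and opae_free, stays in place and will produce the same mismatch for the next calloc() or strdup() result. The message calls this a workaround; either remove the redefinition in a follow-up or add a comment at this call explaining why a short-lived scratch array has to come from the rte_malloc heap.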
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
--
2.45.2
* [PATCH v3 15/18] baseband/la12xx: prevent use after free
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (13 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 8:25 ` Hemant Agrawal
2024-09-29 15:34 ` [PATCH v3 16/18] common/ipdf: fix use after free due Stephen Hemminger
` (2 subsequent siblings)
17 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hemant.agrawal, stable, Gagandeep Singh,
Nipun Gupta, Nicolas Chautru, Akhil Goyal
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: hemant.agrawal@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
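Review bot: `hp = NULL;` after rte_free(hp) does not remove the second rte_free(hp) that the quoted warning places at line 901, it turns it into a free of NULL. That is fine as long as nothing between the two sites dereferences hp, for example hp->len, so please confirm that, and consider a short comment here saying the later cleanup relies on hp being NULL once this block has run.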
--
2.45.2
* [PATCH v3 16/18] common/ipdf: fix use after free due
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (14 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 17/18] eal: add function attributes for allocation functions Stephen Hemminger
2024-09-29 15:34 ` [PATCH v3 18/18] eal: add alloc_function attribute to rte_malloc Stephen Hemminger
17 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Xiao Wang, Beilei Xing
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same:
the _SAFE variant guarantees that there will not be use after free.
One other place was using LIST_FOR_EACH_ENTRY_SAFE() incorrectly.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index b2af8f443d..1491e2bd0d 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
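Review bot: the new LIST_FOREACH_SAFE assigns to tvar in its loop condition, so the temp argument of LIST_FOR_EACH_ENTRY_SAFE must now be a modifiable pointer variable, and nothing in the header says so. Add a comment stating that requirement, and note that entry_type is still unused by the expansion. Because the definition sits behind #ifndef LIST_FOREACH_SAFE, a platform header that already provides the macro will be used instead, so the argument order here has to match it.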
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
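Review bot: the commit message does not say why this call site changes. With the new LIST_FOREACH_SAFE the NULL passed as temp would be assigned to, so this hunk is required for the header change to compile and the two must stay in the same commit. The visible part of the loop body only reads ctlq and sets hw->asq, so the non-safe iterator is sufficient as long as nothing in the rest of the body removes entries.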
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v3 17/18] eal: add function attributes for allocation functions
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (15 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 16/18] common/ipdf: fix use after free due Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 9:19 ` fengchengwen
2024-10-08 8:29 ` Morten Brørup
2024-09-29 15:34 ` [PATCH v3 18/18] eal: add alloc_function attribute to rte_malloc Stephen Hemminger
17 siblings, 2 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Tyler Retzlaff, Anatoly Burakov
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer.
This is supported by Gcc and Clang but only useful with
Gcc because Clang gives warning if alignment is 0.
Recent versions of GCC have a malloc attribute that can
be used to find mismatches between allocation and free;
the typical problem caught is a pointer allocated with
rte_malloc() that is then incorrectly freed using free().
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/eal/include/rte_common.h | 30 ++++++++++++++++++++++++++++++
lib/eal/include/rte_malloc.h | 24 ++++++++++++++++--------
2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..e73c9f2aef 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,36 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ * Not enabled on clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(align_arg) \
+ __attribute__((alloc_align(align_arg)))
+#else
+#define __rte_alloc_align(...)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ *
+ * Also, with recent GCC versions also able to track that proper
+ * dealloctor function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_alloc_func(...) \
+ __attribute__((malloc, malloc(__VA_ARGS__)))
+
+#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_alloc_func(...) \
+ __attribute__((malloc))
+#else
+#define __rte_alloc_func(...)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
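Review bot: the compiler checks in this hunk do not agree with each other: __rte_alloc_align and the #elif branch of __rte_alloc_func test RTE_CC_GCC, while the GCC 11 branch tests RTE_TOOLCHAIN_GCC together with GCC_VERSION. Use one macro for all three so the deallocator-tracking form cannot be selected or skipped on a different condition than the rest. In the doc comment, "dealloctor" should read "deallocator", and the comment should say what the variadic arguments are (the deallocator and the position of its pointer argument), since the next patch passes (rte_free, 1).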
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..cf3c174022 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -54,7 +54,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
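Review bot: __rte_alloc_align(3) on rte_malloc turns the align argument into a hint the optimizer may rely on, but callers routinely pass 0 (the vhost_blk example touched by this series calls rte_zmalloc(NULL, blk_cnt * blk_size, 0)), and the commit message only says that Clang warns about that value. State in the commit message or in the macro comment how GCC treats a zero argument, so it is clear the hint is dropped rather than misapplied. The same applies to every prototype changed below.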
@@ -81,7 +82,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +110,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +135,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -158,7 +162,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +190,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +220,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2)
+ __rte_alloc_align(3);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,7 +250,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3)
+ __rte_alloc_align(4);
/**
* Frees the memory space pointed to by the provided pointer.
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v3 18/18] eal: add alloc_function attribute to rte_malloc
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
` (16 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 17/18] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-09-29 15:34 ` Stephen Hemminger
2024-09-30 9:20 ` fengchengwen
17 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Anatoly Burakov, Tyler Retzlaff
Use the GCC function attribute to detect cases where
memory is allocated with rte_malloc and freed incorrectly
with libc version of free (and vice versa). Also will detect
some other pointer mismatches.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++++-----------
2 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index 0ff70d9057..f27a37eac4 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -55,6 +55,14 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
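Review bot: in the new release note entry, "calling free() on pointer" is missing an article ("on a pointer"). The entry would also be easier to act on if it named the diagnostics users will see; the build output quoted in this series shows -Wmismatched-dealloc and -Wuse-after-free.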
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index cf3c174022..c7af96fcba 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
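Review bot: the rte_free() prototype moved to the top of the header has no comment explaining that it must precede the allocators because their attribute names it, so a later cleanup could move it back and break the build on GCC 11. Add that sentence to the doc comment. The comment also still lists only rte_malloc(), rte_zmalloc(), rte_calloc() and rte_realloc() as valid sources, while the hunks below pair the _socket variants with rte_free as well.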
@@ -55,7 +71,8 @@ struct rte_malloc_socket_stats {
void *
rte_malloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Allocate zeroed memory from the heap.
@@ -83,7 +100,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -111,7 +129,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -136,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
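Review bot: __rte_alloc_func(rte_free, 1) on rte_realloc expands to include the plain malloc attribute, which the macro's own comment in rte_common.h describes as "the pointer returned cannot alias any other pointer (ie new memory)". A realloc-style function returns a block that carries the old block's contents, including any pointers stored in it, and GCC's documentation of the attribute excludes realloc-like functions from the no-alias form for that reason. Consider splitting the macro so that rte_realloc and rte_realloc_socket get only the deallocator pairing, malloc(rte_free, 1), without the no-alias promise.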
@@ -163,7 +183,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -191,7 +212,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Allocate zeroed memory from the heap.
@@ -221,7 +243,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
__rte_alloc_size(2)
- __rte_alloc_align(3);
+ __rte_alloc_align(3)
+ __rte_alloc_func(rte_free, 1);
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -251,22 +274,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
__rte_alloc_size(2, 3)
- __rte_alloc_align(4);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_align(4)
+ __rte_alloc_func(rte_free, 1);
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 09/18] net/sfc: fix use-after-free warning messages
2024-09-29 15:34 ` [PATCH v3 09/18] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-09-30 5:53 ` Andrew Rybchenko
0 siblings, 0 replies; 196+ messages in thread
From: Andrew Rybchenko @ 2024-09-30 5:53 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Ivan Malov, Andy Moreton
On 9/29/24 18:34, Stephen Hemminger wrote:
> If compiler detection of use-after-free is enabled then this driver's
> debug messages will cause warnings. Change to move debug message
> before the object is freed.
>
> Bugzilla ID: 1551
> Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 15/18] baseband/la12xx: prevent use after free
2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-09-30 8:25 ` Hemant Agrawal
0 siblings, 0 replies; 196+ messages in thread
From: Hemant Agrawal @ 2024-09-30 8:25 UTC (permalink / raw)
To: Stephen Hemminger, dev
Cc: hemant.agrawal, stable, Gagandeep Singh, Nipun Gupta,
Nicolas Chautru, Akhil Goyal
On 29-09-2024 21:04, Stephen Hemminger wrote:
> It is possible that the info pointer (hp) could get freed twice.
> Fix by nulling after free.
>
> In function 'setup_la12xx_dev',
> inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
> inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
> ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
> 901 | rte_free(hp);
> | ^~~~~~~~~~~~
> ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
> 791 | rte_free(hp);
> | ^~~~~~~~~~~~
>
> Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
> Cc: hemant.agrawal@nxp.com
> Cc: stable@dpdk.org
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
> index 1a56e73abd..cad6f9490e 100644
> --- a/drivers/baseband/la12xx/bbdev_la12xx.c
> +++ b/drivers/baseband/la12xx/bbdev_la12xx.c
> @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
> ipc_priv->hugepg_start.size = hp->len;
>
> rte_free(hp);
> + hp = NULL;
> }
>
> dev_ipc = open_ipc_dev(priv->modem_id);
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 01/18] memzone: fix use after free in tracing
2024-09-29 15:34 ` [PATCH v3 01/18] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-09-30 9:15 ` fengchengwen
0 siblings, 0 replies; 196+ messages in thread
From: fengchengwen @ 2024-09-30 9:15 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Anatoly Burakov, Tyler Retzlaff
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
On 2024/9/29 23:34, Stephen Hemminger wrote:
> Using the freed value for tracing is not a good idea.
> Although it is harmless for tracing, it will cause analyzers to flag
> this as unsafe.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 05/18] examples/vhost: fix free function mismatch
2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-30 9:16 ` fengchengwen
0 siblings, 0 replies; 196+ messages in thread
From: fengchengwen @ 2024-09-30 9:16 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: jin.yu, stable, Maxime Coquelin, Chenbo Xia
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
On 2024/9/29 23:34, Stephen Hemminger wrote:
> The pointer bdev is allocated with rte_zmalloc() and then
> incorrectly freed with free() which will lead to pool corruption.
>
> Bugzilla ID: 1553
> Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
> Cc: jin.yu@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 17/18] eal: add function attributes for allocation functions
2024-09-29 15:34 ` [PATCH v3 17/18] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-09-30 9:19 ` fengchengwen
2024-10-08 8:29 ` Morten Brørup
1 sibling, 0 replies; 196+ messages in thread
From: fengchengwen @ 2024-09-30 9:19 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Tyler Retzlaff, Anatoly Burakov
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
On 2024/9/29 23:34, Stephen Hemminger wrote:
> The allocation functions take an alignment argument that
> can be useful to hint the compiler optimizer.
>
> This is supported by Gcc and Clang but only useful with
> Gcc because Clang gives warning if alignment is 0.
>
> Recent versions of GCC have a malloc attribute that can
> be used to find mismatches between allocation and free;
> the typical problem caught is a pointer allocated with
> rte_malloc() that is then incorrectly freed using free().
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v3 18/18] eal: add alloc_function attribute to rte_malloc
2024-09-29 15:34 ` [PATCH v3 18/18] eal: add alloc_function attribute to rte_malloc Stephen Hemminger
@ 2024-09-30 9:20 ` fengchengwen
0 siblings, 0 replies; 196+ messages in thread
From: fengchengwen @ 2024-09-30 9:20 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Anatoly Burakov, Tyler Retzlaff
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
On 2024/9/29 23:34, Stephen Hemminger wrote:
> Use the GCC function attribute to detect cases where
> memory is allocated with rte_malloc and freed incorrectly
> with libc version of free (and vice versa). Also will detect
> some other pointer mismatches.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (17 preceding siblings ...)
2024-09-29 15:34 ` [PATCH v3 00/18] Fix allocation bugs and add malloc hardening Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-09-30 18:43 ` [PATCH v4 01/17] memzone: fix use after free in tracing Stephen Hemminger
` (16 more replies)
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (4 subsequent siblings)
23 siblings, 17 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells the compiler that object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK, these
should go to stable.
This patch set is structured with:
- fix any new warnings that were discovered
- add macros for enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v4 - rename the malloc attributes to align with what glibc uses in cdefs.h
combine the attribute and rte_malloc patches
Stephen Hemminger (17):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
eal: add function attributes for allocation functions
doc/guides/rel_notes/release_24_11.rst | 8 ++++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 ++++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++------
drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 36 +++++++++++++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++----------
21 files changed, 124 insertions(+), 66 deletions(-)
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
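Added example, not part of the patch set or of DPDK: a toy allocator with rte_malloc()'s argument order that applies the attributes the cover letter describes, including the deallocator being declared before the allocator that names it. pool_alloc, pool_free and the EX_* macros are hypothetical names, and GCC or Clang is assumed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical EX_* macros; this example assumes GCC or Clang. */
#define EX_NOINLINE __attribute__((noinline))
#if defined(__clang__)
#define EX_ALLOC_ALIGN(arg)	/* left out on Clang, as the patch does */
#define EX_ALLOC_FUNC(...) __attribute__((malloc))
#elif __GNUC__ >= 11
#define EX_ALLOC_ALIGN(arg) __attribute__((alloc_align(arg)))
#define EX_ALLOC_FUNC(...) __attribute__((malloc, malloc(__VA_ARGS__)))
#else
#define EX_ALLOC_ALIGN(arg) __attribute__((alloc_align(arg)))
#define EX_ALLOC_FUNC(...) __attribute__((malloc))
#endif
#define EX_MIN_ALIGN 16u

/* Kept just below each block handed out; raw is malloc()'s own pointer. */
struct pool_hdr { void *raw; };

static int live_blocks;

/* Declared first so that the allocator's attribute can name it. */
void pool_free(void *ptr);
void *pool_alloc(const char *type, size_t size, unsigned int align)
	__attribute__((alloc_size(2))) EX_ALLOC_ALIGN(3) EX_ALLOC_FUNC(pool_free, 1);

EX_NOINLINE void *pool_alloc(const char *type, size_t size, unsigned int align)
{
	size_t a = align < EX_MIN_ALIGN ? EX_MIN_ALIGN : align;
	struct pool_hdr *hdr;
	uintptr_t user;
	void *raw;

	(void)type;
	if ((align & (align - 1)) != 0 || size > SIZE_MAX - a - sizeof(*hdr))
		return NULL;	/* not a power of two, or size overflow */
	raw = malloc(size + a + sizeof(*hdr));
	if (raw == NULL)
		return NULL;
	/* Round up past the header so the caller's pointer is aligned. */
	user = ((uintptr_t)raw + sizeof(*hdr) + a - 1) & ~(uintptr_t)(a - 1);
	hdr = (struct pool_hdr *)(user - sizeof(*hdr));
	hdr->raw = raw;
	live_blocks++;
	return (void *)user;
}

EX_NOINLINE void pool_free(void *ptr)
{
	struct pool_hdr *hdr;

	if (ptr == NULL)
		return;	/* no-op, the contract rte_free() documents */
	hdr = (struct pool_hdr *)((uintptr_t)ptr - sizeof(*hdr));
	live_blocks--;
	free(hdr->raw);
}

/* Out of line on purpose: returns the address libc free() would expect. */
EX_NOINLINE void *pool_raw_base(void *ptr)
{
	return ((struct pool_hdr *)((uintptr_t)ptr - sizeof(struct pool_hdr)))->raw;
}

/* 1 if the block honours align and is not the pointer malloc() returned. */
int demo_alloc(size_t size, unsigned int align)
{
	unsigned char *p = pool_alloc("demo", size, align);
	int ok;

	if (p == NULL)
		return 0;
	ok = (align == 0 || (uintptr_t)p % align == 0) &&
	     pool_raw_base(p) != (void *)p;
	/* free(p) here: -Wmismatched-dealloc on GCC 11+, wrong address for libc. */
	pool_free(p);
	return ok;
}

/* The la12xx pattern: early release, then an unconditional free later.
 * Returns the number of blocks still allocated, or -1 if allocation failed. */
int demo_teardown(int early_release)
{
	unsigned char *info = pool_alloc("info", 128, 64);

	if (info == NULL)
		return -1;
	if (early_release) {
		pool_free(info);
		info = NULL;	/* without this, the free below is a double free */
	}
	pool_free(info);
	return live_blocks;
}

int main(void)
{
	return (demo_alloc(100, 64) == 1 && demo_teardown(1) == 0) ? 0 : 1;
}
```

Because the pointer handed to the caller sits past a header inside the malloc() block, passing it to libc free() gives libc an address it never returned, which is the pool corruption the commit messages in this series refer to.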
* [PATCH v4 01/17] memzone: fix use after free in tracing
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-10-01 12:17 ` Burakov, Anatoly
2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (15 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
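Review bot: with rte_eal_trace_memzone_free() moved above rte_free(addr), the trace point now fires before the memory is released rather than after. That is fine for the arguments, since the same name, addr and ret were passed before the move, but the commit has no Fixes: tag or Cc: stable although the cover letter says the fixes should go to stable; if this one is meant to be excluded because it is harmless, say so in the message.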
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
2024-09-30 18:43 ` [PATCH v4 01/17] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-09-30 20:06 ` Ajit Khaparde
2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (14 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
Vikas Gupta, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
2024-09-30 18:43 ` [PATCH v4 01/17] memzone: fix use after free in tracing Stephen Hemminger
2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-10-01 12:41 ` Bruce Richardson
2024-09-30 18:43 ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (13 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (2 preceding siblings ...)
2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-09-30 18:43 ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
` (12 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to cleanup in case of error was passing incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
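Review bot: the removed line freed cnxk_sso_hws_get_cookie(ports[i]) and the new one frees ports[i] itself, so the two versions may pass different addresses to rte_free() and only one of them can be the pointer the allocator returned. The old line was certainly wrong because it read ports[i] after setting it to NULL, but the hunk does not show the allocation, so please confirm that ports[i] is not offset past a cookie header; if it is, keep the saved ws and free cnxk_sso_hws_get_cookie(ws) instead.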
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 05/17] examples/vhost: fix free function mismatch
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (3 preceding siblings ...)
2024-09-30 18:43 ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-09-30 18:43 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger
` (11 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 06/17] net/cnxk: fix use-after-free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (4 preceding siblings ...)
2024-09-30 18:43 ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
` (10 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v4 07/17] bpf: fix free mismatch if convert fails
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (5 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger
` (9 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v4 08/17] net/e1000: fix use-after-free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (6 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (8 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
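Review bot: In igb_delete_2tuple_filter() the three E1000_WRITE_REG() calls are the only readers of filter->index after TAILQ_REMOVE, so copying the index into a local before the teardown would let rte_free(filter) stay next to the list removal and would make the ordering harder to break again. Moving the free to the end, as done here, is correct; the same remark applies to the 5-tuple path in the next two hunks.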
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH v4 09/17] net/sfc: fix use-after-free warning messages
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (7 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
` (7 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
| 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
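Review bot: In sfc_mae_encap_header_del() the sfc_dbg() call now sits before both rte_free(encap_header->buf) and rte_free(encap_header), while sfc_flow_rss_ctx_del() in the first file logs after freeing the member (ctx->qid_offsets) and the other sfc_mae.c hunks log directly before the single free with no blank line. All of these are safe because %p never dereferences the pointer, but the placement and spacing should follow one rule across the patch, preferably the log line immediately before the final rte_free() of the object.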
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v4 10/17] net/cpfl: fix free of nonheap object
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (8 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (6 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
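Review bot: With rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() does nothing except return -EINVAL, so the goto err sites can return -EINVAL directly and the label can be dropped. If the label is kept for future cleanup, a comment saying that layout is embedded in the parent object and must not be freed would keep the call from coming back.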
--
2.45.2
* [PATCH v4 11/17] net/nfp: fix duplicate call to rte_free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (9 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
` (5 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on the same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
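Review bot: Removing rte_free(entry) ahead of rte_free(find_entry) is only correct because the success path goes on to the free_entry label used by the goto above, which is outside this hunk; the quoted warning places that second rte_free(entry) at line 3830. A short comment here noting that entry is released at free_entry would stop the call from being re-added. The commit message describes heap corruption and carries a Fixes: tag but no Cc: stable, which looks like an omission given the cover letter's backport intent.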
--
2.45.2
* [PATCH v4 12/17] raw/ifpga/base: fix use after free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (10 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 13/17] common/qat: " Stephen Hemminger
` (4 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
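Review bot: This private TAILQ_FOREACH_SAFE fallback has the same shape as the LIST_FOREACH_SAFE fallback that patch 16/17 adds to idpf_osdep.h, and two hand-written copies of the idiom invite drift. Putting the fallback in opae_osdep.h, which is included on the line just above, would keep it with the other OS shims of this base code instead of in one .c file.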
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
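Review bot: max10_sensor_uinit() removes every element of the list, so the loop does not need a safe iterator at all: while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) followed by the existing TAILQ_REMOVE() and opae_free(info) drains the list without the extra next variable or the new macro. Either form fixes the read of info after opae_free(); the drain loop is the smaller change.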
--
2.45.2
* [PATCH v4 13/17] common/qat: fix use after free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (11 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (3 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
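Review bot: The use after free named in the subject is the removed QAT_LOG() argument qat_dev_mz->name, which was read after rte_memzone_free(qat_dev_mz) had already run, but the commit message only argues that checking the return value is pointless. State the dereference in the message so the reason for the change is on record. The remaining rte_free(qat_dev->command_line) at error: also dereferences qat_dev, so every goto error must be reached with qat_dev set, which this hunk does not show.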
--
2.45.2
* [PATCH v4 14/17] drivers/ifpga: fix free function mismatch
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (12 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 13/17] common/qat: " Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
` (2 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.
This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
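Review bot: intr_efds is a scratch array that this function frees on every exit path, so switching it to rte_calloc("ifpga_efds", ...) spends huge-page heap on a short-lived buffer only to work around the free to opae_free redefinition that the commit message itself calls a bad idea. That is acceptable as a minimal backportable fix, but the message should point to a follow-up that removes the malloc/free redefinition so this can return to calloc() and free().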
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
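Review bot: After this change ifpga_register_msix_irq() has three separate rte_free(intr_efds) call sites, two on error and one on success, all followed by a return. A single exit label that frees intr_efds and returns ret would leave one place to keep the allocator and deallocator matched.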
--
2.45.2
* [PATCH v4 15/17] baseband/la12xx: prevent use after free
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (13 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 16/17] common/idpf: fix use after free due Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Nicolas Chautru, Nipun Gupta, Akhil Goyal
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
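Review bot: The added hp = NULL only helps because the later cleanup at line 901 (from the quoted warning) calls rte_free() on the same variable and rte_free(NULL) is a no-op; without a comment the assignment looks like a dead store and is easy to delete. Add a one-line comment that the pointer is cleared for the common error path. The warning text names the pointer 'hp_info' while the commit message says hp; use one name in the message.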
--
2.45.2
* [PATCH v4 16/17] common/idpf: fix use after free due
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (14 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-09-30 18:44 ` [PATCH v4 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Xiao Wang, Beilei Xing
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same:
the _SAFE variant guarantees that there will not be a use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index b2af8f443d..7dff9bc79c 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
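Review bot: LIST_FOR_EACH_ENTRY_SAFE now assigns to its temp argument through (tvar) = LIST_NEXT((var), field), so any caller that passes NULL there, as idpf_init_mbx() did before the second file of this patch, stops compiling. The remaining users of the macro need to be checked for a real temporary variable, and the commit message should mention the API tightening. The entry_type parameter is still unused by the expansion.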
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
--
2.45.2
* [PATCH v4 17/17] eal: add function attributes for allocation functions
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
` (15 preceding siblings ...)
2024-09-30 18:44 ` [PATCH v4 16/17] common/idpf: fix use after free due Stephen Hemminger
@ 2024-09-30 18:44 ` Stephen Hemminger
2024-10-01 12:21 ` Burakov, Anatoly
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Tyler Retzlaff, Anatoly Burakov
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer.
This is supported by GCC and Clang but only useful with
GCC because Clang gives a warning if alignment is 0.
Recent versions of GCC have a malloc attribute that can
be used to find mismatches between allocation and free;
the typical problem caught is a pointer allocated with
rte_malloc() that is then incorrectly freed using free().
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_common.h | 36 +++++++++++++++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++++-----------
3 files changed, 76 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index 0ff70d9057..f27a37eac4 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -55,6 +55,14 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..d94d2b9a12 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,42 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) \
+ __attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((__malloc__))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * dealloctor function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) \
+ __attribute__((malloc(dealloc, argno)))
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+#else
+#define __rte_dealloc(dealloc, argno)
+#define __rte_dealloc_free
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
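Review bot: The three new macros test for the compiler in two different ways: __rte_alloc_align and __rte_malloc use RTE_CC_GCC and RTE_CC_CLANG, while __rte_dealloc uses RTE_TOOLCHAIN_GCC with GCC_VERSION >= 110000. Use one convention or explain in the comments why they differ. The __rte_dealloc comment has a typo ("dealloctor") and should also say that the function named in the attribute must already be declared, which is the reason rte_free() moves to the top of rte_malloc.h.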
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..9261605939 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
@@ -54,7 +70,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +98,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +126,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +151,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
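Review bot: Adding __rte_malloc to rte_realloc() here, and to rte_realloc_socket() in the next hunk, asserts that the returned storage contains no pointers to existing objects, and GCC's documentation for the plain malloc attribute states that realloc-like functions do not have that property because the block keeps its old contents. Keep __rte_alloc_size, __rte_alloc_align and __rte_dealloc_free on the two realloc variants, since the deallocator pairing is independent, and drop __rte_malloc from them.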
@@ -158,7 +178,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +206,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +236,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +266,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
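An added example, not part of the patch or of DPDK: a small allocator annotated the way patch 17/17 annotates rte_malloc(), together with the cleanup orderings that the fixes in this series converge on. The `pool_*` functions, the `POOL_*` macros, `struct filter` and `hw_reg` are hypothetical names, and the register array is a constructed stand-in for hardware.

```c
/* Added example: pool_zalloc(), pool_free(), POOL_* and struct filter are
 * hypothetical stand-ins for an rte_malloc-style allocator, not DPDK code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#if defined(__GNUC__) || defined(__clang__)
#define POOL_ATTR(x) __attribute__(x)
#else
#define POOL_ATTR(x)
#endif
#if defined(__GNUC__) && !defined(__clang__)
#define POOL_ALLOC_ALIGN(argno) __attribute__((alloc_align(argno)))
#else
#define POOL_ALLOC_ALIGN(argno)	/* skipped on Clang, as in the patch */
#endif
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define POOL_DEALLOC(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define POOL_DEALLOC(fn, argno)	/* two-argument form needs GCC 11 or later */
#endif

/* The deallocator must be declared before an attribute can name it. Both
 * functions are kept out of line so callers always see the annotated calls. */
POOL_ATTR((noinline)) void pool_free(void *ptr);
POOL_ATTR((noinline)) void *pool_zalloc(size_t size, size_t align)
	POOL_ATTR((alloc_size(1))) POOL_ALLOC_ALIGN(2)
	POOL_ATTR((__malloc__)) POOL_DEALLOC(pool_free, 1);

struct pool_hdr { void *raw; uintptr_t magic; };	/* sits just below the user pointer */
#define POOL_MAGIC ((uintptr_t)0x504f4f4cu)
static size_t pool_live;				/* outstanding allocations */
size_t pool_live_count(void) { return pool_live; }

void *pool_zalloc(size_t size, size_t align)
{
	if (align & (align - 1))
		return NULL;			/* not a power of two */
	if (align < sizeof(void *))
		align = sizeof(void *);		/* also covers 0, the "default" request */
	size_t total = size + align + sizeof(struct pool_hdr);
	unsigned char *raw = total < size ? NULL : calloc(1, total);
	if (raw == NULL)
		return NULL;			/* overflow or out of memory */
	uintptr_t user = ((uintptr_t)raw + sizeof(struct pool_hdr) + align - 1)
			 & ~((uintptr_t)align - 1);
	struct pool_hdr *h = (struct pool_hdr *)(user - sizeof(*h));
	h->raw = raw;
	h->magic = POOL_MAGIC;
	pool_live++;
	return (void *)user;
}

void pool_free(void *ptr)
{
	if (ptr == NULL)
		return;				/* NULL is a no-op, as documented for rte_free() */
	struct pool_hdr *h = (struct pool_hdr *)((uintptr_t)ptr - sizeof(*h));
	if (h->magic != POOL_MAGIC)
		abort();			/* pointer did not come from pool_zalloc() */
	h->magic = 0;
	pool_live--;
	free(h->raw);
}

#define HW_SLOTS 8
static unsigned hw_reg[HW_SLOTS];		/* constructed stand-in for device registers */
struct filter { unsigned index; };

struct filter *filter_create(unsigned index)
{
	struct filter *f = pool_zalloc(sizeof(*f), 64);
	if (f == NULL)
		return NULL;
	if (index >= HW_SLOTS) {
		pool_free(f);	/* error path uses the matching deallocator, not free() */
		return NULL;
	}
	f->index = index;
	hw_reg[index] = 1;
	return f;
}

/* Returns the cleared slot. *fp is set to NULL so that a later cleanup path
 * calling pool_free(*fp) again hits the NULL no-op instead of a double free. */
unsigned filter_delete(struct filter **fp)
{
	unsigned index = (*fp)->index;	/* last read of the object precedes the free */
	hw_reg[index] = 0;
	pool_free(*fp);
	*fp = NULL;
	return index;
}

int main(void)
{
	struct filter *f = filter_create(3);
	return (f != NULL && filter_delete(&f) == 3 && f == NULL && pool_live_count() == 0) ? 0 : 1;
}
```

Built with GCC 11 or later, replacing `pool_free(f)` in `filter_create()` with `free(f)` reproduces the kind of `-Wmismatched-dealloc` diagnostic quoted in patch 07/17.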
* Re: [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free
2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-09-30 20:06 ` Ajit Khaparde
0 siblings, 0 replies; 196+ messages in thread
From: Ajit Khaparde @ 2024-09-30 20:06 UTC (permalink / raw)
To: Stephen Hemminger
Cc: dev, stable, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal
On Mon, Sep 30, 2024 at 11:46 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The device structure is allocated with rte_malloc() and
> then incorrectly freed with free(). This will lead to
> corrupt malloc pool.
>
> Bugzilla ID: 1552
> Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
> ---
> drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
> index ada7ba342c..46522970d5 100644
> --- a/drivers/crypto/bcmfs/bcmfs_device.c
> +++ b/drivers/crypto/bcmfs/bcmfs_device.c
> @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
> return fsdev;
>
> cleanup:
> - free(fsdev);
> + rte_free(fsdev);
>
> return NULL;
> }
> @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
> return;
>
> TAILQ_REMOVE(&fsdev_list, fsdev, next);
> - free(fsdev);
> + rte_free(fsdev);
> }
>
> static int
> --
> 2.45.2
>
* Re: [PATCH v4 01/17] memzone: fix use after free in tracing
2024-09-30 18:43 ` [PATCH v4 01/17] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-10-01 12:17 ` Burakov, Anatoly
0 siblings, 0 replies; 196+ messages in thread
From: Burakov, Anatoly @ 2024-10-01 12:17 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Chengwen Feng, Tyler Retzlaff
On 9/30/2024 8:43 PM, Stephen Hemminger wrote:
> Using the freed value for tracing is not a good idea.
> Although it is harmless for tracing, it will cause analyzers to flag
> this as unsafe.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> ---
> lib/eal/common/eal_common_memzone.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
> index 2d9b6aa3e3..90efbb621d 100644
> --- a/lib/eal/common/eal_common_memzone.c
> +++ b/lib/eal/common/eal_common_memzone.c
> @@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
>
> rte_rwlock_write_unlock(&mcfg->mlock);
>
> + rte_eal_trace_memzone_free(name, addr, ret);
> +
> rte_free(addr);
>
> - rte_eal_trace_memzone_free(name, addr, ret);
> return ret;
> }
>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
--
Thanks,
Anatoly
* Re: [PATCH v4 17/17] eal: add function attributes for allocation functions
2024-09-30 18:44 ` [PATCH v4 17/17] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-10-01 12:21 ` Burakov, Anatoly
2024-10-01 12:25 ` David Marchand
0 siblings, 1 reply; 196+ messages in thread
From: Burakov, Anatoly @ 2024-10-01 12:21 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Chengwen Feng, Tyler Retzlaff
On 9/30/2024 8:44 PM, Stephen Hemminger wrote:
> The allocation functions take an alignment argument that
> can be useful to hint the compiler optimizer.
>
> This is supported by Gcc and Clang but only useful with
> Gcc because Clang gives warning if alignment is 0.
>
> Recent versions of GCC have a malloc attribute that can
> be used to find mismatches between allocation and free;
> the typical problem caught is a pointer allocated with
> rte_malloc() that is then incorrectly freed using free().
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> ---
<snip>
>
> +
> +/**
> + * Frees the memory space pointed to by the provided pointer.
> + *
> + * This pointer must have been returned by a previous call to
> + * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
> + * rte_free() is undefined if the pointer does not match this requirement.
> + *
> + * If the pointer is NULL, the function does nothing.
> + *
> + * @param ptr
> + * The pointer to memory to be freed.
> + */
> +void
> +rte_free(void *ptr);
> +
Is there any particular reason why rte_free was moved?
Otherwise,
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
--
Thanks,
Anatoly
* Re: [PATCH v4 17/17] eal: add function attributes for allocation functions
2024-10-01 12:21 ` Burakov, Anatoly
@ 2024-10-01 12:25 ` David Marchand
2024-10-01 15:25 ` Stephen Hemminger
0 siblings, 1 reply; 196+ messages in thread
From: David Marchand @ 2024-10-01 12:25 UTC (permalink / raw)
To: Burakov, Anatoly; +Cc: Stephen Hemminger, dev, Chengwen Feng, Tyler Retzlaff
On Tue, Oct 1, 2024 at 2:21 PM Burakov, Anatoly
<anatoly.burakov@intel.com> wrote:
> > +
> > +/**
> > + * Frees the memory space pointed to by the provided pointer.
> > + *
> > + * This pointer must have been returned by a previous call to
> > + * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
> > + * rte_free() is undefined if the pointer does not match this requirement.
> > + *
> > + * If the pointer is NULL, the function does nothing.
> > + *
> > + * @param ptr
> > + * The pointer to memory to be freed.
> > + */
> > +void
> > +rte_free(void *ptr);
> > +
>
> Is there any particular reason why rte_free was moved?
>
> Otherwise,
>
> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
I guess this is for the added annotation which points at rte_free symbol.
A forward declaration would be another option.
--
David Marchand
* Re: [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup
2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 12:41 ` Bruce Richardson
0 siblings, 0 replies; 196+ messages in thread
From: Bruce Richardson @ 2024-10-01 12:41 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh
On Mon, Sep 30, 2024 at 11:43:57AM -0700, Stephen Hemminger wrote:
> The data structure is allocated with rte_malloc and incorrectly
> freed in cleanup logic using free.
>
> Bugzilla ID: 1549
> Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
> Cc: kevin.laatz@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
> ---
> drivers/dma/idxd/idxd_pci.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
> index 81637d9420..f89e2b41ff 100644
> --- a/drivers/dma/idxd/idxd_pci.c
> +++ b/drivers/dma/idxd/idxd_pci.c
> @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
> return nb_wqs;
>
> err:
> - free(pci);
> + rte_free(pci);
> return err_code;
> }
>
> --
> 2.45.2
>
* Re: [PATCH v4 17/17] eal: add function attributes for allocation functions
2024-10-01 12:25 ` David Marchand
@ 2024-10-01 15:25 ` Stephen Hemminger
2024-10-02 8:42 ` Burakov, Anatoly
0 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 15:25 UTC (permalink / raw)
To: David Marchand; +Cc: Burakov, Anatoly, dev, Chengwen Feng, Tyler Retzlaff
On Tue, 1 Oct 2024 14:25:46 +0200
David Marchand <david.marchand@redhat.com> wrote:
> On Tue, Oct 1, 2024 at 2:21 PM Burakov, Anatoly
> <anatoly.burakov@intel.com> wrote:
> > > +
> > > +/**
> > > + * Frees the memory space pointed to by the provided pointer.
> > > + *
> > > + * This pointer must have been returned by a previous call to
> > > + * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
> > > + * rte_free() is undefined if the pointer does not match this requirement.
> > > + *
> > > + * If the pointer is NULL, the function does nothing.
> > > + *
> > > + * @param ptr
> > > + * The pointer to memory to be freed.
> > > + */
> > > +void
> > > +rte_free(void *ptr);
> > > +
> >
> > Is there any particular reason why rte_free was moved?
> >
> > Otherwise,
> >
> > Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
>
> I guess this is for the added annotation which points at rte_free symbol.
> A forward declaration would be another option.
Right, compiler now needs to know about the free function.
Moving it was the clean solution and avoids duplication.
If rte_free prototype is not moved...
In file included from ../lib/eal/include/rte_string_fns.h:22,
from ../lib/eal/common/eal_common_config.c:5:
../lib/eal/include/rte_common.h:261:42: error: ‘rte_free’ undeclared here (not in a function)
261 | #define __rte_dealloc_free __rte_dealloc(rte_free, 1)
| ^~~~~~~~
../lib/eal/include/rte_common.h:260:31: note: in definition of macro ‘__rte_dealloc’
260 | __attribute__((malloc(dealloc, argno)))
| ^~~~~~~
../lib/eal/include/rte_malloc.h:58:22: note: in expansion of macro ‘__rte_dealloc_free’
58 | __rte_malloc __rte_dealloc_free;
| ^~~~~~~~~~~~~~~~~~
[16/3024] Compiling C object lib/librte_telemetry.a.p/telemetry_telemetry.c.o
* [PATCH v5 00/17] Fix allocation related bugs and add attributes
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (18 preceding siblings ...)
2024-09-30 18:43 ` [PATCH v4 00/17] Fix allocation bugs and hardening for rte_malloc Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 01/17] memzone: fix use after free in tracing Stephen Hemminger
` (16 more replies)
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (3 subsequent siblings)
23 siblings, 17 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells the compiler that the object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK; these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros to enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v5 - minor touchup to the function attribute wrappers
Stephen Hemminger (17):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
eal: add function attributes for allocation functions
doc/guides/rel_notes/release_24_11.rst | 8 ++++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 ++++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++------
drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 34 ++++++++++++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++----------
21 files changed, 122 insertions(+), 66 deletions(-)
--
2.45.2
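The attributes and the free-before-alloc declaration order described in this cover letter, as an added example that is not DPDK code and not part of the original posting: a toy allocator whose pointers must not be handed to free(). The `demo_*` names, the `DEMO_ALLOC` macro and the header layout are assumptions made for illustration, modelled on the `__rte_dealloc` macro quoted earlier in the thread.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical wrapper modelled on the __rte_dealloc macro quoted in the thread.
 * GCC 11+ only: Clang warns when the alignment argument is 0, as the thread notes. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#define DEMO_ALLOC(dealloc, align_arg) __attribute__((malloc, malloc(dealloc, 1), alloc_align(align_arg)))
#else
#define DEMO_ALLOC(dealloc, align_arg)
#endif

#define DEMO_MAGIC 0x64656d6f68647221ULL /* constructed cookie marking a live block */

struct demo_hdr {
	void *base;     /* pointer returned by libc malloc() */
	uint64_t magic; /* DEMO_MAGIC while the block is live */
};

static int demo_live; /* outstanding demo_malloc() blocks */

/* The deallocator is declared first so the attribute below can name it. */
void demo_free(void *ptr);
void *demo_malloc(size_t size, unsigned int align) DEMO_ALLOC(demo_free, 2);

void *demo_malloc(size_t size, unsigned int align)
{
	if (align < 16)
		align = 16; /* 0 selects a default alignment */
	if ((align & (align - 1)) || size > SIZE_MAX - sizeof(struct demo_hdr) - align)
		return NULL;
	unsigned char *raw = malloc(sizeof(struct demo_hdr) + align + size);
	if (raw == NULL)
		return NULL;
	uintptr_t user = ((uintptr_t)raw + sizeof(struct demo_hdr) + align - 1)
			 & ~((uintptr_t)align - 1);
	struct demo_hdr *hdr = (struct demo_hdr *)user - 1;
	hdr->base = raw;
	hdr->magic = DEMO_MAGIC;
	demo_live++;
	return (void *)user;
}

void demo_free(void *ptr)
{
	if (ptr == NULL)
		return;
	struct demo_hdr *hdr = (struct demo_hdr *)ptr - 1;
	if (hdr->magic != DEMO_MAGIC)
		abort(); /* foreign pointer or double free */
	hdr->magic = 0;
	demo_live--;
	free(hdr->base);
}

/* Distance between the caller's pointer and the one libc owns (never 0). */
size_t demo_base_offset(const void *ptr)
{
	const struct demo_hdr *hdr = (const struct demo_hdr *)ptr - 1;
	return (size_t)((const unsigned char *)ptr - (const unsigned char *)hdr->base);
}

int demo_live_count(void) { return demo_live; }

struct demo_dev { unsigned int index; char *ring; };

/* Probe with the error-path shape of the driver fixes in this series. */
struct demo_dev *demo_dev_probe(unsigned int index, int fail_ring)
{
	struct demo_dev *dev = demo_malloc(sizeof(*dev), 0);
	if (dev == NULL)
		return NULL;
	dev->index = index;
	dev->ring = fail_ring ? NULL : demo_malloc(4096, 64);
	if (dev->ring == NULL)
		goto cleanup;
	return dev;
cleanup:
	/* free(dev) here is the mismatch: GCC 11+ reports -Wmismatched-dealloc,
	 * and libc would be handed a pointer demo_base_offset() bytes past its own. */
	demo_free(dev);
	return NULL;
}

/* Read what is still needed, then free members before their owner. */
unsigned int demo_dev_release(struct demo_dev *dev)
{
	unsigned int index = dev->index;
	demo_free(dev->ring);
	demo_free(dev);
	return index; /* returning dev->index here would be a use-after-free */
}

int main(void)
{
	struct demo_dev *dev = demo_dev_probe(7, 0);
	if (dev == NULL)
		return 1;
	return (demo_dev_release(dev) == 7 && demo_live_count() == 0) ? 0 : 1;
}
```

Replacing `demo_free(dev)` in the cleanup path with `free(dev)` and building with GCC 11 or later shows the diagnostic the series relies on.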
* [PATCH v5 01/17] memzone: fix use after free in tracing
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (15 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
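Review bot: In rte_memzone_free() the trace call only records the value of addr and never dereferences it, so the subject's "use after free" overstates what this hunk changes; the body already calls it harmless. A subject along the lines of "avoid passing freed pointer to trace" would keep this from being read as a memory-safety fix when the series is triaged for stable. The reordering itself is fine: ret is already final at this point and rte_free() returns void, so tracing before the free loses no information.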
--
2.45.2
* [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 01/17] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (14 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
Vikas Gupta, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
* [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 01/17] memzone: fix use after free in tracing Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 17:04 ` Bruce Richardson
2024-10-01 16:35 ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (13 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
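Review bot: The subject prefix "dma/ixd" does not match the file this hunk touches, drivers/dma/idxd/idxd_pci.c; it should read "dma/idxd" so the fix turns up when history is searched by driver name. The change on the err: path of init_pci_device() is otherwise right for a pointer the commit message says came from rte_malloc, and rte_free() is documented as a no-op on NULL, so the label stays safe if it is reached before pci is assigned.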
--
2.45.2
* [PATCH v5 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (2 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
` (12 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to cleanup in case of error was passing incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
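Review bot: In the hws_fini loop the new rte_free(ws) drops the cnxk_sso_hws_get_cookie() call that the removed line applied, so the pointer handed to rte_free() changes, not only the order of the two statements. The defect visible in the removed line is that ports[i] was cleared before it was read, which passed NULL to the helper. Please confirm which pointer rte_malloc returned at setup time: if the helper yields the allocation base, the fix should be rte_free(cnxk_sso_hws_get_cookie(ws)) with ws saved before the NULL store, because freeing ws directly would then pass an interior pointer.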
--
2.45.2
* [PATCH v5 05/17] examples/vhost: fix free function mismatch
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (3 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger
` (11 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
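Review bot: The size in the context line, rte_zmalloc(NULL, blk_cnt * blk_size, 0), is multiplied with no overflow check visible in this hunk; that is outside the fix but worth confirming while vhost_blk_bdev_construct() is open, since a wrapped product would allocate a short buffer and never reach this error path. The free(bdev) to rte_free(bdev) change matches the rte_zmalloc() allocation named in the commit message. The adjacent message "No enough reserved huge memory for disk" could be corrected to "Not enough" in the same patch.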
--
2.45.2
* [PATCH v5 06/17] net/cnxk: fix use-after-free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (4 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
` (10 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
* [PATCH v5 07/17] bpf: fix free mismatch if convert fails
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (5 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger
` (9 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v5 08/17] net/e1000: fix use-after-free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (6 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (8 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
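Review bot: In igb_delete_2tuple_filter() the three E1000_WRITE_REG() calls still read filter->index, so correctness now depends on rte_free(filter) staying the last statement before the return. Copying filter->index into a local before TAILQ_REMOVE() would make the register writes independent of where the free sits and would keep a later edit from reintroducing the bug; the same applies to igb_delete_5tuple_filter_82576() in the following hunks.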
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH v5 09/17] net/sfc: fix use-after-free warning messages
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (7 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
` (7 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
drivers/net/sfc/sfc_flow_rss.c | 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
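Review bot: This hunk leaves a blank line between sfc_dbg() and rte_free(ctx) in sfc_flow_rss_ctx_del(), while the sfc_mae.c hunks for outer_rule, mac_addr, counter, action_set and action_rule put rte_free() directly after sfc_dbg(); one layout should be used across the patch. Since sfc_dbg() only formats the pointer with %p and does not dereference it, the commit message is right to describe this as silencing a warning rather than fixing a memory error.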
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
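Review bot: In sfc_mae_encap_header_del() the "deleted encap_header=%p" message now prints before both rte_free(encap_header->buf) and rte_free(encap_header), whereas sfc_flow_rss_ctx_del() logs after rte_free(ctx->qid_offsets) and before rte_free(ctx). Either order is safe, but the position of the log relative to the member free should be the same in both files; sfc_mae_action_set_list_del() follows the pattern used here.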
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v5 10/17] net/cpfl: fix free of nonheap object
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (8 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (6 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
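Review bot: With rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL, so the label can be dropped and each goto err replaced by a direct return -EINVAL. That also removes the hint that there is cleanup to do at this point, which is what led to the stray free in the first place.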
--
2.45.2
* [PATCH v5 11/17] net/nfp: fix duplicate call to rte_free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (9 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
` (5 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
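Review bot: with the rte_free(entry) ahead of rte_free(find_entry) removed, entry is released only by the second call the warning reports at line 3830, which the goto free_entry in the context suggests sits under the free_entry label; please confirm the success path still reaches that label, otherwise this trades a double free for a leak. The message has a Fixes: tag but no Cc: stable@dpdk.org, unlike the neighbouring fixes in the series.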
--
2.45.2
* [PATCH v5 12/17] raw/ifpga/base: fix use after free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (10 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 13/17] common/qat: " Stephen Hemminger
` (4 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
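Review bot: TAILQ_FOREACH_SAFE is defined at the top of opae_intel_max10.c, so no other file in the base code can use it when freeing list entries during iteration; placing the #ifndef block in opae_osdep.h, which this file already includes, would make it available to the whole driver. Patch 16 in this series puts the equivalent LIST_FOREACH_SAFE in idpf_osdep.h, which is the header-level placement suggested here.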
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
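Review bot: the loop in max10_sensor_uinit() removes and frees every entry, so a drain loop of the form while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) would do the same job without the extra next variable or a locally defined macro. Either form is correct; the list is being emptied here, not filtered, and the simpler loop says so directly.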
--
2.45.2
* [PATCH v5 13/17] common/qat: fix use after free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (11 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (3 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
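Review bot: the deleted branch ran only when rte_memzone_free(qat_dev_mz) returned nonzero, and the commit message says that happens when the pointer is null, so the QAT_LOG argument qat_dev_mz->name was a null dereference on a failed free and not a read of freed memory; the subject line "fix use after free" should say which of the two it is. The message also has a Fixes: tag without a Cc: stable@dpdk.org line.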
--
2.45.2
* [PATCH v5 14/17] drivers/ifpga: fix free function mismatch
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (12 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 13/17] common/qat: " Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
` (2 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
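Review bot: the rte_calloc("ifpga_efds", ...) call replaces a libc calloc() for an array that every exit path in the following hunks frees before returning, and nothing at the call site says why a short-lived scratch array comes from the DPDK heap. The commit message calls this a workaround for the driver redefining free as opae_free; a one-line comment above the allocation saying so would keep a later cleanup from switching it back to calloc().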
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
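Review bot: rte_free(intr_efds) now appears on three separate exit paths of ifpga_register_msix_irq(), two in the error branches and one before return 0, which is the same repeated-cleanup pattern that carried the original mismatch. Setting ret and jumping to a single label that calls rte_free(intr_efds) once would leave one place to get right.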
--
2.45.2
* [PATCH v5 15/17] baseband/la12xx: prevent use after free
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (13 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 16/17] common/idpf: fix use after free due Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Nipun Gupta, Akhil Goyal, Nicolas Chautru
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
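Review bot: the added hp = NULL works because the later rte_free(hp) that the warning reports at line 901 then receives NULL, which rte_free() documents as doing nothing, but the code does not say the assignment exists for that reason. A short comment on the added line, or restructuring so that only one path owns the free, would keep the assignment from being removed later as dead code.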
--
2.45.2
* [PATCH v5 16/17] common/idpf: fix use after free due
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (14 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-01 16:35 ` [PATCH v5 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Beilei Xing, Xiao Wang
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same:
the _SAFE variant guarantees that there will not be a use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index b2af8f443d..7dff9bc79c 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
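Review bot: LIST_FOR_EACH_ENTRY_SAFE now expands to LIST_FOREACH_SAFE(pos, head, list, temp), which assigns to temp, so every caller has to pass a real variable there; the caller in idpf_common_device.c passed NULL and is changed in the next hunk, and any other user of the macro in the base code needs the same check. The entry_type parameter is still accepted and still unused, which deserves a comment next to the definition.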
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
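Review bot: switching idpf_init_mbx() from LIST_FOR_EACH_ENTRY_SAFE to LIST_FOR_EACH_ENTRY suits a loop that only reads ctlq->q_id and ctlq->cq_type, but the commit message does not mention this caller change or that it is forced by the macro now writing to its temp argument. One sentence in the message would cover it; the subject line also ends mid-phrase at "due".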
--
2.45.2
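Why the plain FOREACH form fails when the body frees the current entry, for both the TAILQ_FOREACH_SAFE fix in raw/ifpga/base and the LIST_FOREACH_SAFE fix in common/idpf; this is an added example, not code from either patch. The sensor type, the static arena and the poisoning sensor_release() are constructed stand-ins, so the stale link read is observable without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/queue.h>

/* Fallback with the same shape as the one the patch adds; glibc's
 * <sys/queue.h> does not provide TAILQ_FOREACH_SAFE. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)		\
	for ((var) = TAILQ_FIRST((head));			\
	     (var) && ((tvar) = TAILQ_NEXT((var), field), 1);	\
	     (var) = (tvar))
#endif

#define NSENSORS 4

/* Constructed stand-in for the driver's list entry. */
struct sensor {
	int id;
	TAILQ_ENTRY(sensor) node;
};
TAILQ_HEAD(sensor_list, sensor);

/* Entries live in a static arena, so "released" memory stays readable
 * and the demonstration has no undefined behaviour. */
static struct sensor arena[NSENSORS];
static struct sensor poison = { .id = -1 };
static struct sensor_list head;

/* Stand-in for the free call: overwrite the link the way a poisoning
 * allocator would, so any later read through it is visible. */
static void sensor_release(struct sensor *s)
{
	s->node.tqe_next = &poison;
}

static void list_fill(void)
{
	TAILQ_INIT(&head);
	for (int i = 0; i < NSENSORS; i++) {
		arena[i].id = i;
		TAILQ_INSERT_TAIL(&head, &arena[i], node);
	}
}

/* Pre-patch loop shape. Returns the number of entries released; *stale is
 * set when the iterator stepped through the link of a released entry. */
int teardown_foreach(int *stale)
{
	struct sensor *info;
	int released = 0;

	*stale = 0;
	list_fill();
	TAILQ_FOREACH(info, &head, node) {
		if (info == &poison) {	/* reached via a released entry */
			*stale = 1;
			break;
		}
		TAILQ_REMOVE(&head, info, node);
		sensor_release(info);
		released++;
	}
	return released;
}

/* Post-patch loop shape: the successor is saved before the body runs. */
int teardown_foreach_safe(int *stale)
{
	struct sensor *info, *next;
	int released = 0;

	*stale = 0;
	list_fill();
	TAILQ_FOREACH_SAFE(info, &head, node, next) {
		if (info == &poison) {
			*stale = 1;
			break;
		}
		TAILQ_REMOVE(&head, info, node);
		sensor_release(info);
		released++;
	}
	return released;
}

int main(void)
{
	int stale, n;

	n = teardown_foreach(&stale);
	printf("FOREACH:      released=%d stale_link_read=%d\n", n, stale);
	n = teardown_foreach_safe(&stale);
	printf("FOREACH_SAFE: released=%d stale_link_read=%d\n", n, stale);
	return 0;
}
```

With a real allocator the first loop's step reads freed memory, so the outcome depends on what the allocator did with the block; the arena only makes that read deterministic.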
* [PATCH v5 17/17] eal: add function attributes for allocation functions
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
` (15 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 16/17] common/idpf: fix use after free due Stephen Hemminger
@ 2024-10-01 16:35 ` Stephen Hemminger
2024-10-02 7:06 ` David Marchand
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer. This is supported
by GCC and Clang but only useful with GCC because Clang gives
a warning if alignment is 0.
Newer versions of GCC have a malloc attribute that can be used to find
mismatches between allocation and free; the typical problem caught is a
pointer allocated with rte_malloc() that is then incorrectly freed using
free(). The name of the DPDK wrapper macros for these attributes
are chosen to be similar to what GLIBC is using in cdefs.h.
Note: The rte_free function prototype was moved ahead of the allocation
functions since the dealloc attribute now refers to it.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_common.h | 34 ++++++++++++++++
lib/eal/include/rte_malloc.h | 55 +++++++++++++++-----------
3 files changed, 74 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index 0ff70d9057..f27a37eac4 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -55,6 +55,14 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
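Review bot: the release note lists what the attributes catch but not the effect on applications: the annotated prototypes are in the public header lib/eal/include/rte_malloc.h, so application code built with GCC 11 or later and -Werror can start failing on its own mismatched or repeated frees. A sentence saying so would help users who upgrade. Minor wording: "on pointer" should read "on a pointer".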
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..595cadd5b8 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) __attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((malloc))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * dealloctor function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) __attribute__((malloc(dealloc, argno)))
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+#else
+#define __rte_dealloc(dealloc, argno)
+#define __rte_dealloc_free
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
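Review bot: the three new blocks are guarded by different macros: __rte_alloc_align tests RTE_CC_GCC, __rte_malloc tests RTE_CC_GCC or RTE_CC_CLANG, and __rte_dealloc tests RTE_TOOLCHAIN_GCC together with GCC_VERSION. If one of those names is not defined in a GCC build, the attribute silently expands to nothing and the check it provides is lost without any build error, so the guards should follow a single convention that is known to be defined.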
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..9261605939 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
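Review bot: the doc comment that moves with rte_free() still names only rte_malloc(), rte_zmalloc(), rte_calloc() and rte_realloc() as valid sources for the pointer, while this patch attaches __rte_dealloc_free to the _socket variants as well. Listing them, or referring to the whole rte_malloc family, would make the comment match what the compiler now enforces.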
@@ -54,7 +70,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +98,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +126,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +151,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
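Review bot: __rte_malloc on rte_realloc() needs a second look: GCC documents the malloc attribute as also meaning that the returned storage holds no pointers to valid objects, and notes that realloc-like functions do not have that property because the block they return carries over the old contents. Keeping __rte_alloc_size, __rte_alloc_align and __rte_dealloc_free here and dropping __rte_malloc would avoid giving the optimizer a guarantee the function cannot keep. The same applies to rte_realloc_socket() in the next hunk.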
@@ -158,7 +178,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +206,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +236,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +266,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
* Re: [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup
2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-01 17:04 ` Bruce Richardson
0 siblings, 0 replies; 196+ messages in thread
From: Bruce Richardson @ 2024-10-01 17:04 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh
On Tue, Oct 01, 2024 at 09:35:26AM -0700, Stephen Hemminger wrote:
> The data structure is allocated with rte_malloc and incorrectly
> freed in cleanup logic using free.
>
> Bugzilla ID: 1549
> Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
> Cc: kevin.laatz@intel.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
From previous revision:
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
* Re: [PATCH v5 17/17] eal: add function attributes for allocation functions
2024-10-01 16:35 ` [PATCH v5 17/17] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-10-02 7:06 ` David Marchand
0 siblings, 0 replies; 196+ messages in thread
From: David Marchand @ 2024-10-02 7:06 UTC (permalink / raw)
To: Stephen Hemminger
Cc: dev, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff, Morten Brørup
On Tue, Oct 1, 2024 at 6:39 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
> diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
> index eec0400dad..595cadd5b8 100644
> --- a/lib/eal/include/rte_common.h
> +++ b/lib/eal/include/rte_common.h
> @@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
> #define __rte_alloc_size(...)
> #endif
>
> +/**
> + * Tells the compiler that the function returns a value that points to
> + * memory aligned by a function argument.
> + *
> + * Note: not enabled on Clang because it warns if align argument is zero.
> + */
> +#if defined(RTE_CC_GCC)
> +#define __rte_alloc_align(argno) __attribute__((alloc_align(argno)))
> +#else
> +#define __rte_alloc_align(argno)
> +#endif
> +
> +/**
> + * Tells the compiler this is a function like malloc and that the pointer
> + * returned cannot alias any other pointer (ie new memory).
> + */
> +#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
> +#define __rte_malloc __attribute__((malloc))
> +#else
> +#define __rte_malloc
> +#endif
> +
> +/**
> + * With recent GCC versions also able to track that proper
> + * dealloctor function is used for this pointer.
deallocator*
> + */
> +#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
> +#define __rte_dealloc(dealloc, argno) __attribute__((malloc(dealloc, argno)))
> +#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
__rte_dealloc_free should not be in rte_common.h but in rte_malloc.h.
> +#else
> +#define __rte_dealloc(dealloc, argno)
> +#define __rte_dealloc_free
> +#endif
> +
> #define RTE_PRIORITY_LOG 101
> #define RTE_PRIORITY_BUS 110
> #define RTE_PRIORITY_CLASS 120
> diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
> index 1f91e7bdde..9261605939 100644
> --- a/lib/eal/include/rte_malloc.h
> +++ b/lib/eal/include/rte_malloc.h
> @@ -31,6 +31,22 @@ struct rte_malloc_socket_stats {
> size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
> };
>
> +
Nit: no need for extra line.
> +/**
> + * Frees the memory space pointed to by the provided pointer.
> + *
> + * This pointer must have been returned by a previous call to
> + * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
> + * rte_free() is undefined if the pointer does not match this requirement.
> + *
--
David Marchand
* Re: [PATCH v4 17/17] eal: add function attributes for allocation functions
2024-10-01 15:25 ` Stephen Hemminger
@ 2024-10-02 8:42 ` Burakov, Anatoly
0 siblings, 0 replies; 196+ messages in thread
From: Burakov, Anatoly @ 2024-10-02 8:42 UTC (permalink / raw)
To: Stephen Hemminger, David Marchand; +Cc: dev, Chengwen Feng, Tyler Retzlaff
On 10/1/2024 5:25 PM, Stephen Hemminger wrote:
> On Tue, 1 Oct 2024 14:25:46 +0200
> David Marchand <david.marchand@redhat.com> wrote:
>
>> On Tue, Oct 1, 2024 at 2:21 PM Burakov, Anatoly
>> <anatoly.burakov@intel.com> wrote:
>>>> +
>>>> +/**
>>>> + * Frees the memory space pointed to by the provided pointer.
>>>> + *
>>>> + * This pointer must have been returned by a previous call to
>>>> + * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
>>>> + * rte_free() is undefined if the pointer does not match this requirement.
>>>> + *
>>>> + * If the pointer is NULL, the function does nothing.
>>>> + *
>>>> + * @param ptr
>>>> + * The pointer to memory to be freed.
>>>> + */
>>>> +void
>>>> +rte_free(void *ptr);
>>>> +
>>>
>>> Is there any particular reason why rte_free was moved?
>>>
>>> Otherwise,
>>>
>>> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
>>
>> I guess this is for the added annotation which points at rte_free symbol.
>> A forward declaration would be another option.
>
> Right, compiler now needs to know about the free function.
> Moving it was the clean solution and avoids duplication.
>
> If rte_free prototype is not moved...
>
> In file included from ../lib/eal/include/rte_string_fns.h:22,
> from ../lib/eal/common/eal_common_config.c:5:
> ../lib/eal/include/rte_common.h:261:42: error: ‘rte_free’ undeclared here (not in a function)
> 261 | #define __rte_dealloc_free __rte_dealloc(rte_free, 1)
> | ^~~~~~~~
> ../lib/eal/include/rte_common.h:260:31: note: in definition of macro ‘__rte_dealloc’
> 260 | __attribute__((malloc(dealloc, argno)))
> | ^~~~~~~
> ../lib/eal/include/rte_malloc.h:58:22: note: in expansion of macro ‘__rte_dealloc_free’
> 58 | __rte_malloc __rte_dealloc_free;
> | ^~~~~~~~~~~~~~~~~~
> [16/3024] Compiling C object lib/librte_telemetry.a.p/telemetry_telemetry.c.o
Makes sense, let's move the function then.
--
Thanks,
Anatoly
* [PATCH v6 00/17] Fix allocation related bugs and catch future bugs
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (19 preceding siblings ...)
2024-10-01 16:35 ` [PATCH v5 00/17] Fix allocation related bugs and add attributes Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 01/17] memzone: fix use after free in tracing Stephen Hemminger
` (16 more replies)
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (2 subsequent siblings)
23 siblings, 17 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells the compiler that the object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK, these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros for enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v6 - move __rte_dealloc_free macro to rte_malloc.h
Stephen Hemminger (17):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
eal: add function attributes for allocation functions
doc/guides/rel_notes/release_24_11.rst | 8 +++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 +++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 34 +++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++---------
21 files changed, 126 insertions(+), 66 deletions(-)
--
2.45.2
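The allocator and deallocator pairing described in the cover letter, as an added example that is not DPDK code: a hypothetical pool_alloc()/pool_free() pair annotated the way the series annotates rte_malloc()/rte_free(), with the deallocator declared first because the attribute refers to it. The EX_* macro names, the header layout and the SHOW_MISMATCH switch are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical EX_* wrappers, modelled on the __rte_* macros in the patch. */
#if defined(__GNUC__)
#define EX_MALLOC          __attribute__((malloc))
#define EX_ALLOC_SIZE(...) __attribute__((alloc_size(__VA_ARGS__)))
#define EX_NOINLINE        __attribute__((noinline))
#else
#define EX_MALLOC
#define EX_ALLOC_SIZE(...)
#define EX_NOINLINE
#endif
/* GCC only, following the patch: Clang warns when the alignment is zero. */
#if defined(__GNUC__) && !defined(__clang__)
#define EX_ALLOC_ALIGN(argno) __attribute__((alloc_align(argno)))
#else
#define EX_ALLOC_ALIGN(argno)
#endif
/* The two-argument form that names the deallocator needs GCC 11 or later. */
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define EX_DEALLOC(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define EX_DEALLOC(fn, argno)
#endif

/* Declared first: EX_DEALLOC(pool_free, 1) below refers to this symbol.
 * noinline (a choice of this example) keeps both functions as real calls,
 * so inlining one side cannot pair pool_alloc() with the libc free()
 * that pool_free() uses internally. */
EX_NOINLINE void pool_free(void *ptr);
EX_NOINLINE void *pool_alloc(size_t size, size_t align)
	EX_ALLOC_SIZE(1) EX_ALLOC_ALIGN(2) EX_MALLOC EX_DEALLOC(pool_free, 1);

static size_t pool_live;	/* blocks handed out and not yet returned */
struct pool_hdr { void *raw; };	/* stored just below the caller's pointer */

void *pool_alloc(size_t size, size_t align)
{
	if (align < sizeof(void *))
		align = sizeof(void *);
	if ((align & (align - 1)) != 0)
		return NULL;		/* not a power of two */
	if (size > SIZE_MAX - align - sizeof(struct pool_hdr))
		return NULL;		/* size computation would wrap */

	unsigned char *raw = malloc(size + align + sizeof(struct pool_hdr));
	if (raw == NULL)
		return NULL;
	uintptr_t p = ((uintptr_t)raw + sizeof(struct pool_hdr) + align - 1)
		      & ~((uintptr_t)align - 1);
	((struct pool_hdr *)p)[-1].raw = raw;
	pool_live++;
	return (void *)p;
}

void pool_free(void *ptr)
{
	if (ptr == NULL)
		return;			/* same contract as rte_free(NULL) */
	void *raw = ((struct pool_hdr *)ptr)[-1].raw;
	pool_live--;
	free(raw);
}

size_t pool_live_blocks(void) { return pool_live; }

/* Correct pairing. Returns 1 when the block had the requested alignment
 * and the live count is back where it started after the release. */
int roundtrip_ok(size_t size, size_t align)
{
	size_t before = pool_live;
	unsigned char *buf = pool_alloc(size, align);
	if (buf == NULL)
		return 0;
	int aligned = ((uintptr_t)buf & (align - 1)) == 0;
	memset(buf, 0xA5, size);
	pool_free(buf);
	return aligned && pool_live == before;
}

#ifdef SHOW_MISMATCH
/* Build with -DSHOW_MISMATCH on GCC 11+: -Wmismatched-dealloc reports that
 * free() is not the deallocator declared for pool_alloc(). Never called. */
void mismatched_release(void)
{
	char *p = pool_alloc(32, 16);
	free(p);
}
#endif

int main(void)
{
	printf("roundtrip ok: %d\n", roundtrip_ok(100, 64));
	printf("live blocks:  %zu\n", pool_live_blocks());
	return 0;
}
```

Swapping the two prototypes reproduces the "undeclared here" build error quoted earlier in the thread, which is why the series moves rte_free() ahead of the allocators.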
* [PATCH v6 01/17] memzone: fix use after free in tracing
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (15 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
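Review bot: the moved rte_eal_trace_memzone_free(name, addr, ret) call passes addr by value, so the reorder changes only when the trace point fires relative to rte_free(addr), not what it records. Since the commit message describes the old order as harmless, the absence of Fixes: and Cc: stable tags looks intentional, but a sentence saying this one is not meant for backport would make that explicit.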
--
2.45.2
* [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 01/17] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (14 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi,
Vikas Gupta, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
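Review bot: both hunks change free(fsdev) to rte_free(fsdev), under the cleanup: label of fsdev_allocate_one_dev() and in fsdev_release(), but the allocation itself is outside the diff context; quoting the allocating call in the commit message would let a reader confirm the pairing without opening the file. The subject prefix cryptodev/bcmfs also differs from the crypto/bcmfs prefix in the Fixes: line and from the drivers/crypto/bcmfs path.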
--
2.45.2
* [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 01/17] memzone: fix use after free in tracing Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (13 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
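Review bot: the subject prefix reads dma/ixd, but the file changed in this hunk is drivers/dma/idxd/idxd_pci.c and the Fixes: line names dma/idxd, so the prefix should be dma/idxd for log searches by component to find the fix. The err: path itself now pairs rte_free(pci) with the rte_malloc allocation the commit message describes, and needs no further change.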
--
2.45.2
* [PATCH v6 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (2 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
` (12 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
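Review bot: in the hws_fini loop the replacement frees ports[i] directly, where the removed line passed the pointer through cnxk_sso_hws_get_cookie() first, and which of the two is the address the allocator returned is not visible in this hunk. If the setup path stores a pointer past a cookie header in ports[i], rte_free(ws) frees an interior pointer; in that case keep the saved ws but call rte_free(cnxk_sso_hws_get_cookie(ws)). The commit message should say which pointer the allocation returns so the change can be checked against the setup code.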
--
2.45.2
* [PATCH v6 05/17] examples/vhost: fix free function mismatch
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (3 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger
` (11 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
* [PATCH v6 06/17] net/cnxk: fix use-after-free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (4 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
` (10 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
* [PATCH v6 07/17] bpf: fix free mismatch if convert fails
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (5 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger
` (9 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v6 08/17] net/e1000: fix use-after-free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (6 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (8 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH v6 09/17] net/sfc: fix use-after-free warning messages
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (7 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
` (7 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
| 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
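Review bot: in sfc_mae_encap_header_del() the "deleted encap_header=%p" message now sits before both rte_free() calls and is followed by a blank line, while the single-free hunks in sfc_mae.c put sfc_dbg() directly before rte_free() with no blank line and the sfc_flow_rss.c hunk adds one; pick one layout for all of them (the same applies to sfc_mae_action_set_list_del()). Since sfc_dbg() only prints the pointer value with %p and does not dereference it, the commit message could say that the old order was a warning trigger and not a memory-safety bug, which would also explain why there is no Cc: stable tag.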
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v6 10/17] net/cpfl: fix free of nonheap object
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (8 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (6 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
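Review bot: with the rte_free() gone, the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL, so the label and the gotos that target it can be replaced by direct returns. The hunk does not show what else the function allocates before reaching this path; if anything is allocated per layout entry, confirm it is released elsewhere now that this label frees nothing.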
--
2.45.2
* [PATCH v6 11/17] net/nfp: fix duplicate call to rte_free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (9 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
` (5 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on the same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
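Review bot: after this removal the only remaining rte_free(entry) is the one the warning places at line 3830, which the goto free_entry above suggests is under a label outside this hunk; please confirm the success path still falls through to it, otherwise entry leaks where it was previously freed twice. The commit message describes heap corruption and carries a Fixes: tag but no Cc: stable@dpdk.org, unlike the other bug fixes in the series.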
--
2.45.2
* [PATCH v6 12/17] raw/ifpga/base: fix use after free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (10 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 13/17] common/qat: " Stephen Hemminger
` (4 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
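Review bot: max10_sensor_uinit() removes and frees every element, so a drain loop of the form while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) would need neither the extra next variable nor the locally defined TAILQ_FOREACH_SAFE fallback added at the top of the file. If the macro stays, note that patch 16 adds the same construct for LIST_ in idpf_osdep.h; one shared definition would be easier to keep correct than two private copies.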
--
2.45.2
* [PATCH v6 13/17] common/qat: fix use after free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (11 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (3 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
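Review bot: the subject says use after free, but the commit message only says the return value check is pointless; the defect in the removed lines is that QAT_LOG() reads qat_dev_mz->name after qat_dev_mz has been passed to rte_memzone_free(), and by the message's own reasoning that branch runs only when the pointer was NULL. Please state that in the message so the Fixes: tag can be matched to a concrete bug. The first statement of the error path, rte_free(qat_dev->command_line), still dereferences qat_dev, so it is worth confirming that every goto error is reached only after qat_dev is valid.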
--
2.45.2
* [PATCH v6 14/17] drivers/ifpga: fix free function mismatch
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (12 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 13/17] common/qat: " Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:42 ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
` (2 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand,
Hyong Youb Kim
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.
This leads to a case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
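Review bot: intr_efds is now released by three separate rte_free() calls in ifpga_register_msix_irq(), two on the error returns and one on success; a single exit label that frees the array and returns the result would leave one place where the allocator pairing has to be right. The commit message calls this a workaround for the driver redefining malloc and free, so a follow-up that removes those redefinitions would address the cause.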
--
2.45.2
* [PATCH v6 15/17] baseband/la12xx: prevent use after free
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (13 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-02 15:42 ` Stephen Hemminger
2024-10-02 15:43 ` [PATCH v6 16/17] common/idpf: fix use after free due Stephen Hemminger
2024-10-02 15:43 ` [PATCH v6 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Nicolas Chautru, Nipun Gupta, Akhil Goyal
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
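Review bot: hp = NULL after rte_free(hp) only helps because the later rte_free(hp) that the warning reports at line 901 is a no-op on NULL, and nothing in the hunk says so; add a one-line comment that the pointer is cleared because the common exit path frees it again, so the assignment is not later removed as dead code.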
--
2.45.2
* [PATCH v6 16/17] common/idpf: fix use after free due
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (14 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-10-02 15:43 ` Stephen Hemminger
2024-10-02 15:43 ` [PATCH v6 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Beilei Xing, Xiao Wang
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same;
the _SAFE variant guarantees that there will not be use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index b2af8f443d..7dff9bc79c 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
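Review bot: LIST_FOR_EACH_ENTRY_SAFE now assigns to its temp argument through LIST_FOREACH_SAFE, so any caller that passes NULL for temp, as the call in idpf_init_mbx() did before the second file in this patch changed it, will no longer build; check the rest of the driver and base code for other such callers before this lands. The subject line ends in "due", which looks truncated.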
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
--
2.45.2
* [PATCH v6 17/17] eal: add function attributes for allocation functions
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
` (15 preceding siblings ...)
2024-10-02 15:43 ` [PATCH v6 16/17] common/idpf: fix use after free due Stephen Hemminger
@ 2024-10-02 15:43 ` Stephen Hemminger
2024-10-02 16:45 ` Wathsala Wathawana Vithanage
2024-10-08 9:03 ` Morten Brørup
16 siblings, 2 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 15:43 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer. This is supported
by GCC and Clang but only useful with GCC because Clang gives
a warning if alignment is 0.
Newer versions of GCC have a malloc attribute that can be used to find
mismatches between allocation and free; the typical problem caught is a
pointer allocated with rte_malloc() that is then incorrectly freed using
free(). The name of the DPDK wrapper macros for these attributes
are chosen to be similar to what GLIBC is using in cdefs.h.
Note: The rte_free function prototype was moved ahead of the allocation
functions since the dealloc attribute now refers to it.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_common.h | 34 +++++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++++----------
3 files changed, 78 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index 0ff70d9057..f27a37eac4 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -55,6 +55,14 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..a53051072e 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) \
+ __attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((__malloc__))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * deallocator function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) \
+ __attribute__((malloc(dealloc, argno)))
+#else
+#define __rte_dealloc(dealloc, argno)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
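Review bot: the three new macros are guarded by different symbols: __rte_alloc_align and __rte_malloc test RTE_CC_GCC / RTE_CC_CLANG, while __rte_dealloc tests RTE_TOOLCHAIN_GCC together with GCC_VERSION. Please use one family of symbols throughout, or say in the comment why __rte_dealloc needs the other one, so that a build defining only one of them does not silently lose the deallocator check. The __rte_dealloc comment also has no subject ("With recent GCC versions also able to track ...") and does not document its two parameters: dealloc is the matching free function and argno is the position of the pointer in that function's argument list.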
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..176a94d1bf 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,26 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+/**
+ * Function attribut for prototypes that expect to release memory with rte_free()
+ */
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
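Review bot: typo in the new comment above __rte_dealloc_free: "attribut" should be "attribute". It would also help to say in that comment that the macro must come after the rte_free() prototype, since that ordering is the reason the prototype is moved up in this hunk.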
@@ -54,7 +74,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +102,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +130,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
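Review bot: __rte_malloc on rte_realloc() does not match the definition given for that macro in rte_common.h ("the pointer returned cannot alias any other pointer (ie new memory)"). A realloc-style function may hand back the block that was passed in as ptr, and the returned storage carries the old contents, so the no-alias promise does not hold. Suggest keeping __rte_alloc_size(2) __rte_alloc_align(3) and __rte_dealloc_free here and dropping __rte_malloc; the same applies to rte_realloc_socket() in the next hunk.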
@@ -158,7 +182,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +210,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +240,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +270,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* RE: [PATCH v6 17/17] eal: add function attributes for allocation functions
2024-10-02 15:43 ` [PATCH v6 17/17] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-10-02 16:45 ` Wathsala Wathawana Vithanage
2024-10-02 18:23 ` Ajit Khaparde
2024-10-08 9:03 ` Morten Brørup
1 sibling, 1 reply; 196+ messages in thread
From: Wathsala Wathawana Vithanage @ 2024-10-02 16:45 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Chengwen Feng, Anatoly Burakov, Tyler Retzlaff, nd
> -----Original Message-----
> Subject: [PATCH v6 17/17] eal: add function attributes for allocation functions
>
> The allocation functions take an alignment argument that can be useful to hint
> the compiler optimizer. This is supported by GCC and Clang but only useful with
> GCC because Clang gives a warning if alignment is 0.
>
> Newer versions of GCC have a malloc attribute that can be used to find
> mismatches between allocation and free; the typical problem caught is a
> pointer allocated with rte_malloc() that is then incorrectly freed using free().
> The names of the DPDK wrapper macros for these attributes are chosen to be
> similar to what GLIBC is using in cdefs.h.
> Note: The rte_free function prototype was moved ahead of the allocation
> functions since the dealloc attribute now refers to it.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
Acked-by: Wathsala Vithanage <wathsala.vithanage@arm.com>
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH v6 17/17] eal: add function attributes for allocation functions
2024-10-02 16:45 ` Wathsala Wathawana Vithanage
@ 2024-10-02 18:23 ` Ajit Khaparde
0 siblings, 0 replies; 196+ messages in thread
From: Ajit Khaparde @ 2024-10-02 18:23 UTC (permalink / raw)
To: Wathsala Wathawana Vithanage
Cc: Stephen Hemminger, dev, Chengwen Feng, Anatoly Burakov,
Tyler Retzlaff, nd
On Wed, Oct 2, 2024 at 9:45 AM Wathsala Wathawana Vithanage
<wathsala.vithanage@arm.com> wrote:
>
>
>
> > -----Original Message-----
> > Subject: [PATCH v6 17/17] eal: add function attributes for allocation functions
> >
> > The allocation functions take an alignment argument that can be useful to hint
> > the compiler optimizer. This is supported by GCC and Clang but only useful with
> > GCC because Clang gives a warning if alignment is 0.
> >
> > Newer versions of GCC have a malloc attribute that can be used to find
> > mismatches between allocation and free; the typical problem caught is a
> > pointer allocated with rte_malloc() that is then incorrectly freed using free().
> > The names of the DPDK wrapper macros for these attributes are chosen to be
> > similar to what GLIBC is using in cdefs.h.
> > Note: The rte_free function prototype was moved ahead of the allocation
> > functions since the dealloc attribute now refers to it.
> >
> > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> > Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> > Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
>
> Acked-by: Wathsala Vithanage <wathsala.vithanage@arm.com>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 00/16] Fix allocation bugs and prevent future ones
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (20 preceding siblings ...)
2024-10-02 15:42 ` [PATCH v6 00/17] Fix allocation related bugs and catch future bugs Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 01/16] memzone: fix use after free in tracing Stephen Hemminger
` (16 more replies)
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
23 siblings, 17 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells the compiler that the object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK; these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros to enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v7 - rebase and reword the release note
Stephen Hemminger (16):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
drivers/common/qat/qat_device.c | 6 +-----
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 ++--
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 ++-
18 files changed, 48 insertions(+), 43 deletions(-)
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
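The attribute combination described in the cover letter above, as an added example (not code from the patch set or from DPDK): pool_alloc(), pool_free() and the POOL_* macros are hypothetical stand-ins for rte_malloc(), rte_free() and the __rte_* macros, and GCC or Clang is assumed. Building with -DSHOW_DIAGNOSTICS compiles the two bug patterns so the warnings quoted in this thread can be reproduced.

```c
/* Added illustration for GCC or Clang: pool_alloc(), pool_free() and the POOL_*
 * macros are hypothetical stand-ins for rte_malloc(), rte_free(), __rte_*. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_MALLOC __attribute__((__malloc__))
#define POOL_NOINLINE __attribute__((noinline)) /* keep alloc/free as real calls */
#if !defined(__clang__) /* GCC only, as in the patch */
#define POOL_ALLOC_ALIGN(argno) __attribute__((alloc_align(argno)))
#else
#define POOL_ALLOC_ALIGN(argno)
#endif
#if !defined(__clang__) && (__GNUC__ >= 11) /* deallocator form: GCC 11 or later */
#define POOL_DEALLOC(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define POOL_DEALLOC(fn, argno)
#endif

/* The deallocator is declared first because the attribute below names it. */
void pool_free(void *ptr);
void *pool_alloc(size_t size, size_t align)
	POOL_ALLOC_ALIGN(2) POOL_MALLOC POOL_DEALLOC(pool_free, 1);

static long live; /* allocations not yet released */
long pool_live(void) { return live; }

/* Toy allocator: over-allocate, align up, and keep the raw libc pointer just
 * below the address handed out, so free() on that address is a real bug. */
POOL_NOINLINE void *pool_alloc(size_t size, size_t align)
{
	if (align < sizeof(void *))
		align = sizeof(void *);
	if ((align & (align - 1)) != 0 || size > SIZE_MAX - align - sizeof(void *))
		return NULL; /* not a power of two, or the padded size overflows */
	unsigned char *raw = malloc(size + align + sizeof(void *));
	if (raw == NULL)
		return NULL;
	uintptr_t user = ((uintptr_t)raw + sizeof(void *) + align - 1) & ~(uintptr_t)(align - 1);
	memcpy((void *)(user - sizeof(void *)), &raw, sizeof(raw));
	live++;
	return (void *)user;
}

POOL_NOINLINE void pool_free(void *ptr)
{
	void *raw;
	if (ptr == NULL)
		return; /* like rte_free(NULL): nothing to do */
	memcpy(&raw, (unsigned char *)ptr - sizeof(void *), sizeof(raw));
	free(raw);
	live--;
}

struct rule { int index; char *name; };

/* Teardown order used by the fixes: read fields, free members, free parent. */
static int rule_del(struct rule *r)
{
	int index = r->index; /* last read of the object */
	pool_free(r->name);
	pool_free(r);
	return index; /* saved copy, not r->index */
}

int demo_rule_teardown(void)
{
	struct rule *r = pool_alloc(sizeof(*r), 0);
	if (r == NULL)
		return -1;
	r->index = 7;
	r->name = pool_alloc(16, 0);
	return rule_del(r);
}

int demo_aligned_roundtrip(size_t align)
{
	unsigned char *p = align ? pool_alloc(100, align) : NULL;
	int ok = p != NULL && ((uintptr_t)p % align) == 0;
	pool_free(p);
	return ok;
}

#ifdef SHOW_DIAGNOSTICS /* deliberately wrong; build with -DSHOW_DIAGNOSTICS */
void buggy(void)
{
	char *a = pool_alloc(32, 0), *b = pool_alloc(32, 0);
	free(a);      /* -Wmismatched-dealloc */
	pool_free(b);
	pool_free(b); /* -Wuse-after-free */
}
#endif

int main(void)
{
	printf("aligned=%d index=%d live=%ld\n", demo_aligned_roundtrip(64),
	       demo_rule_teardown(), pool_live());
	return 0;
}
```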
* [PATCH v7 01/16] memzone: fix use after free in tracing
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (15 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 01/16] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (14 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta,
Akhil Goyal, Raveendra Padasalagi
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 01/16] memzone: fix use after free in tracing Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
` (13 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 81637d9420..f89e2b41ff 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
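Review bot: nit on the subject line rather than on the err: path changed here: the prefix reads "dma/ixd" but the file touched is drivers/dma/idxd/idxd_pci.c and the Fixes: line uses "dma/idxd", so the prefix should be "dma/idxd" to keep the commit findable by driver name.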
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (2 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-03 5:52 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula
2024-10-02 18:37 ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger
` (12 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
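Review bot: in the hws_fini loop the new code frees ws, the raw ports[i] value, whereas the removed line passed ports[i] through cnxk_sso_hws_get_cookie() first. If the rte_malloc'ed block starts at the cookie and ports[i] points past it, the pointer to release is cnxk_sso_hws_get_cookie(ws), and rte_free(ws) would hand the allocator an interior pointer. Please confirm which address the allocation returns. Saving ports[i] before clearing it is the right fix for the NULL that was being passed in either case.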
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 05/16] examples/vhost: fix free function mismatch
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (3 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger
` (11 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 06/16] net/cnxk: fix use-after-free
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (4 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger
` (10 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 07/16] bpf: fix free mismatch if convert fails
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (5 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger
` (9 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 08/16] net/e1000: fix use-after-free
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (6 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 09/16] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (8 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 095be27b08..973d0d2407 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 09/16] net/sfc: fix use-after-free warning messages
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (7 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger
` (7 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
drivers/net/sfc/sfc_flow_rss.c | 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 10/16] net/cpfl: fix free of nonheap object
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (8 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 09/16] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 11/16] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (6 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 40569ddc6f..30abaad7c8 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
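Review bot: with the rte_free() gone, the err: label in cpfl_flow_js_mr_layout() only does "return -EINVAL;". Consider replacing the goto err sites with a direct return and dropping the label. The commit message would also benefit from one sentence on who owns js_mod->layout on this path, since the quoted warning shows it is part of the parser's modifications array and the caller's cleanup is not visible here.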
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v7 11/16] net/nfp: fix duplicate call to rte_free
2024-10-02 18:37 ` [PATCH v7 00/16] Fix allocation bugs and prevent future ones Stephen Hemminger
` (9 preceding siblings ...)
2024-10-02 18:37 ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-02 18:37 ` Stephen Hemminger
2024-10-02 18:37 ` [PATCH v7 12/16] raw/ifpga/base: fix use after free Stephen Hemminger
` (5 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on the same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
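Review bot: once the rte_free(entry) at line 3825 is removed, entry on this path is released only by the later call the warning quotes at line 3830, so the code after priv->pre_tun_cnt-- has to fall through to that free rather than return early; the hunk does not show it, so please confirm. The message says the double free corrupts the heap and carries a Bugzilla ID, yet unlike the neighbouring fixes it has no Cc: stable@dpdk.org line.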
--
2.45.2
* [PATCH v7 12/16] raw/ifpga/base: fix use after free
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Andy Pei, Tianfei Zhang
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
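Review bot: the TAILQ_FOREACH_SAFE fallback is defined privately in opae_intel_max10.c, directly under the include of opae_osdep.h; putting it in that osdep header would let the other base files use it, and patch 16/16 adds the same shape for LIST_FOREACH_SAFE in idpf_osdep.h. Keeping the #ifndef guard is right, since some platforms' sys/queue.h already provide the macro.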
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
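Review bot: in max10_sensor_uinit() the loop removes every element, so next exists only to survive opae_free(info); draining the list with while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) would do the same job without the extra variable or the fallback macro. Either form removes the read of info after it was freed that plain TAILQ_FOREACH performed when advancing.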
--
2.45.2
* [PATCH v7 13/16] common/qat: fix use after free
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
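Review bot: the removed branch read qat_dev_mz->name inside the if (rte_memzone_free(qat_dev_mz)) failure case, which is the access the subject line calls a use after free, but the message only says that checking the return value is pointless; please name that dereference in the message. The error: label also reads qat_dev->command_line just before the memzone is freed, so it is worth stating whether qat_dev is always valid on every path that jumps here.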
--
2.45.2
* [PATCH v7 14/16] drivers/ifpga: fix free function mismatch
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free, which is a bad idea.
This leads to the case where the interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index a972b3b7a4..86558c7b9b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
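Review bot: the rte_calloc("ifpga_efds", ...) call needs a comment saying why a short-lived scratch array comes from the DPDK heap, namely that this driver redefines malloc and free as the commit message explains; without it a later cleanup is likely to turn it back into calloc() and reintroduce the mismatch. nb_intr is also passed to the allocator unchecked in this hunk, which the patch does not change but is worth a look while the line is being touched.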
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
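Review bot: rte_free(intr_efds) now appears on three separate exit paths of ifpga_register_msix_irq() across this hunk and the previous one. A single exit label that frees the array and returns the chosen code would leave one place where the allocator and deallocator have to stay paired.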
--
2.45.2
* [PATCH v7 15/16] baseband/la12xx: prevent use after free
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Akhil Goyal, Nipun Gupta, Nicolas Chautru
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index 1a56e73abd..cad6f9490e 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
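Review bot: the new hp = NULL line is load-bearing and deserves a comment: per the quoted warning the cleanup at line 901 calls rte_free(hp) again, and that is only safe because rte_free(NULL) is a no-op. Without a comment the assignment looks like a dead store and may be removed.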
--
2.45.2
* [PATCH v7 16/16] common/idpf: fix use after free due
From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Beilei Xing, Xiao Wang
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same:
the _SAFE variant guarantees that there will not be use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index b2af8f443d..7dff9bc79c 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
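Review bot: LIST_FOR_EACH_ENTRY_SAFE now assigns to its temp argument through (tvar) = LIST_NEXT((var), field), so temp must be a modifiable pointer of the element type, whereas the old expansion ignored it. Please say so in a comment above the macro and check the remaining callers for a NULL or mistyped temp, which will now fail to build.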
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
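Review bot: the commit message does not mention this call-site change in idpf_init_mbx(), only the macro. The reason belongs there: NULL can no longer be passed as temp, and the visible loop body only compares fields of ctlq and assigns hw->asq, so nothing is unlinked or freed and the non-SAFE iterator is sufficient.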
--
2.45.2
* RE: [EXTERNAL] [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup
From: Pavan Nikhilesh Bhagavatula @ 2024-10-03 5:52 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable, Jerin Jacob
> The code to cleanup in case of error was passing incorrect
> value to rte_free. The ports[] entry was allocated with
> rte_malloc and that should be used instead of the offset
> in that object.
>
> Fixes: 97a05c1fe634 ("event/cnxk: add port config")
> Cc: sthotton@marvell.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/event/cnxk/cnxk_eventdev.c
> b/drivers/event/cnxk/cnxk_eventdev.c
> index 4b2d6bffa6..08c6ce0c07 100644
> --- a/drivers/event/cnxk/cnxk_eventdev.c
> +++ b/drivers/event/cnxk/cnxk_eventdev.c
> @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev
> *event_dev,
> return 0;
> hws_fini:
> for (i = i - 1; i >= 0; i--) {
> + void *ws = event_dev->data->ports[i];
> +
> event_dev->data->ports[i] = NULL;
> - rte_free(cnxk_sso_hws_get_cookie(event_dev->data-
> >ports[i]));
> + rte_free(ws);
Hi Stephen,

The rte_zmalloc memory is pointing to the cookie[1], the memory assigned to
event_dev->data->ports[i] is rte_zmalloc + RTE_CACHE_LINE_SIZE.

There is still a bug in the code where we are assigning NULL before freeing memory.
The fix should be

	rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
	event_dev->data->ports[i] = NULL;

[1]
	/* Allocate event port memory */
	ws = rte_zmalloc("cn10k_ws",
			 sizeof(struct cn10k_sso_hws) + RTE_CACHE_LINE_SIZE,
			 RTE_CACHE_LINE_SIZE);

	/* First cache line is reserved for cookie */
	ws = (struct cn10k_sso_hws *)((uint8_t *)ws + RTE_CACHE_LINE_SIZE);

Thanks,
Pavan.

> }
> return -ENOMEM;
> }
> --
> 2.45.2
* Re: [PATCH v7 00/16] Fix allocation bugs and prevent future ones
From: David Marchand @ 2024-10-04 14:28 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
On Wed, Oct 2, 2024 at 8:39 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> Recent versions of GCC have some additional function attributes that can
> help with DPDK performance and stability.
>
> The alloc_align attribute tells the compiler what the alignment
> of the allocation will be, and the optimizer can use this to produce
> better code (especially memcpy and structure copies).
>
> The malloc attribute tells compiler that object is not overlapping
> and potentially aliasing. It also has an additional variant in GCC 11
> or later that allows for detecting all sorts of common errors like
> calling free() on memory allocated with rte_malloc().
>
> In order to use the malloc attribute the free function prototype
> needs to be moved before the allocator/create function prototype
> so that the malloc attribute can refer to it.
>
> This uncovered at least 16 pre-existing bugs in DPDK, these
> should go to stable. This patch set is structured with:
> - fix any new warnings that were discovered
> - add macros for enable the macros
> - enable the attributes
It seems v7 lost the last patch that was introducing and using the
annotations in rte_malloc.
Was there an issue with this patch, or is it just a series submission issue?
--
David Marchand
* Re: [PATCH v7 00/16] Fix allocation bugs and prevent future ones
From: David Marchand @ 2024-10-04 14:57 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
On Fri, Oct 4, 2024 at 4:28 PM David Marchand <david.marchand@redhat.com> wrote:
>
> On Wed, Oct 2, 2024 at 8:39 PM Stephen Hemminger
> <stephen@networkplumber.org> wrote:
> >
> > Recent versions of GCC have some additional function attributes that can
> > help with DPDK performance and stability.
> >
> > The alloc_align attribute tells the compiler what the alignment
> > of the allocation will be, and the optimizer can use this to produce
> > better code (especially memcpy and structure copies).
> >
> > The malloc attribute tells compiler that object is not overlapping
> > and potentially aliasing. It also has an additional variant in GCC 11
> > or later that allows for detecting all sorts of common errors like
> > calling free() on memory allocated with rte_malloc().
> >
> > In order to use the malloc attribute the free function prototype
> > needs to be moved before the allocator/create function prototype
> > so that the malloc attribute can refer to it.
> >
> > This uncovered at least 16 pre-existing bugs in DPDK, these
> > should go to stable. This patch set is structured with:
> > - fix any new warnings that were discovered
> > - add macros for enable the macros
> > - enable the attributes
>
> It seems v7 lost the last patch that was introducing and using the
> annotations in rte_malloc.
> Was there an issue with this patch, or is it just a series submission issue?
Btw, reading gcc documentation, it seems the check is only enabled
with -fanalyzer.
Can we add this in the CI?
If we can't enable all of -fanalyzer checks, maybe go with a subset of
it, like -Wanalyzer-allocation-size
-Wanalyzer-mismatching-deallocation ?
--
David Marchand
* RE: [PATCH v3 17/18] eal: add function attributes for allocation functions
From: Morten Brørup @ 2024-10-08 8:29 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Tyler Retzlaff, Anatoly Burakov
> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Sunday, 29 September 2024 17.35
>
> The allocation functions take an alignment argument that
> can be useful to hint the compiler optimizer.
>
> This is supported by Gcc and Clang but only useful with
> Gcc because Clang gives warning if alignment is 0.
This patch defines and uses __rte_alloc_align(). OK.
>
> Recent versions of GCC have a malloc attribute that can
> be used to find mismatches between allocation and free;
> the typical problem caught is a pointer allocated with
> rte_malloc() that is then incorrectly freed using free().
This patch defines __rte_alloc_func(), but uses it in the next patch in the series.
Suggest either doing both here, or move the definition of __rte_alloc_func() to the next patch.
> +/**
> + * Tells the compiler this is a function like malloc and that the
> pointer
> + * returned cannot alias any other pointer (ie new memory).
There's a good example of its use here:
https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation#detecting_mismatched_deallocations
It not only refers to memory, but also handle pointers.
You might want to replace "ie new memory" by "ie new object" or similar.
Please add the optional arguments to pass to __rte_alloc_func to the macro description, e.g.:
@param [free_func]
The name of the deallocation function to free the allocated object
@param [free_func_ptr_index]
The deallocation function's argument index of the object pointer.
PS: The brackets indicate that the parameter is optional. I didn't know, so it is what I found on the internet.
> + *
> + * Also, with recent GCC versions also able to track that proper
> + * dealloctor function is used for this pointer.
> + */
> +#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
> +#define __rte_alloc_func(...) \
> + __attribute__((malloc, malloc(__VA_ARGS__)))
> +
> +#elif defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
> +#define __rte_alloc_func(...) \
> + __attribute__((malloc))
> +#else
> +#define __rte_alloc_func(...)
> +#endif
The _func postfix seems superfluous. Macros hinting about Hot and cold functions are simply __rte_hot and __rte_cold, without _func postfix.
It's probably a matter of taste, so I'll leave it up to you.
Minor detail:
When looking at the code using the macro, it seems somewhat confusing that the macro name is "__rte_alloc" when its arguments describe the associated free function.
But I have no ideas for a better name...
Even if the two arguments were required, the primary purpose of the macro is to inform the compiler that the function is an allocation function; so that must be dominant in the name of the macro, which it is with the current name.
With the macro description updated,
Series-Acked-by: Morten Brørup <mb@smartsharesystems.com>
* RE: [PATCH v6 17/17] eal: add function attributes for allocation functions
From: Morten Brørup @ 2024-10-08 9:03 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
> From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> Sent: Wednesday, 2 October 2024 17.43
>
> The allocation functions take an alignment argument that
> can be useful to hint the compiler optimizer. This is supported
> by GCC and Clang but only useful with GCC because Clang gives
> warning if alignment is 0.
>
> Newer versions of GCC have a malloc attribute that can be used to find
> mismatches between allocation and free; the typical problem caught is a
> pointer allocated with rte_malloc() that is then incorrectly freed
> using
> free(). The name of the DPDK wrapper macros for these attributes
> are chosen to be similar to what GLIBC is using in cdefs.h.
> Note: The rte_free function prototype was moved ahead of the allocation
> functions since the dealloc attribute now refers to it.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
> ---
I see many of my comments to v3 have already been addressed. Great minds think alike. :-)
> +/**
> + * With recent GCC versions also able to track that proper
> + * deallocator function is used for this pointer.
> + */
> +#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
> +#define __rte_dealloc(dealloc, argno) \
> + __attribute__((malloc(dealloc, argno)))
> +#else
> +#define __rte_dealloc(dealloc, argno)
> +#endif
A matter of taste...
The name "__rte_malloc" is closely associated with the function name "malloc()"; for consistency suggest naming this "__rte_free" or "__rte_malloc_free".
<brainstorming>
If named __rte_malloc_free, it could include the __rte_malloc (as in previous versions of the patch).
However, that might be confusing, so probably not a good idea.
I prefer keeping the attributes separate, as in this version.
</brainstorming>
> +++ b/lib/eal/include/rte_malloc.h
> @@ -31,6 +31,26 @@ struct rte_malloc_socket_stats {
> size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
> };
>
> +/**
> + * Function attribut for prototypes that expect to release memory with
> rte_free()
Typo: attribut -> attribute
> + */
> +#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
Minor detail:
I'm worried someone might misunderstand the purpose of this shortcut, and use it with an allocator function where a different deallocator is associated.
Moving it from rte_common.h to rte_malloc.h is a huge improvement; but please consider if the benefit outweighs the risk.
Again, I'll leave it up to you.
* [PATCH v8 00/17] Add function attributes to uncover allocation bugs
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells compiler that object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK, these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros for enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v8 - rebase and cleanup the macros
Stephen Hemminger (17):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix pointer mismatch in cleanup
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
eal: add function attributes for allocation functions
doc/guides/rel_notes/release_24_11.rst | 8 +++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 +++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 4 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 34 +++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++---------
21 files changed, 126 insertions(+), 66 deletions(-)
--
2.45.2
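The pairing this cover letter describes (deallocator prototype first, allocator annotated with it and with its alignment argument), combined with the cookie-offset cleanup discussed for event/cnxk earlier in the thread, as an added example that is not DPDK code and not part of the series. Every demo_* name and the 64-byte line size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical demo_* names; these are not DPDK's macros or functions. */
#if defined(__GNUC__) && !defined(__clang__)
#define demo_malloc_attr        __attribute__((malloc))
#define demo_alloc_align(argno) __attribute__((alloc_align(argno)))
#define demo_noinline           __attribute__((noinline))
#else
#define demo_malloc_attr
#define demo_alloc_align(argno)
#define demo_noinline
#endif

/* The two-argument form that names the deallocator needs GCC 11 or later. */
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define demo_dealloc(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define demo_dealloc(fn, argno)
#endif

#define DEMO_CACHE_LINE 64u

struct demo_port { uint32_t id; };

static int demo_live; /* outstanding allocations, used as a leak check */

/* The deallocator is declared first so the attribute below can refer to it. */
demo_noinline void demo_free(void *ptr);

/*
 * With GCC 11+, a pointer returned by demo_zmalloc() that the compiler can
 * follow into free() instead of demo_free() can be reported at build time.
 */
demo_noinline void *demo_zmalloc(size_t size, unsigned int align)
	demo_malloc_attr demo_alloc_align(2) demo_dealloc(demo_free, 1);

void *demo_zmalloc(size_t size, unsigned int align)
{
	size_t rounded;
	void *p;

	/* aligned_alloc() wants a power-of-two alignment and a size that is a multiple of it */
	if (align == 0 || (align & (align - 1)) != 0 || size > SIZE_MAX - align)
		return NULL;
	rounded = (size + align - 1) & ~((size_t)align - 1);
	if (rounded == 0)
		rounded = align;
	p = aligned_alloc(align, rounded);
	if (p == NULL)
		return NULL;
	memset(p, 0, rounded);
	demo_live++;
	return p;
}

void demo_free(void *ptr)
{
	if (ptr == NULL)
		return; /* NULL is a no-op, as with free() */
	demo_live--;
	free(ptr);
}

int demo_live_count(void) { return demo_live; }

/* The port pointer sits one cache line past the allocation base (the cookie). */
static void *demo_port_cookie(void *port)
{
	return (uint8_t *)port - DEMO_CACHE_LINE;
}

void demo_teardown_ports(void **ports, int nb)
{
	for (int i = 0; i < nb; i++) {
		void *port = ports[i]; /* read the slot before clearing it */

		ports[i] = NULL;
		if (port != NULL)
			demo_free(demo_port_cookie(port)); /* free the base, not the offset pointer */
	}
}

/* Allocate nb ports; fail_at >= 0 simulates an allocation failure at that index. */
int demo_setup_ports(void **ports, int nb, int fail_at)
{
	for (int i = 0; i < nb; i++) {
		uint8_t *base = (i == fail_at) ? NULL :
			demo_zmalloc(sizeof(struct demo_port) + DEMO_CACHE_LINE, DEMO_CACHE_LINE);

		if (base == NULL) {
			demo_teardown_ports(ports, i); /* unwind only what was set up */
			return -1;
		}
		ports[i] = base + DEMO_CACHE_LINE; /* first line reserved for the cookie */
		((struct demo_port *)ports[i])->id = (uint32_t)i;
	}
	return 0;
}
```

The live counter returning to zero after a failed setup is the property the cleanup-path fixes in this series are after: each slot is read, cleared, and then its allocation base is handed to the matching deallocator exactly once.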
* [PATCH v8 01/17] memzone: fix use after free in tracing
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
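Review bot: no Fixes: tag or Cc: stable@dpdk.org accompanies this reordering in rte_memzone_free(), while the cover letter asks for the fixes to go to stable; since the message itself calls the old order harmless, please state whether this one is meant for backport. The trace call now runs before rte_free(addr) but still after rte_rwlock_write_unlock(), so lock hold time is unchanged.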
--
2.45.2
* [PATCH v8 02/17] cryptodev/bcmfs: fix mis-matched free
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta,
Raveendra Padasalagi, Akhil Goyal
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
a corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
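Review bot: the subject prefix reads cryptodev/bcmfs, but both hunks touch drivers/crypto/bcmfs/bcmfs_device.c and the Fixes: line uses crypto/bcmfs; use the same prefix so the fix is found when the log is searched by driver. Both free(fsdev) sites, the cleanup: label and fsdev_release(), are covered, which matches the rte_malloc() allocation the message describes.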
--
2.45.2
* [PATCH v8 03/17] dma/ixd: fix incorrect free function in cleanup
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 60ac219559..6ed03e96da 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
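Review bot: The subject prefix "dma/ixd" does not match the directory this hunk touches (drivers/dma/idxd) or the "dma/idxd" prefix quoted in the Fixes: line, so the change to the err: path of init_pci_device will be hard to find by component when it is backported. Suggest retitling to "dma/idxd: fix incorrect free function in cleanup".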
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (2 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 16:40 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
` (12 subsequent siblings)
16 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to clean up in case of error was passing an incorrect
value to rte_free. The ports[] entry was allocated with
rte_malloc and that should be used instead of the offset
in that object.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..08c6ce0c07 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
+ void *ws = event_dev->data->ports[i];
+
event_dev->data->ports[i] = NULL;
- rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ rte_free(ws);
}
return -ENOMEM;
}
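Review bot: In the hws_fini loop the new rte_free(ws) drops the cnxk_sso_hws_get_cookie() translation that the removed line applied, so if ports[i] points past a cookie at the start of the allocation (which is what the helper's name and the old call suggest), rte_free now receives an interior pointer rather than the address rte_malloc returned. The defect visible in the old line is the ordering: ports[i] was set to NULL before it was read. Keeping the saved copy and still translating it, rte_free(cnxk_sso_hws_get_cookie(ws)), fixes the ordering without changing which address is freed; please confirm against the allocation site, which is outside this hunk.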
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 05/17] examples/vhost: fix free function mismatch
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (3 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 06/17] net/cnxk: fix use-after-free Stephen Hemminger
` (11 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 06/17] net/cnxk: fix use-after-free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (4 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
` (10 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 07/17] bpf: fix free mismatch if convert fails
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (5 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 08/17] net/e1000: fix use-after-free Stephen Hemminger
` (9 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 08/17] net/e1000: fix use-after-free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (6 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (8 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 1e0a483d4a..d3a9181874 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 09/17] net/sfc: fix use-after-free warning messages
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (7 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
` (7 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
drivers/net/sfc/sfc_flow_rss.c | 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 10/17] net/cpfl: fix free of nonheap object
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (8 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (6 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 011229a470..303e979015 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
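Review bot: With rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout guards nothing but return -EINVAL, so the label and whatever jumps to it no longer serve a cleanup purpose. Returning -EINVAL directly at each failure site and deleting the label would make it obvious that this function owns no allocation to release.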
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 11/17] net/nfp: fix duplicate call to rte_free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (9 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
` (5 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on the same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 12/17] raw/ifpga/base: fix use after free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (10 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 13/17] common/qat: " Stephen Hemminger
` (4 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
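Review bot: The TAILQ_FOREACH_SAFE fallback is defined in opae_intel_max10.c itself, directly under the #include of opae_osdep.h, so any other base file that frees list entries while iterating will have to copy it again. Moving the #ifndef block into opae_osdep.h keeps one definition for the whole base directory; patch 16/17 places the equivalent LIST_FOREACH_SAFE fallback in idpf_osdep.h, which is the placement to mirror.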
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 13/17] common/qat: fix use after free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (11 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (3 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
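Review bot: The subject says "fix use after free" while the body only calls the return-value check pointless, and neither names the hazard in the branch removed from the error: path: it read qat_dev_mz->name after qat_dev_mz had been passed to rte_memzone_free(), and by the message's own reasoning that branch ran only when the pointer was null. Please state that in the commit message so the backport decision can be made from the log alone.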
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 14/17] drivers/ifpga: fix free function mismatch
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (12 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 13/17] common/qat: " Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
` (2 subsequent siblings)
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to case where interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index 113a22b0a7..5b9b596435 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
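Review bot: Switching intr_efds to rte_calloc("ifpga_efds", ...) in ifpga_register_msix_irq works around the malloc/free redefinition that the commit message itself calls a bad idea, and it leaves the next plain calloc() or free() added to this driver exposed to the same mismatch. The array is function-local scratch that every path in the later hunks releases before returning, so it has no need for hugepage memory; consider a follow-up that removes the redefinition, and until then a one-line comment at the allocation explaining why rte_calloc is used here.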
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 15/17] baseband/la12xx: prevent use after free
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (13 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 16/17] common/idpf: fix use after free due Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Nipun Gupta, Akhil Goyal, Nicolas Chautru
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index af4b4f1e9a..2432cdf884 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH v8 16/17] common/idpf: fix use after free due
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (14 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
2024-10-08 15:41 ` [PATCH v8 17/17] eal: add function attributes for allocation functions Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Xiao Wang, Beilei Xing
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same;
the _SAFE variant guarantees that there will not be use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index e042ef871c..cf9e553906 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
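Review bot: LIST_FOR_EACH_ENTRY_SAFE now assigns to its temp argument through LIST_FOREACH_SAFE, so any caller that still passes NULL there, as the idpf_init_mbx call site changed later in this patch did, will no longer compile. Please confirm every remaining user in the base code passes a real pointer variable, and consider a short comment on the macro saying that temp must be an lvalue and that entry_type is unused.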
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
--
2.45.2
^ permalink raw reply [flat|nested] 196+ messages in thread
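The iteration bug fixed by TAILQ_FOREACH_SAFE in 12/17 and LIST_FOREACH_SAFE in 16/17, as an added example that is not part of the patch series: the plain FOREACH step reads the link field of the element the loop body just released, while the _SAFE form saves the successor first. The names `sensor`, `pool_free`, `drain_unsafe` and `drain_safe` are hypothetical, and `pool_free` only scrubs a static node (standing in for an allocator reusing the memory) so the stale read is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/queue.h>

/* Fallback with the same shape as the one the patches add. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)		\
	for ((var) = TAILQ_FIRST((head));			\
	     (var) && ((tvar) = TAILQ_NEXT((var), field), 1);	\
	     (var) = (tvar))
#endif

#define POOL_SIZE 4

/* Hypothetical element type standing in for a driver's list entry. */
struct sensor {
	int freed;
	TAILQ_ENTRY(sensor) node;
};

TAILQ_HEAD(sensor_list, sensor);

/* Constructed backing store: nodes are never really released. */
static struct sensor pool[POOL_SIZE];

/* Stand-in for free(): scrub the links as reused memory might be. */
static void pool_free(struct sensor *s)
{
	s->freed = 1;
	s->node.tqe_next = NULL;
	s->node.tqe_prev = NULL;
}

static void fill(struct sensor_list *list)
{
	TAILQ_INIT(list);
	for (int i = 0; i < POOL_SIZE; i++) {
		pool[i].freed = 0;
		TAILQ_INSERT_TAIL(list, &pool[i], node);
	}
}

static int remaining(struct sensor_list *list)
{
	struct sensor *s;
	int n = 0;

	TAILQ_FOREACH(s, list, node)
		n++;
	return n;
}

/* Pre-fix pattern: the loop step reads info->node after pool_free(). */
int drain_unsafe(void)
{
	struct sensor_list list;
	struct sensor *info;

	fill(&list);
	TAILQ_FOREACH(info, &list, node) {
		TAILQ_REMOVE(&list, info, node);
		pool_free(info);
	}
	/* Entries still linked, i.e. never released by the cleanup. */
	return remaining(&list);
}

/* Post-fix pattern: the successor is saved before the body runs. */
int drain_safe(void)
{
	struct sensor_list list;
	struct sensor *info, *next;

	fill(&list);
	TAILQ_FOREACH_SAFE(info, &list, node, next) {
		TAILQ_REMOVE(&list, info, node);
		pool_free(info);
	}
	return remaining(&list);
}

int main(void)
{
	printf("left after plain FOREACH: %d\n", drain_unsafe());
	printf("left after FOREACH_SAFE:  %d\n", drain_safe());
	return 0;
}
```

With a real allocator the stale read in `drain_unsafe` is undefined behaviour rather than a clean early exit, which is why GCC's -Wuse-after-free flags it once the deallocator is annotated.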
* [PATCH v8 17/17] eal: add function attributes for allocation functions
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
` (15 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 16/17] common/idpf: fix use after free due Stephen Hemminger
@ 2024-10-08 15:41 ` Stephen Hemminger
16 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer. This is supported
by GCC and Clang but only useful with GCC because Clang gives
a warning if alignment is 0.
Newer versions of GCC have a malloc attribute that can be used to find
mismatches between allocation and free; the typical problem caught is a
pointer allocated with rte_malloc() that is then incorrectly freed using
free(). The name of the DPDK wrapper macros for these attributes
are chosen to be similar to what GLIBC is using in cdefs.h.
Note: The rte_free function prototype was moved ahead of the allocation
functions since the dealloc attribute now refers to it.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_common.h | 34 +++++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++++----------
3 files changed, 78 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index e0a9aa55a1..662cb66ebd 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -67,6 +67,14 @@ New Features
The new statistics are useful for debugging and profiling.
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..a53051072e 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) \
+ __attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((__malloc__))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * deallocator function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) \
+ __attribute__((malloc(dealloc, argno)))
+#else
+#define __rte_dealloc(dealloc, argno)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
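Review bot: The three new macros in this hunk test two different families of compiler symbols: __rte_alloc_align and __rte_malloc are guarded by RTE_CC_GCC / RTE_CC_CLANG, while __rte_dealloc is guarded by RTE_TOOLCHAIN_GCC together with GCC_VERSION. If the build defines only one family, the macros guarded by the other expand to nothing with no diagnostic and the hardening is silently lost. Please use one guard style for all three (the RTE_TOOLCHAIN_GCC form matches the GCC_VERSION check), and have the __rte_dealloc comment state the minimum version that the #if encodes instead of "recent GCC versions".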
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..c8836de67c 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,26 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+/**
+ * Functions that expect return value to be freed with rte_free()
+ */
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
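Review bot: the rte_free() prototype moved to the top of this hunk now carries an ordering constraint that nothing in the header states: it has to stay above every declaration tagged __rte_dealloc_free, because the attribute names rte_free. Please say so in the comment above `#define __rte_dealloc_free __rte_dealloc(rte_free, 1)`. While this doc block is being touched, its list of allocators (rte_malloc(), rte_zmalloc(), rte_calloc(), rte_realloc()) could be extended to the *_socket variants, which receive the same annotation later in this patch.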
@@ -54,7 +74,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +102,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +130,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
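Review bot: __rte_malloc on rte_realloc() looks wrong. The macro's own comment says the returned pointer "cannot alias any other pointer (ie new memory)", but a realloc can hand back the block that `ptr` already refers to, and the block keeps its old contents; GCC's documentation of the malloc attribute names realloc as a function that does not have this property. Suggest dropping the plain __rte_malloc from this declaration and keeping the other annotations; the same applies to rte_realloc_socket() in the next hunk.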
@@ -158,7 +182,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +210,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +240,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +270,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
* Re: [PATCH v3 17/18] eal: add function attributes for allocation functions
2024-10-08 8:29 ` Morten Brørup
@ 2024-10-08 15:43 ` Stephen Hemminger
0 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 15:43 UTC (permalink / raw)
To: Morten Brørup; +Cc: dev, Tyler Retzlaff, Anatoly Burakov
On Tue, 8 Oct 2024 10:29:23 +0200
Morten Brørup <mb@smartsharesystems.com> wrote:
> > From: Stephen Hemminger [mailto:stephen@networkplumber.org]
> > Sent: Sunday, 29 September 2024 17.35
> >
> > The allocation functions take an alignment argument that
> > can be useful to hint the compiler optimizer.
> >
> > This is supported by Gcc and Clang but only useful with
> > Gcc because Clang gives warning if alignment is 0.
>
> This patch defines and uses __rte_alloc_align(). OK.
>
> >
> > Recent versions of GCC have a malloc attribute that can
> > be used to find mismatches between allocation and free;
> > the typical problem caught is a pointer allocated with
> > rte_malloc() that is then incorrectly freed using free().
>
> This patch defines __rte_alloc_func(), but uses it in the next patch in the series.
> Suggest either doing both here, or move the definition of __rte_alloc_func() to the next patch.
>
>
> > +/**
> > + * Tells the compiler this is a function like malloc and that the
> > pointer
> > + * returned cannot alias any other pointer (ie new memory).
>
> There's a good example of its use here:
> https://developers.redhat.com/blog/2021/04/30/detecting-memory-management-bugs-with-gcc-11-part-1-understanding-dynamic-allocation#detecting_mismatched_deallocations
>
> It not only refers to memory, but also handle pointers.
> You might want to replace "ie new memory" by "ie new object" or similar.
>
>
> Please add the optional arguments to pass to __rte_alloc_func to the macro description, e.g.:
> @param [free_func]
> The name of the deallocation function to free the allocated object
> @param [free_func_ptr_index]
> The deallocation function's argument index of the object pointer.
>
> PS: The brackets indicate that the parameter is optional. I didn't know, so it is what I found on the internet.
In later versions of the patch I decided that naming and parameters should
follow the precedent used in glibc. See new version sent today.
* Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger
@ 2024-10-08 16:40 ` Stephen Hemminger
2024-10-08 16:43 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula
0 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:40 UTC (permalink / raw)
To: dev; +Cc: sthotton, stable, Pavan Nikhilesh
On Tue, 8 Oct 2024 08:41:34 -0700
Stephen Hemminger <stephen@networkplumber.org> wrote:
> The code to cleanup in case of error was passing incorrect
> value to rte_free. The ports[] entry was allocated with
> rte_malloc and that should be used instead of the offset
> in that object.
>
> Fixes: 97a05c1fe634 ("event/cnxk: add port config")
> Cc: sthotton@marvell.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
> index 4b2d6bffa6..08c6ce0c07 100644
> --- a/drivers/event/cnxk/cnxk_eventdev.c
> +++ b/drivers/event/cnxk/cnxk_eventdev.c
> @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
> return 0;
> hws_fini:
> for (i = i - 1; i >= 0; i--) {
> + void *ws = event_dev->data->ports[i];
> +
> event_dev->data->ports[i] = NULL;
> - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
> + rte_free(ws);
> }
> return -ENOMEM;
> }
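Review bot: the added `rte_free(ws)` drops the cnxk_sso_hws_get_cookie() translation that the removed line applied, so it releases the ports[i] value itself rather than the address the original code derived from it. The defect in the original is the ordering: ports[i] is set to NULL first, so the cookie lookup runs on NULL. Either free `cnxk_sso_hws_get_cookie(ws)` using the saved pointer, or move the NULL assignment below the rte_free() call; both fix the ordering without changing which address is released.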
This fix is not right, but something is wrong with the original code?
[865/3024] Compiling C object drivers/libtmp_rte_event_cnxk.a.p/event_cnxk_cnxk_eventdev.c.o
../drivers/event/cnxk/cnxk_eventdev.c: In function ‘cnxk_setup_event_ports’:
../drivers/event/cnxk/cnxk_eventdev.c:125:17: warning: ‘rte_free’ called on a pointer to an unallocated object ‘18446744073709551552’ [-Wfree-nonheap-object]
125 | rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[3024/3024] Linking target app/dpdk-test
* RE: [EXTERNAL] Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup
2024-10-08 16:40 ` Stephen Hemminger
@ 2024-10-08 16:43 ` Pavan Nikhilesh Bhagavatula
0 siblings, 0 replies; 196+ messages in thread
From: Pavan Nikhilesh Bhagavatula @ 2024-10-08 16:43 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable
> -----Original Message-----
> From: Stephen Hemminger <stephen@networkplumber.org>
> Sent: Tuesday, October 8, 2024 10:10 PM
> To: dev@dpdk.org
> Cc: Shijith Thotton <sthotton@marvell.com>; stable@dpdk.org; Pavan
> Nikhilesh Bhagavatula <pbhagavatula@marvell.com>
> Subject: [EXTERNAL] Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch
> in cleanup
>
> On Tue, 8 Oct 2024 08:41:34 -0700
> Stephen Hemminger <stephen@networkplumber.org> wrote:
>
> > The code to cleanup in case of error was passing incorrect
> > value to rte_free. The ports[] entry was allocated with
> > rte_malloc and that should be used instead of the offset
> > in that object.
> >
> > Fixes: 97a05c1fe634 ("event/cnxk: add port config")
> > Cc: sthotton@marvell.com
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> > ---
> > drivers/event/cnxk/cnxk_eventdev.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/event/cnxk/cnxk_eventdev.c
> b/drivers/event/cnxk/cnxk_eventdev.c
> > index 4b2d6bffa6..08c6ce0c07 100644
> > --- a/drivers/event/cnxk/cnxk_eventdev.c
> > +++ b/drivers/event/cnxk/cnxk_eventdev.c
> > @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct
> rte_eventdev *event_dev,
> > return 0;
> > hws_fini:
> > for (i = i - 1; i >= 0; i--) {
> > + void *ws = event_dev->data->ports[i];
> > +
> > event_dev->data->ports[i] = NULL;
> > - rte_free(cnxk_sso_hws_get_cookie(event_dev->data-
> >ports[i]));
> > + rte_free(ws);
> > }
> > return -ENOMEM;
> > }
>
> This fix is not right, but something is wrong with the original code?
>
Yup, the NULL allocation should come after the free
rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
event_dev->data->ports[i] = NULL;
> [865/3024] Compiling C object
> drivers/libtmp_rte_event_cnxk.a.p/event_cnxk_cnxk_eventdev.c.o
> ../drivers/event/cnxk/cnxk_eventdev.c: In function ‘cnxk_setup_event_ports’:
> ../drivers/event/cnxk/cnxk_eventdev.c:125:17: warning: ‘rte_free’ called on a
> pointer to an unallocated object ‘18446744073709551552’ [-Wfree-
> nonheap-object]
> 125 | rte_free(cnxk_sso_hws_get_cookie(event_dev->data-
> >ports[i]));
> |
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [3024/3024] Linking target app/dpdk-test
* [PATCH v9 00/17] Use malloc function attribute to uncover bugs
2024-09-27 20:45 [PATCH 00/16] Fix allocation issues and add hardening Stephen Hemminger
` (22 preceding siblings ...)
2024-10-08 15:41 ` [PATCH v8 00/17] Add function attributes to uncover allocation bugs Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 01/17] memzone: fix use after free in tracing Stephen Hemminger
` (19 more replies)
23 siblings, 20 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger
Recent versions of GCC have some additional function attributes that can
help with DPDK performance and stability.
The alloc_align attribute tells the compiler what the alignment
of the allocation will be, and the optimizer can use this to produce
better code (especially memcpy and structure copies).
The malloc attribute tells compiler that object is not overlapping
and potentially aliasing. It also has an additional variant in GCC 11
or later that allows for detecting all sorts of common errors like
calling free() on memory allocated with rte_malloc().
In order to use the malloc attribute the free function prototype
needs to be moved before the allocator/create function prototype
so that the malloc attribute can refer to it.
This uncovered at least 16 pre-existing bugs in DPDK, these
should go to stable. This patch set is structured with:
- fix any new warnings that were discovered
- add macros for enable the macros
- enable the attributes
The same attributes could be added to lots more functions in DPDK,
but this patch set focuses on the key ones, and where problems
exist in current code base.
v9 - correct the event/cnxk patch
Stephen Hemminger (17):
memzone: fix use after free in tracing
cryptodev/bcmfs: fix mis-matched free
dma/ixd: fix incorrect free function in cleanup
event/cnxk: fix free of non-heap in cleanup code
examples/vhost: fix free function mismatch
net/cnxk: fix use-after-free
bpf: fix free mismatch if convert fails
net/e1000: fix use-after-free
net/sfc: fix use-after-free warning messages
net/cpfl: fix free of nonheap object
net/nfp: fix duplicate call to rte_free
raw/ifpga/base: fix use after free
common/qat: fix use after free
drivers/ifpga: fix free function mismatch
baseband/la12xx: prevent use after free
common/idpf: fix use after free due
eal: add function attributes for allocation functions
doc/guides/rel_notes/release_24_11.rst | 8 +++
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
drivers/common/idpf/base/idpf_osdep.h | 10 +++-
drivers/common/idpf/idpf_common_device.c | 3 +-
drivers/common/qat/qat_device.c | 6 +--
drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
drivers/dma/idxd/idxd_pci.c | 2 +-
drivers/event/cnxk/cnxk_eventdev.c | 2 +-
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
drivers/net/e1000/igb_ethdev.c | 4 +-
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
drivers/net/sfc/sfc_flow_rss.c | 4 +-
drivers/net/sfc/sfc_mae.c | 23 ++++-----
drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
examples/vhost_blk/vhost_blk.c | 2 +-
lib/bpf/bpf_convert.c | 2 +-
lib/eal/common/eal_common_memzone.c | 3 +-
lib/eal/include/rte_common.h | 34 +++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++---------
21 files changed, 124 insertions(+), 66 deletions(-)
--
2.45.2
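The attributes described in the cover letter above, as an added example that is not part of the patch series or of DPDK. All `DEMO_`/`demo_` names, the toy allocator and the 64-byte cookie in front of each port are assumptions made for illustration; the functions show the cleanup orderings the fixes in this series converge on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical DEMO_ and demo_ names stand in for the __rte_ macros and
 * rte_malloc()/rte_free(); none of them are DPDK identifiers. */
#if defined(__GNUC__) && !defined(__clang__)
#define DEMO_ALLOC_ALIGN(argno) __attribute__((alloc_align(argno)))
#else
#define DEMO_ALLOC_ALIGN(argno)	/* skipped on Clang, as in the patch */
#endif
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define DEMO_DEALLOC(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define DEMO_DEALLOC(fn, argno)
#endif

#define DEMO_COOKIE 64	/* assumed size of the area in front of a port */

static int live_blocks;	/* allocations not yet released */

/* The deallocator has to be declared before the allocator that names it. */
void demo_free(void *ptr);

void *demo_malloc(size_t size, unsigned int align)
	__attribute__((alloc_size(1))) DEMO_ALLOC_ALIGN(2)
	__attribute__((__malloc__)) DEMO_DEALLOC(demo_free, 1);

/* Over-allocate, round up to the alignment (a power of two, 0 = default) and
 * keep the real malloc() pointer just below the address handed out. libc
 * free() on the returned pointer would therefore corrupt the heap. */
__attribute__((noinline)) void *demo_malloc(size_t size, unsigned int align)
{
	size_t a = align > sizeof(void *) ? align : sizeof(void *);
	unsigned char *raw = malloc(size + a + sizeof(void *));
	uintptr_t user;

	if (raw == NULL)
		return NULL;
	user = ((uintptr_t)raw + sizeof(void *) + a - 1) & ~(uintptr_t)(a - 1);
	((void **)user)[-1] = raw;
	live_blocks++;
	return (void *)user;
}

__attribute__((noinline)) void demo_free(void *ptr)
{
	if (ptr == NULL)
		return;
	live_blocks--;
	free(((void **)ptr)[-1]);
}

struct filter { unsigned int index; };

/* Use-after-free ordering: read what is still needed, then free. */
unsigned int filter_delete(struct filter *f)
{
	unsigned int index = f->index;

	demo_free(f);
	return index;
}

/* Each slot stores a pointer DEMO_COOKIE bytes past the allocation base. */
int ports_setup(void **ports, int n)
{
	for (int i = 0; i < n; i++) {
		unsigned char *base = demo_malloc(DEMO_COOKIE + 128, 64);

		if (base == NULL)
			return -1;
		ports[i] = base + DEMO_COOKIE;
	}
	return 0;
}

/* Translate the slot back to the allocation base, free that, and only then
 * clear the slot. Returns the number of blocks released. */
int ports_cleanup(void **ports, int n)
{
	int freed = 0;

	for (int i = n - 1; i >= 0; i--) {
		if (ports[i] == NULL)
			continue;
		demo_free((unsigned char *)ports[i] - DEMO_COOKIE);
		ports[i] = NULL;
		freed++;
	}
	return freed;
}

#ifdef DEMO_SHOW_BUGS	/* never built by default; GCC 11+ flags both calls */
void demo_bugs(void)
{
	struct filter *f = demo_malloc(sizeof(*f), 0);
	unsigned char *p = demo_malloc(32, 0);

	free(f);		/* -Wmismatched-dealloc: must be demo_free() */
	demo_free(p + 8);	/* -Wfree-nonheap-object: nonzero offset */
}
#endif
```

Building with `-DDEMO_SHOW_BUGS` on GCC 11 or later produces the two warning classes quoted in this thread for the mismatched `free()` and for the offset pointer.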
* [PATCH v9 01/17] memzone: fix use after free in tracing
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
` (18 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
Using the freed value for tracing is not a good idea.
Although it is harmless for tracing, it will cause analyzers to flag
this as unsafe.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
lib/eal/common/eal_common_memzone.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/eal/common/eal_common_memzone.c b/lib/eal/common/eal_common_memzone.c
index 2d9b6aa3e3..90efbb621d 100644
--- a/lib/eal/common/eal_common_memzone.c
+++ b/lib/eal/common/eal_common_memzone.c
@@ -331,9 +331,10 @@ rte_memzone_free(const struct rte_memzone *mz)
rte_rwlock_write_unlock(&mcfg->mlock);
+ rte_eal_trace_memzone_free(name, addr, ret);
+
rte_free(addr);
- rte_eal_trace_memzone_free(name, addr, ret);
return ret;
}
--
2.45.2
* [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 01/17] memzone: fix use after free in tracing Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
` (17 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta,
Akhil Goyal, Raveendra Padasalagi
The device structure is allocated with rte_malloc() and
then incorrectly freed with free(). This will lead to
corrupt malloc pool.
Bugzilla ID: 1552
Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
---
drivers/crypto/bcmfs/bcmfs_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c
index ada7ba342c..46522970d5 100644
--- a/drivers/crypto/bcmfs/bcmfs_device.c
+++ b/drivers/crypto/bcmfs/bcmfs_device.c
@@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev,
return fsdev;
cleanup:
- free(fsdev);
+ rte_free(fsdev);
return NULL;
}
@@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev)
return;
TAILQ_REMOVE(&fsdev_list, fsdev, next);
- free(fsdev);
+ rte_free(fsdev);
}
static int
--
2.45.2
* [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 01/17] memzone: fix use after free in tracing Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger
` (16 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh
The data structure is allocated with rte_malloc and incorrectly
freed in cleanup logic using free.
Bugzilla ID: 1549
Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe")
Cc: kevin.laatz@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/dma/idxd/idxd_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c
index 60ac219559..6ed03e96da 100644
--- a/drivers/dma/idxd/idxd_pci.c
+++ b/drivers/dma/idxd/idxd_pci.c
@@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd,
return nb_wqs;
err:
- free(pci);
+ rte_free(pci);
return err_code;
}
--
2.45.2
* [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (2 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:54 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula
2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
` (15 subsequent siblings)
19 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh
The code to cleanup in case of error would dereference null pointer
then pass that result to rte_free.
Fixes: 97a05c1fe634 ("event/cnxk: add port config")
Cc: sthotton@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/event/cnxk/cnxk_eventdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c
index 4b2d6bffa6..8cc1adef11 100644
--- a/drivers/event/cnxk/cnxk_eventdev.c
+++ b/drivers/event/cnxk/cnxk_eventdev.c
@@ -121,8 +121,8 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev,
return 0;
hws_fini:
for (i = i - 1; i >= 0; i--) {
- event_dev->data->ports[i] = NULL;
rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i]));
+ event_dev->data->ports[i] = NULL;
}
return -ENOMEM;
}
--
2.45.2
* [PATCH v9 05/17] examples/vhost: fix free function mismatch
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (3 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-09 6:27 ` Chenbo Xia
2024-10-08 16:47 ` [PATCH v9 06/17] net/cnxk: fix use-after-free Stephen Hemminger
` (14 subsequent siblings)
19 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin,
Chenbo Xia, Jin Yu
The pointer bdev is allocated with rte_zmalloc() and then
incorrectly freed with free() which will lead to pool corruption.
Bugzilla ID: 1553
Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
---
examples/vhost_blk/vhost_blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
index 03f1ac9c3f..9c9e326949 100644
--- a/examples/vhost_blk/vhost_blk.c
+++ b/examples/vhost_blk/vhost_blk.c
@@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
if (!bdev->data) {
fprintf(stderr, "No enough reserved huge memory for disk\n");
- free(bdev);
+ rte_free(bdev);
return NULL;
}
--
2.45.2
* [PATCH v9 06/17] net/cnxk: fix use-after-free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (4 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
` (13 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram,
Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra
The driver would refer to the mempool object after it was freed.
Bugzilla ID: 1554
Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF")
Cc: rbhansali@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 6f5319e534..e428d2115d 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char
return -EINVAL;
}
- rte_mempool_free(hp);
plt_free(hp->pool_config);
+ rte_mempool_free(hp);
*aura_handle = 0;
*mpool = 0;
--
2.45.2
* [PATCH v9 07/17] bpf: fix free mismatch if convert fails
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (5 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 06/17] net/cnxk: fix use-after-free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 08/17] net/e1000: fix use-after-free Stephen Hemminger
` (12 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella
If conversion of cBPF to eBPF fails then an object allocated with
rte_malloc() would be passed to free().
[908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o
../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’:
../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
559 | free(prm);
| ^~~~~~~~~
../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’
545 | prm = rte_zmalloc("bpf_filter",
| ^~~~~~~~~~~~~~~~~~~~~~~~~
546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_convert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c
index d7ff2b4325..e7e298c9cb 100644
--- a/lib/bpf/bpf_convert.c
+++ b/lib/bpf/bpf_convert.c
@@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog)
ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len);
if (ret < 0) {
RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__);
- free(prm);
+ rte_free(prm);
rte_errno = -ret;
return NULL;
}
--
2.45.2
* [PATCH v9 08/17] net/e1000: fix use-after-free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (6 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
` (11 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao
The driver cleanup code was freeing the filter object
then dereferencing it.
Bugzilla ID: 1550
Fixes: 6a4d050e2855 ("net/igb: flush all the filter")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/e1000/igb_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c
index 1e0a483d4a..d3a9181874 100644
--- a/drivers/net/e1000/igb_ethdev.c
+++ b/drivers/net/e1000/igb_ethdev.c
@@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev,
filter_info->twotuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
@@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
filter_info->fivetuple_mask &= ~(1 << filter->index);
TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries);
- rte_free(filter);
E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
E1000_FTQF_VF_BP | E1000_FTQF_MASK);
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev,
E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
+ rte_free(filter);
return 0;
}
--
2.45.2
* [PATCH v9 09/17] net/sfc: fix use-after-free warning messages
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (7 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 08/17] net/e1000: fix use-after-free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
` (10 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Ivan Malov, Andrew Rybchenko, Andy Moreton
If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change to move debug message
before the object is freed.
Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov@arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
---
| 4 ++--
drivers/net/sfc/sfc_mae.c | 23 +++++++++--------------
2 files changed, 11 insertions(+), 16 deletions(-)
--git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
rte_free(ctx->qid_offsets);
- rte_free(ctx);
-
sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+ rte_free(ctx);
}
static int
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index 60ff6d2181..8f74f10390 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
efx_mae_match_spec_fini(sa->nic, rule->match_spec);
TAILQ_REMOVE(&mae->outer_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted outer_rule=%p", rule);
+ rte_free(rule);
}
static int
@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
}
TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
- rte_free(mac_addr);
-
sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+ rte_free(mac_addr);
}
enum sfc_mae_mac_addr_type {
@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
}
TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+ sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
rte_free(encap_header->buf);
rte_free(encap_header);
-
- sfc_dbg(sa, "deleted encap_header=%p", encap_header);
}
static int
@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
}
TAILQ_REMOVE(&mae->counters, counter, entries);
- rte_free(counter);
-
sfc_dbg(sa, "deleted counter=%p", counter);
+ rte_free(counter);
}
static int
@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
sfc_mae_counter_del(sa, action_set->counter);
TAILQ_REMOVE(&mae->action_sets, action_set, entries);
- rte_free(action_set);
-
sfc_dbg(sa, "deleted action_set=%p", action_set);
+ rte_free(action_set);
}
static int
@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
+ sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
+
rte_free(action_set_list->action_sets);
rte_free(action_set_list);
-
- sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
}
static int
@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
sfc_mae_outer_rule_del(sa, rule->outer_rule);
TAILQ_REMOVE(&mae->action_rules, rule, entries);
- rte_free(rule);
-
sfc_dbg(sa, "deleted action_rule=%p", rule);
+ rte_free(rule);
}
static int
--
2.45.2
* [PATCH v9 10/17] net/cpfl: fix free of nonheap object
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (8 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 09/17] net/sfc: fix use-after-free warning messages Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
` (9 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang
With proper annotation, GCC discovers that this driver is
calling rte_free() on an object that was not allocated
(it is part of an array in another object).
In function ‘cpfl_flow_js_mr_layout’,
inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9,
inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9,
inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8,
inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8:
../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object]
740 | rte_free(js_mod->layout);
| ^~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON")
Cc: wenjing.qiao@intel.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/cpfl/cpfl_flow_parser.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c
index 011229a470..303e979015 100644
--- a/drivers/net/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/cpfl/cpfl_flow_parser.c
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js
return 0;
err:
- rte_free(js_mod->layout);
return -EINVAL;
}
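Review bot: with `rte_free(js_mod->layout)` gone, the `err:` label in cpfl_flow_js_mr_layout() does nothing except `return -EINVAL`, so the jumps to it could return directly and the label could be dropped. If the label is kept for future cleanup, a one-line comment saying that `layout` is embedded in the caller's object and must not be freed here would stop the call from being reintroduced.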
--
2.45.2
* [PATCH v9 11/17] net/nfp: fix duplicate call to rte_free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (9 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
` (8 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, chaoyong.he, Niklas Söderlund
Calling rte_free twice on the same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at ../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9: error: pointer 'entry' used after 'rte_free' [-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9: note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Cc: chaoyong.he@corigine.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
index 0078455658..64a0062c8b 100644
--- a/drivers/net/nfp/flower/nfp_flower_flow.c
+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
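Review bot: removing `rte_free(entry)` ahead of `rte_free(find_entry)` leaves the call at line 3830 quoted in the warning as the only release of `entry`, so please confirm the success path after `priv->pre_tun_cnt--` still falls through to it rather than returning early, otherwise the double free becomes a leak. The message carries a Fixes: tag but no Cc: stable@dpdk.org; add it if this is meant to be backported with the other fixes in the series.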
--
2.45.2
* [PATCH v9 12/17] raw/ifpga/base: fix use after free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (10 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 11/17] net/nfp: fix duplicate call to rte_free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 13/17] common/qat: " Stephen Hemminger
` (7 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei
The TAILQ_FOREACH() macro would refer to info after it
had been freed. Fix by introducing TAILQ_FOREACH_SAFE here.
Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c
index dd97a5f9fd..d5a9ceb6e3 100644
--- a/drivers/raw/ifpga/base/opae_intel_max10.c
+++ b/drivers/raw/ifpga/base/opae_intel_max10.c
@@ -6,6 +6,13 @@
#include <libfdt.h>
#include "opae_osdep.h"
+#ifndef TAILQ_FOREACH_SAFE
+#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
int max10_sys_read(struct intel_max10_device *dev,
unsigned int offset, unsigned int *val)
{
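Review bot: the fallback `TAILQ_FOREACH_SAFE` definition sits at the top of opae_intel_max10.c, so any other file in base/ that needs removal-safe iteration would have to repeat it. `opae_osdep.h`, which is included on the line just above, looks like the better home for a portability shim of this kind; the `#ifndef` guard itself is fine.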
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name,
static void max10_sensor_uinit(struct intel_max10_device *dev)
{
- struct opae_sensor_info *info;
+ struct opae_sensor_info *info, *next;
- TAILQ_FOREACH(info, &dev->opae_sensor_list, node) {
+ TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) {
TAILQ_REMOVE(&dev->opae_sensor_list, info, node);
opae_free(info);
}
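Review bot: in max10_sensor_uinit() the loop removes and frees every element, so `next` exists only to survive `opae_free(info)`. A drain loop of the form `while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL)` followed by the same TAILQ_REMOVE() and opae_free() would do the job without the extra macro or variable. This is a style point; the change as posted is correct.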
--
2.45.2
* [PATCH v9 13/17] common/qat: fix use after free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (11 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 12/17] raw/ifpga/base: fix use after free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
` (6 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, arkadiuszx.kusztal, Kai Ji, Ciara Power
Checking return value of rte_memzone_free() is pointless
and if it failed then it was because the pointer was null.
Fixes: 7b1374b1e6e7 ("common/qat: limit configuration to primary process")
Cc: arkadiuszx.kusztal@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/qat/qat_device.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 4a972a83bd..bca88fd9bd 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -390,11 +390,7 @@ qat_pci_device_allocate(struct rte_pci_device *pci_dev)
return qat_dev;
error:
rte_free(qat_dev->command_line);
- if (rte_memzone_free(qat_dev_mz)) {
- QAT_LOG(DEBUG,
- "QAT internal error! Trying to free already allocated memzone: %s",
- qat_dev_mz->name);
- }
+ rte_memzone_free(qat_dev_mz);
return NULL;
}
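Review bot: the subject says use after free but the log never says where it is; from the hunk it is the removed `QAT_LOG()` reading `qat_dev_mz->name` after `rte_memzone_free(qat_dev_mz)` has already been called, and saying so in the commit message would help anyone triaging the backport. The message also has a Fixes: tag without Cc: stable@dpdk.org.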
--
2.45.2
* [PATCH v9 14/17] drivers/ifpga: fix free function mismatch
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (12 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 13/17] common/qat: " Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
` (5 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim,
David Marchand
The raw ifpga driver redefines malloc to be opae_malloc
and free to be opae_free; which is a bad idea.
This leads to a case where interrupt efd array is allocated
with calloc() and then passed to rte_free. The workaround
is to allocate the array with rte_calloc() instead.
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
Cc: hkalra@marvell.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index 113a22b0a7..5b9b596435 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
nb_intr = rte_intr_nb_intr_get(*intr_handle);
- intr_efds = calloc(nb_intr, sizeof(int));
+ intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0);
if (!intr_efds)
return -ENOMEM;
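Review bot: `rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0)` moves a scratch array that is released on every exit path of ifpga_register_msix_irq() from the libc heap into huge-page memory. The log calls this a workaround for the driver redefining malloc/free, so a comment at this call explaining why rte_calloc() is used would keep someone from switching it back to calloc() and reintroducing the mismatch.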
@@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = opae_acc_set_irq(acc, vec_start, count, intr_efds);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
}
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id,
ret = rte_intr_callback_register(*intr_handle,
handler, (void *)arg);
if (ret) {
- free(intr_efds);
+ rte_free(intr_efds);
return -EINVAL;
}
IFPGA_RAWDEV_PMD_INFO("success register %s interrupt", name);
- free(intr_efds);
+ rte_free(intr_efds);
return 0;
}
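Review bot: `rte_free(intr_efds)` is now repeated on three exit paths (both `return -EINVAL` branches and the final `return 0`). Setting a return code and jumping to a single cleanup label that frees the array would keep the allocator/deallocator pairing in one place and make the next mismatch harder to introduce.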
--
2.45.2
* [PATCH v9 15/17] baseband/la12xx: prevent use after free
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (13 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 16/17] common/idpf: fix use after free due Stephen Hemminger
` (4 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev
Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh,
Akhil Goyal, Nipun Gupta, Nicolas Chautru
It is possible that the info pointer (hp) could get freed twice.
Fix by nulling after free.
In function 'setup_la12xx_dev',
inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
901 | rte_free(hp);
| ^~~~~~~~~~~~
../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
791 | rte_free(hp);
| ^~~~~~~~~~~~
Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
index af4b4f1e9a..2432cdf884 100644
--- a/drivers/baseband/la12xx/bbdev_la12xx.c
+++ b/drivers/baseband/la12xx/bbdev_la12xx.c
@@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
ipc_priv->hugepg_start.size = hp->len;
rte_free(hp);
+ hp = NULL;
}
dev_ipc = open_ipc_dev(priv->modem_id);
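Review bot: `hp = NULL` after `rte_free(hp)` turns the later call at line 901 quoted in the warning into a no-op, which removes the double free but leaves an assignment that looks dead when read in isolation. A short comment here saying the pointer is cleared because the shared cleanup path frees it again would keep it from being removed as redundant.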
--
2.45.2
* [PATCH v9 16/17] common/idpf: fix use after free due
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (14 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 15/17] baseband/la12xx: prevent use after free Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-08 16:47 ` [PATCH v9 17/17] eal: add function attributes for allocation functions Stephen Hemminger
` (3 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, junfeng.guo, Jingjing Wu, Xiao Wang, Beilei Xing
The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro. But they are not the same:
the _SAFE variant guarantees that there will not be use after free.
Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: junfeng.guo@intel.com
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
drivers/common/idpf/idpf_common_device.c | 3 +--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index e042ef871c..cf9e553906 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -341,10 +341,16 @@ idpf_hweight32(u32 num)
#define LIST_ENTRY_TYPE(type) LIST_ENTRY(type)
#endif
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#ifndef LIST_FOR_EACH_ENTRY_SAFE
#define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list) \
- LIST_FOREACH(pos, head, list)
-
+ LIST_FOREACH_SAFE(pos, head, list, temp)
#endif
#ifndef LIST_FOR_EACH_ENTRY
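Review bot: `LIST_FOR_EACH_ENTRY_SAFE` now expands to `LIST_FOREACH_SAFE(pos, head, list, temp)`, which assigns to `temp`, so any caller that passes `NULL` for it (as idpf_init_mbx() did before this patch) will stop compiling; please check the remaining users in the base code. `entry_type` is still ignored by the expansion, which deserves a comment, and the subject line ends mid-phrase ("due").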
diff --git a/drivers/common/idpf/idpf_common_device.c b/drivers/common/idpf/idpf_common_device.c
index 8403ed83f9..e9fa024850 100644
--- a/drivers/common/idpf/idpf_common_device.c
+++ b/drivers/common/idpf/idpf_common_device.c
@@ -136,8 +136,7 @@ idpf_init_mbx(struct idpf_hw *hw)
if (ret != 0)
return ret;
- LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
- struct idpf_ctlq_info, cq_list) {
+ LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
if (ctlq->q_id == IDPF_CTLQ_ID &&
ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
hw->asq = ctlq;
--
2.45.2
* [PATCH v9 17/17] eal: add function attributes for allocation functions
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (15 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 16/17] common/idpf: fix use after free due Stephen Hemminger
@ 2024-10-08 16:47 ` Stephen Hemminger
2024-10-10 15:07 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Konstantin Ananyev
` (2 subsequent siblings)
19 siblings, 0 replies; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Chengwen Feng, Anatoly Burakov, Tyler Retzlaff
The allocation functions take an alignment argument that
can be useful to hint the compiler optimizer. This is supported
by GCC and Clang but only useful with GCC because Clang gives
a warning if alignment is 0.
Newer versions of GCC have a malloc attribute that can be used to find
mismatches between allocation and free; the typical problem caught is a
pointer allocated with rte_malloc() that is then incorrectly freed using
free(). The name of the DPDK wrapper macros for these attributes
are chosen to be similar to what GLIBC is using in cdefs.h.
Note: The rte_free function prototype was moved ahead of the allocation
functions since the dealloc attribute now refers to it.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Chengwen Feng <fengchengwen@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
doc/guides/rel_notes/release_24_11.rst | 8 ++++
lib/eal/include/rte_common.h | 34 +++++++++++++++
lib/eal/include/rte_malloc.h | 59 ++++++++++++++++----------
3 files changed, 78 insertions(+), 23 deletions(-)
diff --git a/doc/guides/rel_notes/release_24_11.rst b/doc/guides/rel_notes/release_24_11.rst
index e0a9aa55a1..662cb66ebd 100644
--- a/doc/guides/rel_notes/release_24_11.rst
+++ b/doc/guides/rel_notes/release_24_11.rst
@@ -67,6 +67,14 @@ New Features
The new statistics are useful for debugging and profiling.
+* **Hardened rte_malloc and related functions.**
+
+ * Added function attributes to ``rte_malloc`` and similar functions
+ that can catch some obvious bugs at compile time (with GCC 11.0 or later).
+ Examples: calling ``free()`` on pointer that was allocated with ``rte_malloc``
+ (and vice versa); freeing the same pointer twice in the same routine;
+ freeing an object that was not created by allocation; etc.
+
Removed Items
-------------
diff --git a/lib/eal/include/rte_common.h b/lib/eal/include/rte_common.h
index eec0400dad..a53051072e 100644
--- a/lib/eal/include/rte_common.h
+++ b/lib/eal/include/rte_common.h
@@ -228,6 +228,40 @@ typedef uint16_t unaligned_uint16_t;
#define __rte_alloc_size(...)
#endif
+/**
+ * Tells the compiler that the function returns a value that points to
+ * memory aligned by a function argument.
+ *
+ * Note: not enabled on Clang because it warns if align argument is zero.
+ */
+#if defined(RTE_CC_GCC)
+#define __rte_alloc_align(argno) \
+ __attribute__((alloc_align(argno)))
+#else
+#define __rte_alloc_align(argno)
+#endif
+
+/**
+ * Tells the compiler this is a function like malloc and that the pointer
+ * returned cannot alias any other pointer (ie new memory).
+ */
+#if defined(RTE_CC_GCC) || defined(RTE_CC_CLANG)
+#define __rte_malloc __attribute__((__malloc__))
+#else
+#define __rte_malloc
+#endif
+
+/**
+ * With recent GCC versions also able to track that proper
+ * deallocator function is used for this pointer.
+ */
+#if defined(RTE_TOOLCHAIN_GCC) && (GCC_VERSION >= 110000)
+#define __rte_dealloc(dealloc, argno) \
+ __attribute__((malloc(dealloc, argno)))
+#else
+#define __rte_dealloc(dealloc, argno)
+#endif
+
#define RTE_PRIORITY_LOG 101
#define RTE_PRIORITY_BUS 110
#define RTE_PRIORITY_CLASS 120
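Review bot: the three guards use different conventions: `__rte_alloc_align` and `__rte_malloc` test `RTE_CC_GCC` / `RTE_CC_CLANG`, while `__rte_dealloc` tests `RTE_TOOLCHAIN_GCC` together with `GCC_VERSION >= 110000`. If either family is not defined in every build configuration, the affected macro silently expands to nothing and the checking is lost without any error, so please settle on one. The `__rte_dealloc` comment is also not a complete sentence and does not document the `dealloc` and `argno` parameters.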
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index 1f91e7bdde..c8836de67c 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -31,6 +31,26 @@ struct rte_malloc_socket_stats {
size_t heap_allocsz_bytes; /**< Total allocated bytes on heap */
};
+/**
+ * Functions that expect return value to be freed with rte_free()
+ */
+#define __rte_dealloc_free __rte_dealloc(rte_free, 1)
+
+/**
+ * Frees the memory space pointed to by the provided pointer.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ * The pointer to memory to be freed.
+ */
+void
+rte_free(void *ptr);
+
/**
* This function allocates memory from the huge-page area of memory. The memory
* is not cleared. In NUMA systems, the memory allocated resides on the same
@@ -54,7 +74,8 @@ struct rte_malloc_socket_stats {
*/
void *
rte_malloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -81,7 +102,8 @@ rte_malloc(const char *type, size_t size, unsigned align)
*/
void *
rte_zmalloc(const char *type, size_t size, unsigned align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -108,7 +130,8 @@ rte_zmalloc(const char *type, size_t size, unsigned align)
*/
void *
rte_calloc(const char *type, size_t num, size_t size, unsigned align)
- __rte_alloc_size(2, 3);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
@@ -132,7 +155,8 @@ rte_calloc(const char *type, size_t num, size_t size, unsigned align)
*/
void *
rte_realloc(void *ptr, size_t size, unsigned int align)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for realloc(), using huge-page memory. Reserved area
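Review bot: `__rte_malloc` on rte_realloc() tells the compiler the returned pointer aliases no other pointer and refers to new memory, but a realloc may hand back the block `ptr` already points to, and the GCC documentation for the malloc attribute names realloc-like functions as not having this property. Suggest keeping `__rte_dealloc_free` here and on rte_realloc_socket() in the next hunk, and dropping `__rte_malloc` from both.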
@@ -158,7 +182,8 @@ rte_realloc(void *ptr, size_t size, unsigned int align)
*/
void *
rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* This function allocates memory from the huge-page area of memory. The memory
@@ -185,7 +210,8 @@ rte_realloc_socket(void *ptr, size_t size, unsigned int align, int socket)
*/
void *
rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Allocate zeroed memory from the heap.
@@ -214,7 +240,8 @@ rte_malloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
- __rte_alloc_size(2);
+ __rte_alloc_size(2) __rte_alloc_align(3)
+ __rte_malloc __rte_dealloc_free;
/**
* Replacement function for calloc(), using huge-page memory. Memory area is
@@ -243,22 +270,8 @@ rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
*/
void *
rte_calloc_socket(const char *type, size_t num, size_t size, unsigned align, int socket)
- __rte_alloc_size(2, 3);
-
-/**
- * Frees the memory space pointed to by the provided pointer.
- *
- * This pointer must have been returned by a previous call to
- * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
- * rte_free() is undefined if the pointer does not match this requirement.
- *
- * If the pointer is NULL, the function does nothing.
- *
- * @param ptr
- * The pointer to memory to be freed.
- */
-void
-rte_free(void *ptr);
+ __rte_alloc_size(2, 3) __rte_alloc_align(4)
+ __rte_malloc __rte_dealloc_free;
/**
* If malloc debug is enabled, check a memory block for header
--
2.45.2
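The annotation pattern from the patch above, as an added stand-alone example (not DPDK code and not from the patch author): a small header-prefixed allocator whose `demo_*` names and macros are hypothetical stand-ins for `rte_malloc()`, `rte_free()`, `__rte_malloc` and `__rte_dealloc`. The `DEMO_SHOW_BUGS` section holds the bug classes this series fixed and is compiled only on request, so the rest builds without diagnostics.

```c
/* Added example: deallocator-aware malloc attributes on a wrapper allocator.
 * Every demo_* name is hypothetical; none of this is DPDK code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the patch's macros: the plain malloc attribute everywhere,
 * the deallocator form only on GCC 11 or later. Clang also defines
 * __GNUC__, so it is excluded explicitly. */
#define demo_malloc __attribute__((__malloc__))
#if defined(__GNUC__) && !defined(__clang__) && (__GNUC__ >= 11)
#define demo_dealloc(fn, argno) __attribute__((malloc(fn, argno)))
#else
#define demo_dealloc(fn, argno)
#endif
/* Kept out of line so callers see only the annotated prototypes. */
#define demo_noinline __attribute__((noinline))

/* The deallocator has to be declared before an attribute can name it,
 * which is why the patch moves rte_free() ahead of the allocators. */
demo_noinline void demo_free(void *ptr);

demo_noinline void *demo_alloc(size_t size)
	demo_malloc demo_dealloc(demo_free, 1);

/* The returned pointer sits behind a private header, so passing it to
 * libc free() would give free() an address malloc() never returned. */
union demo_hdr {
	max_align_t align;	/* keeps the payload suitably aligned */
	size_t size;
};

static unsigned int demo_live;	/* allocations not yet released */

void *demo_alloc(size_t size)
{
	union demo_hdr *hdr = malloc(sizeof(*hdr) + size);

	if (hdr == NULL)
		return NULL;
	hdr->size = size;
	demo_live++;
	return hdr + 1;
}

void demo_free(void *ptr)
{
	union demo_hdr *hdr;

	if (ptr == NULL)	/* same contract as rte_free(NULL) */
		return;
	hdr = (union demo_hdr *)ptr - 1;
	demo_live--;
	free(hdr);
}

/* Correct pairing; returns the number of allocations still outstanding. */
unsigned int demo_roundtrip(size_t n)
{
	unsigned char *buf = demo_alloc(n);

	if (buf == NULL)
		return demo_live;
	memset(buf, 0xab, n);
	demo_free(buf);
	return demo_live;
}

/* The la12xx-style fix: clear the pointer after the first free so a
 * second free on a shared cleanup path is a no-op. */
unsigned int demo_cleanup_twice(void)
{
	char *hp = demo_alloc(32);

	demo_free(hp);
	hp = NULL;
	demo_free(hp);
	return demo_live;
}

#ifdef DEMO_SHOW_BUGS
/* Build with: gcc -Wall -DDEMO_SHOW_BUGS to see the compile-time reports. */
void demo_mismatch(void)
{
	char *p = demo_alloc(32);

	free(p);		/* GCC 11+: -Wmismatched-dealloc */
}

void demo_double_free(void)
{
	char *p = demo_alloc(32);

	demo_free(p);
	demo_free(p);		/* GCC 12+: -Wuse-after-free */
}

void demo_nonheap(void)
{
	char slot[16] = "";

	demo_free(slot);	/* -Wfree-nonheap-object */
}
#endif

int main(void)
{
	printf("outstanding after round trip: %u\n", demo_roundtrip(64));
	printf("outstanding after guarded cleanup: %u\n", demo_cleanup_twice());
	return 0;
}
```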
* Re: [PATCH v7 00/16] Fix allocation bugs and prevent future ones
2024-10-04 14:57 ` David Marchand
@ 2024-10-08 16:50 ` Stephen Hemminger
2024-10-10 10:14 ` David Marchand
0 siblings, 1 reply; 196+ messages in thread
From: Stephen Hemminger @ 2024-10-08 16:50 UTC (permalink / raw)
To: David Marchand; +Cc: dev
On Fri, 4 Oct 2024 16:57:16 +0200
David Marchand <david.marchand@redhat.com> wrote:
> >
> > It seems v7 lost the last patch that was introducing and using the
> > annotations in rte_malloc.
> > Was there an issue with this patch, or is it just a series submission issue?
>
> Btw, reading gcc documentation, it seems the check is only enabled
> with -fanalyzer.
> Can we add this in the CI?
>
> If we can't enable all of -fanalyzer checks, maybe go with a subset of
> it, like -Wanalyzer-allocation-size
> -Wanalyzer-mismatching-deallocation ?
I didn't enable -fanalyzer in my build, and all these bugs showed up.
Turning on full analyzer does give better and more thorough checking though.
* RE: [EXTERNAL] [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code
2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger
@ 2024-10-08 16:54 ` Pavan Nikhilesh Bhagavatula
0 siblings, 0 replies; 196+ messages in thread
From: Pavan Nikhilesh Bhagavatula @ 2024-10-08 16:54 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable
> The code to cleanup in case of error would dereference a null pointer
> then pass that result to rte_free.
>
> Fixes: 97a05c1fe634 ("event/cnxk: add port config")
> Cc: sthotton@marvell.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Thanks Stephen,
Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com>
* Re: [PATCH v9 05/17] examples/vhost: fix free function mismatch
2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger
@ 2024-10-09 6:27 ` Chenbo Xia
0 siblings, 0 replies; 196+ messages in thread
From: Chenbo Xia @ 2024-10-09 6:27 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev, stable, Chengwen Feng, Maxime Coquelin, Jin Yu
> On Oct 9, 2024, at 00:47, Stephen Hemminger <stephen@networkplumber.org> wrote:
>
> The pointer bdev is allocated with rte_zmalloc() and then
> incorrectly freed with free() which will lead to pool corruption.
>
> Bugzilla ID: 1553
> Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample")
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Chengwen Feng <fengchengwen@huawei.com>
> ---
> examples/vhost_blk/vhost_blk.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c
> index 03f1ac9c3f..9c9e326949 100644
> --- a/examples/vhost_blk/vhost_blk.c
> +++ b/examples/vhost_blk/vhost_blk.c
> @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name,
> bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);
> if (!bdev->data) {
> fprintf(stderr, "No enough reserved huge memory for disk\n");
> - free(bdev);
> + rte_free(bdev);
> return NULL;
> }
>
> --
> 2.45.2
>
Reviewed-by: Chenbo Xia <chenbox@nvidia.com>
* Re: [PATCH v7 00/16] Fix allocation bugs and prevent future ones
2024-10-08 16:50 ` Stephen Hemminger
@ 2024-10-10 10:14 ` David Marchand
0 siblings, 0 replies; 196+ messages in thread
From: David Marchand @ 2024-10-10 10:14 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
On Tue, Oct 8, 2024 at 6:50 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> On Fri, 4 Oct 2024 16:57:16 +0200
> David Marchand <david.marchand@redhat.com> wrote:
>
> > >
> > > It seems v7 lost the last patch that was introducing and using the
> > > annotations in rte_malloc.
> > > Was there an issue with this patch, or is it just a series submission issue?
> >
> > Btw, reading gcc documentation, it seems the check is only enabled
> > with -fanalyzer.
> > Can we add this in the CI?
> >
> > If we can't enable all of -fanalyzer checks, maybe go with a subset of
> > it, like -Wanalyzer-allocation-size
> > -Wanalyzer-mismatching-deallocation ?
>
>
> I didn't enable -fanalyzer in my build, and all these bugs showed up.
Ok, there was probably something wrong in my testing earlier.
I can see the errors fine now that I applied the annotations first...
This is a nice tool, let me see if I can get this in for rc1.
--
David Marchand
* RE: [PATCH v9 00/17] Use malloc function attribute to uncover bugs
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (16 preceding siblings ...)
2024-10-08 16:47 ` [PATCH v9 17/17] eal: add function attributes for allocation functions Stephen Hemminger
@ 2024-10-10 15:07 ` Konstantin Ananyev
2024-10-10 15:30 ` Wathsala Wathawana Vithanage
2024-10-10 16:58 ` David Marchand
19 siblings, 0 replies; 196+ messages in thread
From: Konstantin Ananyev @ 2024-10-10 15:07 UTC (permalink / raw)
To: Stephen Hemminger, dev
> Recent versions of GCC have some additional function attributes that can
> help with DPDK performance and stability.
>
> The alloc_align attribute tells the compiler what the alignment
> of the allocation will be, and the optimizer can use this to produce
> better code (especially memcpy and structure copies).
>
> The malloc attribute tells compiler that object is not overlapping
> and potentially aliasing. It also has an additional variant in GCC 11
> or later that allows for detecting all sorts of common errors like
> calling free() on memory allocated with rte_malloc().
>
> In order to use the malloc attribute the free function prototype
> needs to be moved before the allocator/create function prototype
> so that the malloc attribute can refer to it.
>
> This uncovered at least 16 pre-existing bugs in DPDK, these
> should go to stable. This patch set is structured with:
> - fix any new warnings that were discovered
> - add macros for enable the macros
> - enable the attributes
>
> The same attributes could be added to lots more functions in DPDK,
> but this patch set focuses on the key ones, and where problems
> exist in current code base.
>
> v9 - correct the event/cnxk patch
>
> Stephen Hemminger (17):
> memzone: fix use after free in tracing
> cryptodev/bcmfs: fix mis-matched free
> dma/ixd: fix incorrect free function in cleanup
> event/cnxk: fix free of non-heap in cleanup code
> examples/vhost: fix free function mismatch
> net/cnxk: fix use-after-free
> bpf: fix free mismatch if convert fails
> net/e1000: fix use-after-free
> net/sfc: fix use-after-free warning messages
> net/cpfl: fix free of nonheap object
> net/nfp: fix duplicate call to rte_free
> raw/ifpga/base: fix use after free
> common/qat: fix use after free
> drivers/ifpga: fix free function mismatch
> baseband/la12xx: prevent use after free
> common/idpf: fix use after free due
> eal: add function attributes for allocation functions
>
> doc/guides/rel_notes/release_24_11.rst | 8 +++
> drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
> drivers/common/idpf/base/idpf_osdep.h | 10 +++-
> drivers/common/idpf/idpf_common_device.c | 3 +-
> drivers/common/qat/qat_device.c | 6 +--
> drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
> drivers/dma/idxd/idxd_pci.c | 2 +-
> drivers/event/cnxk/cnxk_eventdev.c | 2 +-
> drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
> drivers/net/cpfl/cpfl_flow_parser.c | 1 -
> drivers/net/e1000/igb_ethdev.c | 4 +-
> drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
> drivers/net/sfc/sfc_flow_rss.c | 4 +-
> drivers/net/sfc/sfc_mae.c | 23 ++++-----
> drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
> drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
> examples/vhost_blk/vhost_blk.c | 2 +-
> lib/bpf/bpf_convert.c | 2 +-
> lib/eal/common/eal_common_memzone.c | 3 +-
> lib/eal/include/rte_common.h | 34 +++++++++++++
> lib/eal/include/rte_malloc.h | 59 ++++++++++++++---------
> 21 files changed, 124 insertions(+), 66 deletions(-)
>
Series-Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
> --
> 2.45.2
* RE: [PATCH v9 00/17] Use malloc function attribute to uncover bugs
2024-10-08 16:47 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Stephen Hemminger
` (17 preceding siblings ...)
2024-10-10 15:07 ` [PATCH v9 00/17] Use malloc function attribute to uncover bugs Konstantin Ananyev
@ 2024-10-10 15:30 ` Wathsala Wathawana Vithanage
2024-10-10 16:58 ` David Marchand
19 siblings, 0 replies; 196+ messages in thread
From: Wathsala Wathawana Vithanage @ 2024-10-10 15:30 UTC (permalink / raw)
To: Stephen Hemminger, dev; +Cc: nd
> Subject: [PATCH v9 00/17] Use malloc function attribute to uncover bugs
>
> Recent versions of GCC have some additional function attributes that can help
> with DPDK performance and stability.
>
> The alloc_align attribute tells the compiler what the alignment of the allocation
> will be, and the optimizer can use this to produce better code (especially
> memcpy and structure copies).
>
> The malloc attribute tells compiler that object is not overlapping and
> potentially aliasing. It also has an additional variant in GCC 11 or later that
> allows for detecting all sorts of common errors like calling free() on memory
> allocated with rte_malloc().
>
> In order to use the malloc attribute the free function prototype needs to be
> moved before the allocator/create function prototype so that the malloc
> attribute can refer to it.
>
> This uncovered at least 16 pre-existing bugs in DPDK, these should go to
> stable. This patch set is structured with:
> - fix any new warnings that were discovered
> - add macros for enable the macros
> - enable the attributes
>
> The same attributes could be added to lots more functions in DPDK, but this
> patch set focuses on the key ones, and where problems exist in current code
> base.
>
> v9 - correct the event/cnxk patch
>
> Stephen Hemminger (17):
> memzone: fix use after free in tracing
> cryptodev/bcmfs: fix mis-matched free
> dma/ixd: fix incorrect free function in cleanup
> event/cnxk: fix free of non-heap in cleanup code
> examples/vhost: fix free function mismatch
> net/cnxk: fix use-after-free
> bpf: fix free mismatch if convert fails
> net/e1000: fix use-after-free
> net/sfc: fix use-after-free warning messages
> net/cpfl: fix free of nonheap object
> net/nfp: fix duplicate call to rte_free
> raw/ifpga/base: fix use after free
> common/qat: fix use after free
> drivers/ifpga: fix free function mismatch
> baseband/la12xx: prevent use after free
> common/idpf: fix use after free due
> eal: add function attributes for allocation functions
>
> doc/guides/rel_notes/release_24_11.rst | 8 +++
> drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
> drivers/common/idpf/base/idpf_osdep.h | 10 +++-
> drivers/common/idpf/idpf_common_device.c | 3 +-
> drivers/common/qat/qat_device.c | 6 +--
> drivers/crypto/bcmfs/bcmfs_device.c | 4 +-
> drivers/dma/idxd/idxd_pci.c | 2 +-
> drivers/event/cnxk/cnxk_eventdev.c | 2 +-
> drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +-
> drivers/net/cpfl/cpfl_flow_parser.c | 1 -
> drivers/net/e1000/igb_ethdev.c | 4 +-
> drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
> drivers/net/sfc/sfc_flow_rss.c | 4 +-
> drivers/net/sfc/sfc_mae.c | 23 ++++-----
> drivers/raw/ifpga/base/opae_intel_max10.c | 11 ++++-
> drivers/raw/ifpga/ifpga_rawdev.c | 8 +--
> examples/vhost_blk/vhost_blk.c | 2 +-
> lib/bpf/bpf_convert.c | 2 +-
> lib/eal/common/eal_common_memzone.c | 3 +-
> lib/eal/include/rte_common.h | 34 +++++++++++++
> lib/eal/include/rte_malloc.h | 59 ++++++++++++++---------
> 21 files changed, 124 insertions(+), 66 deletions(-)
>
> --
> 2.45.2
Acked-by: Wathsala Vithanage <wathsala.vithanage@arm.com>
* Re: [PATCH v9 00/17] Use malloc function attribute to uncover bugs
From: David Marchand @ 2024-10-10 16:58 UTC (permalink / raw)
To: Stephen Hemminger
Cc: dev, Konstantin Ananyev, Wathsala Wathawana Vithanage,
Morten Brørup, Tyler Retzlaff, Burakov, Anatoly,
Chengwen Feng, Thomas Monjalon
On Tue, Oct 8, 2024 at 6:49 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> Recent versions of GCC have some additional function attributes that can
> help with DPDK performance and stability.
>
> The alloc_align attribute tells the compiler what the alignment
> of the allocation will be, and the optimizer can use this to produce
> better code (especially memcpy and structure copies).
>
> The malloc attribute tells compiler that object is not overlapping
> and potentially aliasing. It also has an additional variant in GCC 11
> or later that allows for detecting all sorts of common errors like
> calling free() on memory allocated with rte_malloc().
>
> In order to use the malloc attribute the free function prototype
> needs to be moved before the allocator/create function prototype
> so that the malloc attribute can refer to it.
>
> This uncovered at least 16 pre-existing bugs in DPDK, these
> should go to stable. This patch set is structured with:
> - fix any new warnings that were discovered
> - add macros for enable the macros
> - enable the attributes
>
> The same attributes could be added to lots more functions in DPDK,
> but this patch set focuses on the key ones, and where problems
> exist in current code base.
Series applied.
Thanks Stephen.
--
David Marchand
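
The allocator/deallocator pairing described in the cover letter quoted above, as an added example that is not part of this thread or of DPDK's code. The names `demo_malloc`, `demo_free`, `DEMO_DEALLOC`, `DEMO_ALLOC_ALIGN` and `DEMO_MISMATCH` are hypothetical; the toy allocator keeps a header below the returned pointer, so handing that pointer to plain `free()` would corrupt the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical macro names; the malloc(fn, argno) form needs GCC 11+. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#define DEMO_DEALLOC(fn, argno) __attribute__((malloc, malloc(fn, argno)))
#else
#define DEMO_DEALLOC(fn, argno) __attribute__((malloc))
#endif
#define DEMO_ALLOC_ALIGN(argno) __attribute__((alloc_align(argno)))

/* Bookkeeping stored just below every pointer handed to the caller. */
struct demo_hdr {
	void *raw; /* what malloc() really returned */
};

static size_t demo_live; /* blocks currently allocated */

/* The free function is declared first so the attribute below can name it. */
void demo_free(void *ptr);

void *demo_malloc(size_t size, size_t align)
	DEMO_DEALLOC(demo_free, 1) DEMO_ALLOC_ALIGN(2);

void *demo_malloc(size_t size, size_t align)
{
	unsigned char *raw;
	uintptr_t user;

	/* alloc_align promises a power-of-two alignment; refuse anything else. */
	if (align < sizeof(void *) || (align & (align - 1)) != 0)
		return NULL;
	if (size > SIZE_MAX - align - sizeof(struct demo_hdr))
		return NULL;
	raw = malloc(size + align + sizeof(struct demo_hdr));
	if (raw == NULL)
		return NULL;
	user = ((uintptr_t)raw + sizeof(struct demo_hdr) + align - 1)
		& ~((uintptr_t)align - 1);
	((struct demo_hdr *)user)[-1].raw = raw;
	demo_live++;
	return (void *)user;
}

void demo_free(void *ptr)
{
	if (ptr == NULL)
		return;
	demo_live--;
	free(((struct demo_hdr *)ptr)[-1].raw);
}

/* Returns 1 if the block was aligned and released by the matching function. */
int demo_roundtrip(size_t size, size_t align)
{
	size_t before = demo_live;
	void *p = demo_malloc(size, align);
	int ok;

	if (p == NULL)
		return 0;
	ok = ((uintptr_t)p & (align - 1)) == 0 && demo_live == before + 1;
#ifdef DEMO_MISMATCH
	free(p); /* interior pointer: GCC 11+ flags this with -Wmismatched-dealloc */
#else
	demo_free(p);
#endif
	return ok && demo_live == before;
}

int main(void)
{
	return demo_roundtrip(100, 64) ? 0 : 1;
}
```

Building with `-DDEMO_MISMATCH` on GCC 11 or later is for reading the compile-time diagnostic only; that variant should not be run.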