From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) by dpdk.org (Postfix) with ESMTP id 0440E5424 for ; Thu, 22 Nov 2018 23:10:03 +0100 (CET) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 7D41822077; Thu, 22 Nov 2018 17:10:03 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Thu, 22 Nov 2018 17:10:03 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h= from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:content-type; s=mesmtp; bh=vQ2XF3JjsOqb6h1hSJUwthi9lCfA5U5B8CVin0KfOSw=; b=opE6rciGef5E cixo5bIL+VrOjAaV08DW+RPKrJ7Fa8MMV/9t57F5k1bYyKf2zctrLSmV1Dro/bGJ 8yL+KVKIPhYHg4fm9/oRbWPrn0QspYlfiwaR1JDdj2DO0pZ7s89AazHi6isDd1jp IP49H2ubQj+2qx3AlqJ3ap4h2XOpXHM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=vQ2XF3JjsOqb6h1hSJUwthi9lCfA5U5B8CVin0KfO Sw=; b=WjuJDY+2WeYDRhMUb6Ky6P87WH0J1zU7zybbri+e2PuKNd3YBBDSMdWvF BE7zCyg3V+Fb71+0aMdBM2ezlnWOWVke6BOW83EYM9IU4jRO2yDygD+Lqe4tZv37 5PkEEykCVCnmpqb5MXJM/GyDGbHXHzsduGe9PMWaOQOXXcFSfFsseKrwoAOXTyuz 5lHoDUJpqXmtk4QlGQwPvdsRnUg4cqjnrP1e5/PkNz1Igv8BtiD8r0ZmoLwG0fBZ gCCpQKzWYuy1uVJSe1YmkCaqEqGA4vg/tg7wna54Kt991kgTUqu1YInZnOI3UaEF eemQRGk02wYUawMTdsUuXvNLmEFrw== X-ME-Sender: X-ME-Proxy: Received: from xps.localnet (184.203.134.77.rev.sfr.net [77.134.203.184]) by mail.messagingengine.com (Postfix) with ESMTPA id CBBD8102A0; Thu, 22 Nov 2018 17:10:01 -0500 (EST) From: Thomas Monjalon To: Anatoly Burakov Cc: dev@dpdk.org Date: Thu, 22 Nov 2018 23:09:57 +0100 Message-ID: <3087286.9lSO7AOfn4@xps> In-Reply-To: <69497bc41646c6dd5eebb097b3bdc8a2136aeb53.1542730524.git.anatoly.burakov@intel.com> References: <3ac0562bbdfbabbcb2bdf5fec9e0ffa777475e2b.1542727150.git.anatoly.burakov@intel.com> <69497bc41646c6dd5eebb097b3bdc8a2136aeb53.1542730524.git.anatoly.burakov@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Subject: Re: [dpdk-dev] [PATCH v2] ipc: fix use-after-free on failed send X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Nov 2018 22:10:04 -0000 20/11/2018 17:18, Anatoly Burakov: > Previous fix for rte_panic has moved setting of alarm before > sending the message. This means that whether we send a message, > the alarm would still trigger. The comment noted that cleanup > would happen in the alarm handler, but that's not what actually > happened - instead, in the event of failed send we freed the > memory in-place, before putting the request on the queue. > > This works OK when the message is sent, but when sending the > message fails, the alarm would still trigger with a pointer > argument that points to non-existent memory, and cause > memory corruption. > > There probably is a "proper" fix for this issue, with correct > handling of sent vs. unsent requests, however it would be > simpler just to sacrifice the sent request in the (extremely > unlikely) event of alarm set failing. The other process would > still send a response, but it will be ignored by the sender. > > Fixes: 45e5f49e87fb ("ipc: remove panic in async request") > > Signed-off-by: Anatoly Burakov Applied, thanks