From: "Singh, Jasvinder"
To: "Dumitrescu, Cristian", "dev@dpdk.org"
Date: Mon, 16 Jul 2018 17:25:45 +0000
Message-ID: <54CBAA185211B4429112C315DA58FF6D335D8B6F@IRSMSX103.ger.corp.intel.com>
Subject: Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access

> -----Original Message-----
> From: Dumitrescu, Cristian
> Sent: Monday, July 16, 2018 5:04 PM
> To: Singh, Jasvinder; dev@dpdk.org
> Subject: RE: [PATCH] net/softnic: fix illegal memory access
>
> > -----Original Message-----
> > From: Singh, Jasvinder
> > Sent: Monday, July 16, 2018 1:42 PM
> > To: dev@dpdk.org
> > Cc: Dumitrescu, Cristian
> > Subject: [PATCH] net/softnic: fix illegal memory access
> >
> > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> >
> > Coverity issue: 302867
> > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> >
> > Signed-off-by: Jasvinder Singh
> > --- > > drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++-- > > 1 file changed, 6 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c > > b/drivers/net/softnic/rte_eth_softnic_swq.c > > index 1944fbb..604a2cc 100644 > > --- a/drivers/net/softnic/rte_eth_softnic_swq.c > > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p) void > > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p) { > > - struct softnic_swq *swq; > > + for ( ; ; ) { > > + struct softnic_swq *swq; > > + > > + swq =3D TAILQ_FIRST(&p->swq_list); > > + if (swq =3D=3D NULL) > > + break; > > > > - TAILQ_FOREACH(swq, &p->swq_list, node) { > > if ((strncmp(swq->name, "RXQ", strlen("RXQ")) =3D=3D 0) || > > (strncmp(swq->name, "TXQ", strlen("TXQ")) =3D=3D 0)) > > continue; > > -- > > 2.9.3
>
> Where is the bug? We simply parse a linked list to free each element.

Below is coverity log on the issue;

void
softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
{
        struct softnic_swq *swq;

    1. Condition swq, taking true branch.
    4. Condition swq, taking true branch.
    7. alias: Assigning: swq = swq->node.tqe_next. Now both point to the same storage.
    8. Condition swq, taking true branch.

CID 302867 (#1-2 of 2): Read from pointer after free (USE_AFTER_FREE)
    15. deref_after_free: Dereferencing freed pointer swq.
        TAILQ_FOREACH(swq, &p->swq_list, node) {
    2. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
    5. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
    9. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking false branch.
    10. Condition strncmp(swq->name, "TXQ", strlen("TXQ")) == 0, taking false branch.
                if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
                        (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
    3. Continuing loop.
    6. Continuing loop.
                        continue;

    11. Condition swq->node.tqe_next != NULL, taking true branch.
    12. Falling through to end of if statement.
                TAILQ_REMOVE(&p->swq_list, swq, node);
                rte_ring_free(swq->r);
    13. freed_arg: free frees swq.
                free(swq);
    14. Jumping back to the beginning of the loop.
        }
}
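
Review bot: In the new for ( ; ; ) loop, the unchanged `continue` for "RXQ"/"TXQ" entries jumps straight back to `swq = TAILQ_FIRST(&p->swq_list)`, and because a kept entry is never removed, TAILQ_FIRST returns that same element again, so the loop cannot terminate once a kept queue sits at the head of the list. Restarting from the head is only safe when every visited element is removed. Suggest keeping a forward walk and reading the successor before the element is freed, for example `next = TAILQ_NEXT(swq, node);` at the top of the body with `swq = next` as the loop step, which also removes the read of swq->node.tqe_next after free(swq) that the Coverity trace reports.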
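
The removal pattern the Coverity trace above calls for, as an added example that is not part of the original thread or the DPDK source: it walks a sys/queue.h TAILQ, frees every entry except those named RXQ*/TXQ*, and reads the successor before the current node is freed. `struct swq`, `free_keep_rxq_txq` and `demo` are hypothetical stand-ins, and the four queue names are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* Hypothetical stand-in for the driver's struct softnic_swq. */
struct swq {
	TAILQ_ENTRY(swq) node;
	char name[16];
};
TAILQ_HEAD(swq_list, swq);

/* Free every entry except the RXQ and TXQ ones, which stay on the list. */
static void free_keep_rxq_txq(struct swq_list *l)
{
	struct swq *s, *next;

	for (s = TAILQ_FIRST(l); s != NULL; s = next) {
		next = TAILQ_NEXT(s, node); /* read the link while s is still valid */
		if (strncmp(s->name, "RXQ", strlen("RXQ")) == 0 ||
		    strncmp(s->name, "TXQ", strlen("TXQ")) == 0)
			continue; /* the for-increment still advances to next */
		TAILQ_REMOVE(l, s, node);
		free(s);
	}
}

/* Constructed list RXQ0, SWQ0, TXQ0, SWQ1; returns how many entries were kept. */
static int demo(void)
{
	static const char *names[] = { "RXQ0", "SWQ0", "TXQ0", "SWQ1" };
	struct swq_list l = TAILQ_HEAD_INITIALIZER(l);
	struct swq *s;
	int i, kept = 0;

	for (i = 0; i < 4; i++) {
		if ((s = calloc(1, sizeof(*s))) == NULL)
			return -1;
		strcpy(s->name, names[i]);
		TAILQ_INSERT_TAIL(&l, s, node);
	}
	free_keep_rxq_txq(&l);
	while ((s = TAILQ_FIRST(&l)) != NULL) { /* count and release the kept ones */
		TAILQ_REMOVE(&l, s, node);
		free(s);
		kept++;
	}
	return kept;
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

The sample list puts a kept entry (RXQ0) at the head on purpose: the walk still terminates because it never restarts from TAILQ_FIRST after a `continue`.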