From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <christian.ehrhardt@canonical.com>
Received: from mail-qg0-f51.google.com (mail-qg0-f51.google.com
 [209.85.192.51]) by dpdk.org (Postfix) with ESMTP id 3F1DE2C59
 for <dev@dpdk.org>; Wed, 16 Mar 2016 14:34:48 +0100 (CET)
Received: by mail-qg0-f51.google.com with SMTP id a36so11068957qge.0
 for <dev@dpdk.org>; Wed, 16 Mar 2016 06:34:48 -0700 (PDT)
X-Received: by 10.140.156.138 with SMTP id c132mr5568026qhc.96.1458135287650; 
 Wed, 16 Mar 2016 06:34:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.169.6 with HTTP; Wed, 16 Mar 2016 06:34:28 -0700 (PDT)
In-Reply-To: <56E95C29.1060600@6wind.com>
References: <1458131629-21925-1-git-send-email-christian.ehrhardt@canonical.com>
 <1458131629-21925-4-git-send-email-christian.ehrhardt@canonical.com>
 <56E95C29.1060600@6wind.com>
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Wed, 16 Mar 2016 14:34:28 +0100
Message-ID: <CAATJJ0LqPQ2Vby_JzB-cKmtxmxk4kK+6vUzCHbyDpK754rQmaA@mail.gmail.com>
To: Olivier MATZ <olivier.matz@6wind.com>
Cc: Bruce Richardson <bruce.richardson@intel.com>, dev <dev@dpdk.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 13:34:48 -0000

Hi,
looking at it I think we have intersections but also parts of yours that I
missed.
More than that, while applying your changes I found other potential
use-after-free cases.

I'll wrap that all up together in a v3 of my series.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Wed, Mar 16, 2016 at 2:14 PM, Olivier MATZ <olivier.matz@6wind.com>
wrote:

> Hi Christian,
>
> On 03/16/2016 01:33 PM, Christian Ehrhardt wrote:
>
>> Fixing lpm6 regarding a similar issue showed that in rte_lpm_free lpm
>> might not be freed if it didn't find a te (early return)
>>
>> Acked-by: Bruce Richardson <bruce.richardson@intel.com>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---
>>   lib/librte_lpm/rte_lpm.c | 8 ++------
>>   1 file changed, 2 insertions(+), 6 deletions(-)
>>
>> diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c
>> index ccaaa2a..d5fa1f8 100644
>> --- a/lib/librte_lpm/rte_lpm.c
>> +++ b/lib/librte_lpm/rte_lpm.c
>> @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm)
>>                 if (te->data == (void *) lpm)
>>                         break;
>>         }
>> -       if (te == NULL) {
>> -               rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK);
>> -               return;
>> -       }
>> -
>> -       TAILQ_REMOVE(lpm_list, te, next);
>> +       if (te != NULL)
>> +               TAILQ_REMOVE(lpm_list, te, next);
>>
>>         rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK);
>>
>>
>>
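Review bot: at `if (te != NULL)` the removed early return was also the only guard visible here against a pointer that is not on lpm_list, so a second rte_lpm_free_v20() call on the same lpm, or a call with a stale pointer, now falls through past the unlock to the free path the commit message refers to instead of returning. If a missing te is a legitimate state, say so in a comment above the check and document that the caller must not free the same lpm twice. The diffstat shows only this one function changed (2 insertions, 6 deletions), so any other versioned variant of rte_lpm_free with the same early return needs the same fix.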
> I've just seen you had already posted a series on this topic.
> It looks like some free() calls are missing in lpm.c:
>
> Could you please check my version of the patch (which was not as
> complete as your series)?
> http://dpdk.org/dev/patchwork/patch/11526/
>
> Regards,
> Olivier
>