From: Slava Ovsiienko <viacheslavo@nvidia.com>
To: wangyunjian <wangyunjian@huawei.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: Matan Azrad <matan@nvidia.com>,
Raslan Darawsheh <rasland@nvidia.com>,
Dmitry Kozlyuk <dkozlyuk@nvidia.com>,
Huangshaozhang <huangshaozhang@huawei.com>,
"stable@dpdk.org" <stable@dpdk.org>
Subject: RE: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues
Date: Mon, 26 Sep 2022 12:30:21 +0000 [thread overview]
Message-ID: <DM6PR12MB37536FEE8BCEA8B652257C4ADF529@DM6PR12MB3753.namprd12.prod.outlook.com> (raw)
In-Reply-To: <d4f7bef9573a421ab1a80c1b9a5c2fa7@huawei.com>
Hi, Yunjian
Could you, please, tell more details about problematic scenario?
In bonding slave? It is not fully clean for me how mlx5_txq_release
frees priv->txqs[idx] (BTW NULL is OK to free, it is safe).
We have check for NULL here:
> > - if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL)
priv->txq is internal objects managed by PMD, dev->data->tx_queues
are DPDK-wide ones. Theoretically it might happen when DPDK objects
are created and internals are not, and vice versa. So, checking
for existence of external objects in the routine that manages internals
does not look so reasonable. Internal queue object management is based
on the atomic reference counter and, generally speaking, should not depend
on externals.
With best regards,
Slava
> -----Original Message-----
> From: wangyunjian <wangyunjian@huawei.com>
> Sent: Friday, September 23, 2022 12:32
> To: dev@dpdk.org
> Cc: Matan Azrad <matan@nvidia.com>; Raslan Darawsheh <rasland@nvidia.com>;
> Slava Ovsiienko <viacheslavo@nvidia.com>; Dmitry Kozlyuk
> <dkozlyuk@nvidia.com>; Huangshaozhang <huangshaozhang@huawei.com>;
> stable@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when
> releasing tx queues
>
> Friendly ping.
>
> > -----Original Message-----
> > From: wangyunjian
> > Sent: Tuesday, August 23, 2022 2:46 PM
> > To: dev@dpdk.org
> > Cc: matan@nvidia.com; rasland@nvidia.com; viacheslavo@nvidia.com;
> > dkozlyuk@nvidia.com; Huangshaozhang <huangshaozhang@huawei.com>;
> > wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> > Subject: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when
> > releasing tx queues
> >
> > The bonding slave remove function was calling the
> > eth_dev_tx_queue_config function, which frees dev->data->tx_queues,
> > and then tries to free
> > priv->txqs[idx] in mlx5_txq_release function, which causes the heap
> > priv->use
> > after free issue. Add checks whether dev->data->tx_queues is not NULL.
> >
> > Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> > ---
> > drivers/net/mlx5/mlx5_txq.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c
> > index
> > 0140f8b3b2..cb2c33a060 100644
> > --- a/drivers/net/mlx5/mlx5_txq.c
> > +++ b/drivers/net/mlx5/mlx5_txq.c
> > @@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev,
> > uint16_t
> > idx)
> > struct mlx5_priv *priv = dev->data->dev_private;
> > struct mlx5_txq_ctrl *txq_ctrl;
> >
> > - if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL)
> > + if (dev->data->tx_queues == NULL || priv->txqs == NULL ||
> > + (*priv->txqs)[idx] == NULL)
> > return 0;
> > txq_ctrl = container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl,
> txq);
> > if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1)
> > --
> > 2.27.0
next prev parent reply other threads:[~2022-09-26 12:30 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-03 13:15 [dpdk-dev] [PATCH 0/2] fixes for mlx5 Yunjian Wang
2022-08-03 13:16 ` [dpdk-dev] [PATCH 1/2] net/mlx5: fix use after free when releasing tx queues Yunjian Wang
2022-08-03 13:16 ` [dpdk-dev] [PATCH 2/2] net/mlx5: fix resource leak when releasing a drop action Yunjian Wang
2022-08-23 6:45 ` [dpdk-dev] [PATCH v2 0/2] fixes for mlx5 Yunjian Wang
2022-08-23 6:45 ` [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues Yunjian Wang
2022-09-23 9:31 ` wangyunjian
2022-09-26 12:30 ` Slava Ovsiienko [this message]
2022-08-23 6:46 ` [dpdk-dev] [PATCH v2 2/2] net/mlx5: fix resource leak when releasing a drop action Yunjian Wang
2022-09-23 9:31 ` wangyunjian
2022-09-26 19:35 ` Slava Ovsiienko
2022-09-29 1:51 ` wangyunjian
2022-09-01 9:20 ` [dpdk-dev] [PATCH v2 0/2] fixes for mlx5 wangyunjian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DM6PR12MB37536FEE8BCEA8B652257C4ADF529@DM6PR12MB3753.namprd12.prod.outlook.com \
--to=viacheslavo@nvidia.com \
--cc=dev@dpdk.org \
--cc=dkozlyuk@nvidia.com \
--cc=huangshaozhang@huawei.com \
--cc=matan@nvidia.com \
--cc=rasland@nvidia.com \
--cc=stable@dpdk.org \
--cc=wangyunjian@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).