https://bugs.dpdk.org/show_bug.cgi?id=1551

Bug ID: 1551
Summary: use after free in Sfc driver
Product: DPDK
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: ethdev
Assignee: dev@dpdk.org
Reporter: stephen@networkplumber.org
Target Milestone: ---

If GCC function attributes are added to rte_malloc, then it is able to spot use after free in several places.

1255/2957] Compiling C object drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_flow_rss.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
                 from ../drivers/net/sfc/sfc_flow_rss.c:15:
../drivers/net/sfc/sfc_flow_rss.c: In function ‘sfc_flow_rss_ctx_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘ctx’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:308:9: note: in expansion of macro ‘sfc_dbg’
  308 | sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
      | ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:306:9: note: call to ‘rte_free’ here
  306 | rte_free(ctx);
      | ^~~~~~~~~~~~~

[1262/2957] Compiling C object drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_mae.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
                 from ../drivers/net/sfc/sfc_mae.c:19:
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_encap_header_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘encap_header’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:791:9: note: in expansion of macro ‘sfc_dbg’
  791 | sfc_dbg(sa, "deleted encap_header=%p", encap_header);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:789:9: note: call to ‘rte_free’ here
  789 | rte_free(encap_header);
      | ^~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_mac_addr_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘mac_addr’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:590:9: note: in expansion of macro ‘sfc_dbg’
  590 | sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:588:9: note: call to ‘rte_free’ here
  588 | rte_free(mac_addr);
      | ^~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_outer_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:405:9: note: in expansion of macro ‘sfc_dbg’
  405 | sfc_dbg(sa, "deleted outer_rule=%p", rule);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:403:9: note: call to ‘rte_free’ here
  403 | rte_free(rule);
      | ^~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_counter_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘counter’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:988:9: note: in expansion of macro ‘sfc_dbg’
  988 | sfc_dbg(sa, "deleted counter=%p", counter);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:986:9: note: call to ‘rte_free’ here
  986 | rte_free(counter);
      | ^~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1170:9: note: in expansion of macro ‘sfc_dbg’
 1170 | sfc_dbg(sa, "deleted action_set=%p", action_set);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1168:9: note: call to ‘rte_free’ here
 1168 | rte_free(action_set);
      | ^~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_list_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set_list’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1407:9: note: in expansion of macro ‘sfc_dbg’
 1407 | sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1405:9: note: call to ‘rte_free’ here
 1405 | rte_free(action_set_list);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after ‘rte_free’ [-Wuse-after-free]
   38 | rte_log(level, type, \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 | RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 | _sas->log_prefix, \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 | RTE_FMT_TAIL(__VA_ARGS__,))); \
      | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 | SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG, \
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1672:9: note: in expansion of macro ‘sfc_dbg’
 1672 | sfc_dbg(sa, "deleted action_rule=%p", rule);
      | ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1670:9: note: call to ‘rte_free’ here
 1670 | rte_free(rule);
      | ^~~~~~~~~~~~~~
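
The pattern behind these warnings, reduced to a stand-alone program. This is an added example, not code from the report or from DPDK: demo_malloc, demo_free, demo_ctx and the SHOW_FLAGGED switch are hypothetical stand-ins for rte_malloc, rte_free and the driver objects. It shows the allocator/deallocator attribute pairing that lets GCC track the freed pointer, the free-then-log shape that gets flagged, and one way to reorder it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for rte_free()/rte_malloc(); not DPDK code. */
void demo_free(void *p);
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
/* Pair the allocator with its deallocator (argument 1 is the pointer)
 * so GCC can tell when a pointer it returned has been released. */
#define DEMO_DEALLOC(fn, idx) __attribute__((malloc, malloc(fn, idx)))
#else
#define DEMO_DEALLOC(fn, idx)
#endif
void *demo_malloc(size_t size) DEMO_DEALLOC(demo_free, 1);

void *demo_malloc(size_t size) { return malloc(size); }
void demo_free(void *p) { free(p); }

struct demo_ctx { unsigned int refcnt; };

#ifdef SHOW_FLAGGED
/* Same shape as the *_del functions in the warnings: free first, then
 * hand the pointer value to the logger. Build with GCC 12+ and
 * -Wall -DSHOW_FLAGGED to see -Wuse-after-free fire on this function. */
int demo_ctx_del_flagged(struct demo_ctx *ctx, char *log, size_t len)
{
    demo_free(ctx);
    return snprintf(log, len, "deleted ctx=%p", (void *)ctx);
}
#endif

/* Reordered: format the message while the pointer is still valid,
 * then free. Nothing touches ctx after demo_free(). */
int demo_ctx_del(struct demo_ctx *ctx, char *log, size_t len)
{
    int n = snprintf(log, len, "deleted ctx=%p", (void *)ctx);
    demo_free(ctx);
    return n;
}

int main(void)
{
    char log[64];
    struct demo_ctx *ctx = demo_malloc(sizeof(*ctx));
    if (ctx == NULL)
        return 1;
    demo_ctx_del(ctx, log, sizeof(log));
    puts(log);
    return 0;
}
```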