Bug ID 1551
Summary use after free in Sfc driver
Product DPDK
Version unspecified
Hardware All
OS All
Status UNCONFIRMED
Severity normal
Priority Normal
Component ethdev
Assignee dev@dpdk.org
Reporter stephen@networkplumber.org
Target Milestone ---

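If GCC function attributes are added to rte_malloc, then GCC is able to spot
use-after-free in several places in the sfc driver. In each warning below, the
freed pointer is passed as the %p argument of an sfc_dbg() call placed after
rte_free(); the lines GCC quotes do not dereference it.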

[1255/2957] Compiling C object
drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_flow_rss.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
                 from ../drivers/net/sfc/sfc_flow_rss.c:15:
../drivers/net/sfc/sfc_flow_rss.c: In function ‘sfc_flow_rss_ctx_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘ctx’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:308:9: note: in expansion of macro ‘sfc_dbg’
  308 |         sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
      |         ^~~~~~~
../drivers/net/sfc/sfc_flow_rss.c:306:9: note: call to ‘rte_free’ here
  306 |         rte_free(ctx);
      |         ^~~~~~~~~~~~~
[1262/2957] Compiling C object
drivers/libtmp_rte_net_sfc.a.p/net_sfc_sfc_mae.c.o
In file included from ../drivers/net/sfc/sfc.h:28,
                 from ../drivers/net/sfc/sfc_mae.c:19:
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_encap_header_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘encap_header’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:791:9: note: in expansion of macro ‘sfc_dbg’
  791 |         sfc_dbg(sa, "deleted encap_header=%p", encap_header);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:789:9: note: call to ‘rte_free’ here
  789 |         rte_free(encap_header);
      |         ^~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_mac_addr_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘mac_addr’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:590:9: note: in expansion of macro ‘sfc_dbg’
  590 |         sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:588:9: note: call to ‘rte_free’ here
  588 |         rte_free(mac_addr);
      |         ^~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_outer_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:405:9: note: in expansion of macro ‘sfc_dbg’
  405 |         sfc_dbg(sa, "deleted outer_rule=%p", rule);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:403:9: note: call to ‘rte_free’ here
  403 |         rte_free(rule);
      |         ^~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_counter_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘counter’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:988:9: note: in expansion of macro ‘sfc_dbg’
  988 |         sfc_dbg(sa, "deleted counter=%p", counter);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:986:9: note: call to ‘rte_free’ here
  986 |         rte_free(counter);
      |         ^~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1170:9: note: in expansion of macro ‘sfc_dbg’
 1170 |         sfc_dbg(sa, "deleted action_set=%p", action_set);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1168:9: note: call to ‘rte_free’ here
 1168 |         rte_free(action_set);
      |         ^~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_set_list_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘action_set_list’ used
after ‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1407:9: note: in expansion of macro ‘sfc_dbg’
 1407 |         sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1405:9: note: call to ‘rte_free’ here
 1405 |         rte_free(action_set_list);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_mae.c: In function ‘sfc_mae_action_rule_del’:
../drivers/net/sfc/sfc_log.h:38:17: warning: pointer ‘rule’ used after
‘rte_free’ [-Wuse-after-free]
   38 |                 rte_log(level, type,                                   
\
      |                
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   39 |                         RTE_FMT("%s" RTE_FMT_HEAD(__VA_ARGS__ ,) "\n", 
\
      |                        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   40 |                                 _sas->log_prefix,                      
\
      |                                
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   41 |                                 RTE_FMT_TAIL(__VA_ARGS__,)));          
\
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../drivers/net/sfc/sfc_log.h:80:17: note: in expansion of macro ‘SFC_LOG’
   80 |                 SFC_LOG(_sa->priv.shared, RTE_LOG_DEBUG,               
\
      |                 ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1672:9: note: in expansion of macro ‘sfc_dbg’
 1672 |         sfc_dbg(sa, "deleted action_rule=%p", rule);
      |         ^~~~~~~
../drivers/net/sfc/sfc_mae.c:1670:9: note: call to ‘rte_free’ here
 1670 |         rte_free(rule);
      |         ^~~~~~~~~~~~~~
          

