Date: Tue, 19 May 2020 09:28:42 +0800
From: Ye Xiaolong
To: Wei Zhao
Cc: dev@dpdk.org, stable@dpdk.org, jia.guo@intel.com
Message-ID: <20200519012842.GA37127@intel.com>
In-Reply-To: <20200518080051.36318-1-wei.zhao1@intel.com>
Subject: Re: [dpdk-stable] [PATCH v5] net/i40e: fix the core dump risk of wild pointer operation

On 05/18, Wei Zhao wrote:
>In i40e PMD code of function i40e_res_pool_free(), if valid_entry
>is freed by "rte_free(valid_entry);" in the code, then the following
>code for pool update may still use the wild pointer "valid_entry"
>for pool info update. It seems to have the risk of core dump for
>using wild pointer operation, we should avoid this risk.
>
>Cc: stable@dpdk.org
>Fixes: 4861cde46116 ("i40e: new poll mode driver")
>
>Signed-off-by: Wei Zhao
>
>---
>
>v2:
>update commit log
>
>v3:
>set free pointer to NULL
>
>v4:
>change code style
>
>v5:
>fix an issue in v4
>---
> drivers/net/i40e/i40e_ethdev.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
>diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c >index 749d85f54..00bb05179 100644 >--- a/drivers/net/i40e/i40e_ethdev.c >+++ b/drivers/net/i40e/i40e_ethdev.c >@@ -4935,6 +4935,7 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, > { > struct pool_entry *entry, *next, *prev, *valid_entry = NULL; > uint32_t pool_offset; >+ uint16_t len; > int insert; > > if (pool == NULL) { 
>@@ -4973,12 +4974,13 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, > } > > insert = 0; >+ len = valid_entry->len; > /* Try to merge with next one*/ > if (next != NULL) { > /* Merge with next one */ >- if (valid_entry->base + valid_entry->len == next->base) { >+ if (valid_entry->base + len == next->base) { > next->base = valid_entry->base; >- next->len += valid_entry->len; >+ next->len += len; > rte_free(valid_entry); > valid_entry = next; > insert = 1; >@@ -4988,13 +4990,15 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, > if (prev != NULL) { > /* Merge with previous one */ > if (prev->base + prev->len == valid_entry->base) { >- prev->len += valid_entry->len; >+ prev->len += len; > /* If it merge with next one, remove next node */ > if (insert == 1) { > LIST_REMOVE(valid_entry, next); > rte_free(valid_entry); >+ valid_entry = NULL; > } else { > rte_free(valid_entry); >+ valid_entry = NULL; > insert = 1; > } > } >@@ -5010,8 +5014,8 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, > LIST_INSERT_HEAD(&pool->free_list, valid_entry, next); > } > >- pool->num_free += valid_entry->len; >- pool->num_alloc -= valid_entry->len; >+ pool->num_free += len; >+ pool->num_alloc -= len; > > return 0; > } >-- >2.19.1 > Reviewed-by: Xiaolong Ye Applied to dpdk-next-net-intel, Thanks.
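
Review bot: the snapshot `len = valid_entry->len;` at the top of the @@ -4973,12 +4974,13 @@ hunk needs a comment saying what it represents, because a few lines later `valid_entry = next;` makes valid_entry refer to a different entry whose len has just been grown by `next->len += len;`. From that point `len` and `valid_entry->len` are no longer the same quantity. A one-line comment at the assignment stating that len is the size of the block being returned to the pool (the value used for the num_free/num_alloc accounting) would keep later readers from treating the two as interchangeable.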
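
Review bot: in the @@ -4988,13 +4990,15 @@ hunk, `prev->len += len;` under-counts when the merge with the next entry has already happened (insert == 1). In that path valid_entry points at next, whose len already includes the freed block through `next->len += len;`, and that node is then unlinked and freed, so prev has to absorb the whole merged length rather than only the length of the freed block. With `len` here, the range that used to belong to next drops out of the free list while pool->num_free still counts it. The removed line `prev->len += valid_entry->len;` read the field before either rte_free() call in this block, so it was not one of the stale reads the commit message describes. Suggest keeping `prev->len += valid_entry->len;` at this spot and using the saved `len` only for the `pool->num_free` / `pool->num_alloc` update at the end of the function.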