* [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free [not found] <20240927204742.546164-1-stephen@networkplumber.org> @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (16 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde, Raveendra Padasalagi, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: vikas.gupta@broadcom.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
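Review bot: the subject prefix "cryptodev/bcmfs:" does not match the driver path drivers/crypto/bcmfs/ or the prefix of the commit named in the Fixes line ("crypto/bcmfs:"); please use "crypto/bcmfs:" so the fix sorts with the rest of the driver's history. Both hunks replace free(fsdev) with rte_free(fsdev), which agrees with the commit message, though the rte_malloc() call it refers to is outside the context shown.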
* [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup [not found] <20240927204742.546164-1-stephen@networkplumber.org> 2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (15 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
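Review bot: the subject says "dma/ixd" but the file touched is drivers/dma/idxd/idxd_pci.c and the Fixes line uses "dma/idxd", so the prefix looks like a typo for "dma/idxd:". The one-line change at the err: label of init_pci_device() is consistent with the commit message; naming that function in the message would help whoever backports it.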
* [PATCH 05/16] event/cnxk: fix pointer mismatch in cleanup [not found] <20240927204742.546164-1-stephen@networkplumber.org> 2024-09-27 20:45 ` [PATCH 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-09-27 20:45 ` [PATCH 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger ` (14 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
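Review bot: in the hws_fini loop the removed line freed cnxk_sso_hws_get_cookie(event_dev->data->ports[i]) and the new code frees ports[i] itself, so the two versions hand different addresses to rte_free() and only one of them can be the pointer rte_malloc() returned. The allocation is not in the hunk context; please quote it in the commit message, or show that the cookie helper does not step back to the start of the allocation, so it is clear the new pointer is the right one.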
* [PATCH 06/16] examples/vhost: fix free function mismatch [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger ` (13 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: jin.yu@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
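Review bot: the subject prefix "examples/vhost:" should be "examples/vhost_blk:" to match the path examples/vhost_blk/vhost_blk.c and the prefix in the Fixes line. In the commit message, "which will lead pool corruption" is missing "to". The change to rte_free(bdev) in the !bdev->data branch is otherwise what the message describes.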
* [PATCH 07/16] net/cnxk: fix use-after-free [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 06/16] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger ` (12 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
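Review bot: the commit message says the mempool object was referenced after it was freed but does not say where; the hunk shows it is the read of hp->pool_config in plt_free(hp->pool_config), which used to follow rte_mempool_free(hp). Naming that expression in the message would make the fix easier to verify when it is picked up for stable.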
* [PATCH 08/16] bpf: fix free mismatch if convert fails [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 07/16] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger ` (11 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
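Review bot: "cBF" in the commit message should read "cBPF", as in the log string visible in the hunk ("cannot convert cBPF to eBPF"). The message also says the object is allocated with rte_malloc() while the quoted GCC note points at rte_zmalloc("bpf_filter", ...); using the same name in both places avoids confusion. The change to rte_free(prm) agrees with the quoted -Wmismatched-dealloc diagnostic.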
* [PATCH 09/16] net/e1000: fix use-after-free [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger ` (10 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: wei.zhao1@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
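Review bot: in both igb_delete_2tuple_filter() and igb_delete_5tuple_filter_82576() the fix relies on rte_free(filter) staying the last statement before return 0, which is easy to break again the next time a register write is added. Copying filter->index into a local before TAILQ_REMOVE() and using that local in the E1000_WRITE_REG() calls would make the position of the free irrelevant.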
* [PATCH 11/16] net/cpfl: fix free of nonheap object [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 09/16] net/e1000: fix use-after-free Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger ` (9 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
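Review bot: with rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() is left with nothing but return -EINVAL;, so the label and the gotos that reach it can be replaced by direct returns. That also removes the place where a wrong free could be reintroduced.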
* [PATCH 12/16] raw/ifpga/base: fix use after free [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger 2024-09-27 20:45 ` [PATCH 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger ` (8 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: tianfei.zhang@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
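Review bot: max10_sensor_uinit() empties the whole list, so the loop can be written as while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) around the existing TAILQ_REMOVE() and opae_free() calls. That fixes the same use after free without the extra next variable and without adding a local TAILQ_FOREACH_SAFE fallback to this file.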
* [PATCH 14/16] drivers/ifpga: fix free function mismatch [not found] <20240927204742.546164-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-09-27 20:45 ` [PATCH 12/16] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-09-27 20:45 ` Stephen Hemminger [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (7 subsequent siblings) 17 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-27 20:45 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
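Review bot: intr_efds is released on all three exits of ifpga_register_msix_irq() shown in these hunks (both -EINVAL paths and the success path), which is why the patch has to change three identical calls. A single exit label that calls rte_free(intr_efds) once, with ret set to -EINVAL or 0 before the jump, would leave only one place where the allocator and the free have to match.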
[parent not found: <20240928164814.861933-1-stephen@networkplumber.org>]
* [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (8 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde, Raveendra Padasalagi, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: vikas.gupta@broadcom.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
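Review bot: fsdev_release() unlinks the device with TAILQ_REMOVE(&fsdev_list, fsdev, next) before freeing it, while the cleanup: label in fsdev_allocate_one_dev() frees fsdev directly. The hunk context does not show whether any goto cleanup can run after the device has been inserted into fsdev_list; if one can, the list would keep a pointer to freed memory, so please confirm the insertion happens only after the last failure point.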
* [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> 2024-09-28 16:47 ` [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (7 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v2 05/16] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> 2024-09-28 16:47 ` [PATCH v2 03/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 04/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 06/16] examples/vhost: fix free function mismatch Stephen Hemminger ` (6 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
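Review bot: the hunk also starts setting event_dev->data->ports[i] to NULL before the free, which the commit message does not mention. That is a change to the error path in its own right, since later teardown code will no longer see the stale pointer, so please describe it in the message.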
* [PATCH v2 06/16] examples/vhost: fix free function mismatch [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 05/16] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 07/16] net/cnxk: fix use-after-free Stephen Hemminger ` (5 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: jin.yu@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
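Review bot: not a problem with the one-line change, but the first context line of the hunk passes blk_cnt * blk_size straight to rte_zmalloc(), and this error path is only reached when that allocation fails. It is worth checking in a follow-up that the product cannot wrap for the sizes the sample accepts, since a wrapped size would make the allocation succeed with a smaller buffer than the caller expects.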
* [PATCH v2 07/16] net/cnxk: fix use-after-free [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 06/16] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger ` (4 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
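Review bot: after the reorder the hunk releases hp->pool_config with plt_free() and hp with rte_mempool_free(). Given that the rest of this series is about allocator and free mismatches, please confirm that pool_config is allocated through the matching plt_ allocator; its allocation is not in the context shown.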
* [PATCH v2 08/16] bpf: fix free mismatch if convert fails [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 07/16] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 09/16] net/e1000: fix use-after-free Stephen Hemminger ` (3 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v2 09/16] net/e1000: fix use-after-free [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 08/16] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger ` (2 subsequent siblings) 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: wei.zhao1@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v2 11/16] net/cpfl: fix free of nonheap object [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 09/16] net/e1000: fix use-after-free Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 13/16] raw/ifpga/base: fix use after free Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 15/16] drivers/ifpga: fix free function mismatch Stephen Hemminger 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
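Review bot: the quoted warning says js_mod->layout sits at a nonzero offset inside *parser.modifications, so dropping the free is right for that member, but the commit message does not say who releases the enclosing object when cpfl_flow_js_mr_layout() returns -EINVAL. A sentence naming the owner (the inlining chain in the warning ends at cpfl_parser_create()) would show that the error path does not leak.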
* [PATCH v2 13/16] raw/ifpga/base: fix use after free [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 11/16] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 2024-09-28 16:47 ` [PATCH v2 15/16] drivers/ifpga: fix free function mismatch Stephen Hemminger 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: tianfei.zhang@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
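Review bot: The loop in max10_sensor_uinit removes every entry, so it does not need a safe iterator at all. A drain loop such as `while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL)` around the existing TAILQ_REMOVE and opae_free would avoid both the extra `next` variable and the locally defined TAILQ_FOREACH_SAFE fallback.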
* [PATCH v2 15/16] drivers/ifpga: fix free function mismatch [not found] ` <20240928164814.861933-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-09-28 16:47 ` [PATCH v2 13/16] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-09-28 16:47 ` Stephen Hemminger 9 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-28 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
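Review bot: ifpga_register_msix_irq now carries three separate `rte_free(intr_efds)` calls, one per exit (the two -EINVAL returns and the success return). A single exit label that frees intr_efds and returns a status variable would keep the allocator pairing in one place, which guards against the kind of drift this patch is correcting.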
[parent not found: <20240929154107.62539-1-stephen@networkplumber.org>]
* [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, vikas.gupta, stable, Ajit Khaparde, Raveendra Padasalagi, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: vikas.gupta@broadcom.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
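Review bot: The cleanup: path in fsdev_allocate_one_dev frees fsdev without the TAILQ_REMOVE that fsdev_release performs in the second hunk. Please confirm that no `goto cleanup` can run after fsdev has been linked into fsdev_list; otherwise the list keeps a pointer to freed memory and the path needs the same removal before `rte_free(fsdev)`.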
* [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> 2024-09-29 15:34 ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
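Review bot: At the err: label in init_pci_device, `rte_free(pci)` is only safe for early failures if pci starts out as NULL. The declaration is outside the hunk, so please check that any `goto err` taken before the allocation sees a NULL pci rather than an uninitialised pointer.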
* [PATCH v3 04/18] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> 2024-09-29 15:34 ` [PATCH v3 02/18] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 03/18] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
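Review bot: In the hws_fini loop the new `rte_free(ws)` drops the cnxk_sso_hws_get_cookie() conversion in addition to fixing the read of ports[i] after it was set to NULL. The allocation site is not part of this hunk, so it needs confirming that ports[i] holds the pointer rte_malloc returned; if the port pointer sits past a cookie header, the call should be `rte_free(cnxk_sso_hws_get_cookie(ws))`, otherwise rte_free receives an interior pointer.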
* [PATCH v3 05/18] examples/vhost: fix free function mismatch [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 04/18] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-30 9:16 ` fengchengwen 2024-09-29 15:34 ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, jin.yu, stable, Maxime Coquelin, Chenbo Xia The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: jin.yu@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
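Review bot: The context line `bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0);` in vhost_blk_bdev_construct multiplies without an overflow check. The operand types are not visible here, so please check that the product cannot wrap before it reaches rte_zmalloc; a wrapped size would give a disk buffer smaller than blk_cnt blocks. This can go in a follow-up if it is out of scope for the free() fix.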
* Re: [PATCH v3 05/18] examples/vhost: fix free function mismatch 2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-09-30 9:16 ` fengchengwen 0 siblings, 0 replies; 107+ messages in thread From: fengchengwen @ 2024-09-30 9:16 UTC (permalink / raw) To: Stephen Hemminger, dev; +Cc: jin.yu, stable, Maxime Coquelin, Chenbo Xia Acked-by: Chengwen Feng <fengchengwen@huawei.com> On 2024/9/29 23:34, Stephen Hemminger wrote: > The pointer bdev is allocated with rte_zmalloc() and then > incorrectly freed with free() which will lead pool corruption. > > Bugzilla ID: 1553 > Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") > Cc: jin.yu@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v3 06/18] net/cnxk: fix use-after-free [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 05/18] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
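Review bot: In cnxk_nix_inl_custom_meta_pool_cb, `plt_free(hp->pool_config)` now leaves hp->pool_config dangling while `rte_mempool_free(hp)` runs. If the mempool free path can read pool_config, set `hp->pool_config = NULL;` between the two calls so the reordering does not trade one stale access for another.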
* [PATCH v3 07/18] bpf: fix free mismatch if convert fails [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 06/18] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
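Review bot: The API comment for rte_bpf_convert should state that the returned program has to be released with rte_free(), which this `rte_free(prm)` error path now does internally. The warning quoted in the commit message shows prm comes from rte_zmalloc, and callers can make the same free() mistake on the success path.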
* [PATCH v3 08/18] net/e1000: fix use-after-free [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 07/18] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wei.zhao1, stable The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: wei.zhao1@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
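Review bot: In igb_delete_2tuple_filter and igb_delete_5tuple_filter_82576 the fix depends on `rte_free(filter)` staying below the last E1000_WRITE_REG that reads filter->index. Copying filter->index into a local before the register writes would make the position of the free irrelevant and is harder to regress; at minimum add a comment above the free saying why it comes last.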
* [PATCH v3 10/18] net/cpfl: fix free of nonheap object [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 08/18] net/e1000: fix use-after-free Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
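Review bot: Nothing at the err: label in cpfl_flow_js_mr_layout now says why js_mod->layout is left alone. A one-line comment that layout is storage inside another object and not a separate allocation, as the commit message explains, would keep a later cleanup pass from adding the rte_free back.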
* [PATCH v3 12/18] raw/ifpga/base: fix use after free [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 10/18] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, tianfei.zhang, stable, Rosen Xu, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: tianfei.zhang@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
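Review bot: The TAILQ_FOREACH_SAFE fallback in the first hunk is defined inside opae_intel_max10.c, so any other file in the base code that needs it will have to copy it. Moving the `#ifndef TAILQ_FOREACH_SAFE` block into opae_osdep.h, which this file already includes, keeps one definition for the driver.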
* [PATCH v3 14/18] drivers/ifpga: fix free function mismatch [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 12/18] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand, Hyong Youb Kim The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
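Review bot: The commit message calls the switch to `rte_calloc("ifpga_efds", ...)` a workaround, and the cause it names, malloc and free being redefined to opae_malloc and opae_free, is untouched by these hunks. Any other buffer in the driver that meets the redefined free remains exposed to the same mismatch, so either remove the redefinition in a follow-up patch or say in the message that one is planned.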
* [PATCH v3 15/18] baseband/la12xx: prevent use after free [not found] ` <20240929154107.62539-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-09-29 15:34 ` [PATCH v3 14/18] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-09-29 15:34 ` Stephen Hemminger 2024-09-30 8:25 ` Hemant Agrawal 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-09-29 15:34 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hemant.agrawal, stable, Gagandeep Singh, Nipun Gupta, Nicolas Chautru, Akhil Goyal It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: hemant.agrawal@nxp.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index 1a56e73abd..cad6f9490e 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
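Review bot: Setting `hp = NULL;` after `rte_free(hp)` in setup_la12xx_dev only helps if the later path at line 901 does nothing with hp except free it. Please confirm that nothing between the two sites dereferences hp, since after this change that would be a NULL dereference in place of the double free the warning reports.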
* Re: [PATCH v3 15/18] baseband/la12xx: prevent use after free 2024-09-29 15:34 ` [PATCH v3 15/18] baseband/la12xx: prevent use after free Stephen Hemminger @ 2024-09-30 8:25 ` Hemant Agrawal 0 siblings, 0 replies; 107+ messages in thread From: Hemant Agrawal @ 2024-09-30 8:25 UTC (permalink / raw) To: Stephen Hemminger, dev Cc: hemant.agrawal, stable, Gagandeep Singh, Nipun Gupta, Nicolas Chautru, Akhil Goyal On 29-09-2024 21:04, Stephen Hemminger wrote: > It is possible that the info pointer (hp) could get freed twice. > Fix by nulling after free. > > In function 'setup_la12xx_dev', > inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, > inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: > ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] > 901 | rte_free(hp); > | ^~~~~~~~~~~~ > ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here > 791 | rte_free(hp); > | ^~~~~~~~~~~~ > > Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") > Cc: hemant.agrawal@nxp.com > Cc: stable@dpdk.org > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > --- > drivers/baseband/la12xx/bbdev_la12xx.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c > index 1a56e73abd..cad6f9490e 100644 > --- a/drivers/baseband/la12xx/bbdev_la12xx.c > +++ b/drivers/baseband/la12xx/bbdev_la12xx.c > @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) > ipc_priv->hugepg_start.size = hp->len; > > rte_free(hp); > + hp = NULL; > } > > dev_ipc = open_ipc_dev(priv->modem_id); Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> ^ permalink raw reply [flat|nested] 107+ messages in thread
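Review bot: The subject says use after free, which follows the name of the GCC warning, but what the body and the quoted diagnostic describe is `rte_free(hp)` being reached twice, at lines 791 and 901. Calling it a double free in the subject would match what the added `hp = NULL;` actually addresses and makes the fix easier to find in the log.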
[parent not found: <20240930184600.7092-1-stephen@networkplumber.org>]
* [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> @ 2024-09-30 18:43 ` Stephen Hemminger 2024-09-30 20:06 ` Ajit Khaparde 2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
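Review bot: fsdev_release in the second hunk unlinks and frees fsdev, but its callers still hold the pointer and the bare `return;` shows the function gives them no status. A short comment on the function stating that fsdev is invalid after the call would document that ownership next to the `rte_free(fsdev)`.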
* Re: [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free 2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-09-30 20:06 ` Ajit Khaparde 0 siblings, 0 replies; 107+ messages in thread From: Ajit Khaparde @ 2024-09-30 20:06 UTC (permalink / raw) To: Stephen Hemminger Cc: dev, stable, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal [-- Attachment #1: Type: text/plain, Size: 1242 bytes --] On Mon, Sep 30, 2024 at 11:46 AM Stephen Hemminger <stephen@networkplumber.org> wrote: > > The device structure is allocated with rte_malloc() and > then incorrectly freed with free(). This will lead to > corrupt malloc pool. > > Bugzilla ID: 1552 > Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> > --- > drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c > index ada7ba342c..46522970d5 100644 > --- a/drivers/crypto/bcmfs/bcmfs_device.c > +++ b/drivers/crypto/bcmfs/bcmfs_device.c > @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, > return fsdev; > > cleanup: > - free(fsdev); > + rte_free(fsdev); > > return NULL; > } > @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) > return; > > TAILQ_REMOVE(&fsdev_list, fsdev, next); > - free(fsdev); > + rte_free(fsdev); > } > > static int > -- > 2.45.2 > [-- Attachment #2: S/MIME Cryptographic Signature --] [-- Type: application/pkcs7-signature, Size: 4218 bytes --] ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> 2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-09-30 18:43 ` Stephen Hemminger 2024-10-01 12:41 ` Bruce Richardson 2024-09-30 18:43 ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
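Review bot: The subject prefix for this one-line change at err: reads dma/ixd, while the file is drivers/dma/idxd/idxd_pci.c and the Fixes line uses dma/idxd. Correct the prefix to dma/idxd so the fix is found when the log is searched by driver name.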
* Re: [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup 2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-01 12:41 ` Bruce Richardson 0 siblings, 0 replies; 107+ messages in thread From: Bruce Richardson @ 2024-10-01 12:41 UTC (permalink / raw) To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh On Mon, Sep 30, 2024 at 11:43:57AM -0700, Stephen Hemminger wrote: > The data structure is allocated with rte_malloc and incorrectly > freed in cleanup logic using free. > > Bugzilla ID: 1549 > Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") > Cc: kevin.laatz@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> > --- > drivers/dma/idxd/idxd_pci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c > index 81637d9420..f89e2b41ff 100644 > --- a/drivers/dma/idxd/idxd_pci.c > +++ b/drivers/dma/idxd/idxd_pci.c > @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, > return nb_wqs; > > err: > - free(pci); > + rte_free(pci); > return err_code; > } > > -- > 2.45.2 > ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v4 04/17] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> 2024-09-30 18:43 ` [PATCH v4 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-09-30 18:43 ` [PATCH v4 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-09-30 18:43 ` Stephen Hemminger 2024-09-30 18:43 ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
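Review bot: The commit message should mention the ordering bug that the hws_fini hunk fixes: the old line read event_dev->data->ports[i] after the preceding statement had set it to NULL, so rte_free was handed a value derived from NULL. Only the offset is described at present, and the ordering is what matters when judging the impact for stable backports.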
* [PATCH v4 05/17] examples/vhost: fix free function mismatch [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-09-30 18:43 ` [PATCH v4 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-09-30 18:43 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:43 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
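Review bot: the rte_zmalloc(NULL, blk_cnt * blk_size, 0) call in the context line just above the changed rte_free(bdev) multiplies two values with no overflow check in the visible lines; if the product can wrap, bdev->data ends up smaller than the disk it is supposed to back. That is outside what this patch sets out to fix, but since this error path is being touched anyway, a follow-up that validates the product before allocating would be worthwhile.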
* [PATCH v4 06/17] net/cnxk: fix use-after-free [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-09-30 18:43 ` [PATCH v4 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
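Review bot: the reordered pair plt_free(hp->pool_config); rte_mempool_free(hp); depends on hp->pool_config being read before the pool is released, and nothing in the code says so. A one-line comment above the two calls would keep a later cleanup from swapping them back.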
* [PATCH v4 07/17] bpf: fix free mismatch if convert fails [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 06/17] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
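Review bot: the commit message quotes the -Wmismatched-dealloc output for the free(prm) on the ret < 0 branch but does not say what makes GCC emit it, whereas the net/cpfl patch in this series notes that the warning appears "with proper annotation". Adding the same one-line note here, and trimming the "[908/3201] Compiling C object" progress prefix, would make the message easier to reproduce from.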
* [PATCH v4 08/17] net/e1000: fix use-after-free [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
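Review bot: the commit message says "driver cleanup code", but the hunks are in igb_delete_2tuple_filter() and igb_delete_5tuple_filter_82576(), which are the filter delete paths; naming the two functions would help anyone backporting this. In both, the relocated rte_free(filter) now follows the last E1000_WRITE_REG() that reads filter->index, so the ordering itself looks right.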
* [PATCH v4 10/17] net/cpfl: fix free of nonheap object [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 08/17] net/e1000: fix use-after-free Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
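Review bot: after this hunk the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL;, so the label no longer earns its place. Replacing the jumps to err with direct return -EINVAL; statements and deleting the label would make it obvious that this function owns no memory to release on failure.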
* [PATCH v4 12/17] raw/ifpga/base: fix use after free [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
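Review bot: the private TAILQ_FOREACH_SAFE definition added at the top of opae_intel_max10.c serves only the one loop in max10_sensor_uinit(), which removes every element. Draining the list with while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL), followed by the existing TAILQ_REMOVE() and opae_free(info), avoids both the macro and the extra next variable. If the macro is kept, opae_osdep.h, which this file already includes, looks like a better home for it than a single .c file.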
* [PATCH v4 14/17] drivers/ifpga: fix free function mismatch [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 12/17] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 2024-09-30 18:44 ` [PATCH v4 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
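Review bot: nb_intr from rte_intr_nb_intr_get(*intr_handle) goes straight into rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0) as the element count, with no check in the visible lines that it is positive. Since the allocation line is being rewritten anyway, a guard that returns an error when nb_intr <= 0 before the rte_calloc() call would be cheap to add.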
* [PATCH v4 15/17] baseband/la12xx: prevent use after free [not found] ` <20240930184600.7092-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-09-30 18:44 ` [PATCH v4 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-09-30 18:44 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-09-30 18:44 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Nicolas Chautru, Nipun Gupta, Akhil Goyal It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index 1a56e73abd..cad6f9490e 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
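Review bot: the subject says "prevent use after free" while the message body describes hp being freed twice, and the quoted GCC output reports -Werror=use-after-free on the second rte_free(hp) at line 901; the message should settle on one description. The added hp = NULL; only helps if that later rte_free(hp) is the sole remaining use, so please confirm that nothing else in setup_la12xx_dev() reads hp after this block.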
* [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
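Review bot: the subject prefix cryptodev/bcmfs differs from the crypto/bcmfs prefix of the commit named in the Fixes line and from the drivers/crypto/bcmfs path being changed; using crypto/bcmfs would keep the log consistent. The two rte_free(fsdev) changes, at the cleanup: label and in fsdev_release(), match the rte_malloc() allocation the message describes.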
* [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> 2024-10-01 16:35 ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 17:04 ` Bruce Richardson 2024-10-01 16:35 ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
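Review bot: the subject prefix reads dma/ixd, but the file is drivers/dma/idxd/idxd_pci.c and the Fixes line uses dma/idxd; the typo has carried over from the earlier revisions and should be corrected before merge. The commit message could also state the consequence of the mismatch, as the bcmfs patch in this series does for the same free() on rte_malloc() memory.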
* Re: [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup 2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-01 17:04 ` Bruce Richardson 0 siblings, 0 replies; 107+ messages in thread From: Bruce Richardson @ 2024-10-01 17:04 UTC (permalink / raw) To: Stephen Hemminger; +Cc: dev, kevin.laatz, stable, Conor Walsh On Tue, Oct 01, 2024 at 09:35:26AM -0700, Stephen Hemminger wrote: > The data structure is allocated with rte_malloc and incorrectly > freed in cleanup logic using free. > > Bugzilla ID: 1549 > Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") > Cc: kevin.laatz@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> From previous revision: Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 04/17] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> 2024-10-01 16:35 ` [PATCH v5 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
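Review bot: the commit message does not mention the ordering problem visible in the hws_fini context lines, where event_dev->data->ports[i] = NULL; ran before the removed rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])), so the helper was always given a NULL entry. Saying so in the message would explain why the new ws local is read before the entry is cleared.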
* [PATCH v5 05/17] examples/vhost: fix free function mismatch [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
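Review bot: the subject prefix examples/vhost does not match the file being changed, examples/vhost_blk/vhost_blk.c, nor the examples/vhost_blk prefix of the commit named in the Fixes line. Using examples/vhost_blk would keep the fix attached to the right sample when the log is searched by prefix.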
* [PATCH v5 06/17] net/cnxk: fix use-after-free [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 07/17] bpf: fix free mismatch if convert fails [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 06/17] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 08/17] net/e1000: fix use-after-free [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 10/17] net/cpfl: fix free of nonheap object [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 08/17] net/e1000: fix use-after-free Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 12/17] raw/ifpga/base: fix use after free [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v5 14/17] drivers/ifpga: fix free function mismatch [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 12/17] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 2024-10-01 16:35 ` [PATCH v5 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
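Review bot: switching the allocation in ifpga_register_msix_irq() to rte_calloc() fixes this one array, but the commit message names the cause as the driver redefining malloc to opae_malloc and free to opae_free, and that redefinition is untouched here. Any other calloc() in a file that sees the redefinition can end up paired with the wrong free in the same way, so either a follow-up that removes the redefinition or a comment at this allocation saying why rte_calloc() is required would keep the mismatch from coming back.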
* [PATCH v5 15/17] baseband/la12xx: prevent use after free [not found] ` <20241001163708.355128-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-10-01 16:35 ` [PATCH v5 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-10-01 16:35 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-01 16:35 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Nipun Gupta, Akhil Goyal, Nicolas Chautru It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index 1a56e73abd..cad6f9490e 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
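Review bot: the hp = NULL added after rte_free(hp) at line 791 only helps because the later rte_free(hp) at line 901, shown in the quoted compiler output, is then called with NULL, which rte_free() treats as a no-op. That dependency is not visible at the hunk itself, so a one-line comment next to the assignment saying that the later path frees hp again would stop the assignment being removed as dead code.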
[parent not found: <20241002154429.64357-1-stephen@networkplumber.org>]
* [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Raveendra Padasalagi, Vikas Gupta, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
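Review bot: neither hunk shows where fsdev is allocated, so the rte_malloc() pairing for the cleanup: path in fsdev_allocate_one_dev() and for fsdev_release() rests on the commit message alone. Quoting the allocating line or the compiler warning in the message, as the bpf patch in this series does, would let a reviewer confirm that both rte_free(fsdev) calls match the allocator without opening the file.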
* [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> 2024-10-02 15:42 ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
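Review bot: the subject prefix reads "dma/ixd" while the file changed is drivers/dma/idxd/idxd_pci.c and the Fixes tag uses "dma/idxd", so the prefix should be "dma/idxd" to keep the patch findable by component. On the code side, the allocation of pci is outside the context of the err: hunk in init_pci_device(), so the rte_malloc pairing for the new rte_free(pci) rests on the commit message.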
* [PATCH v6 04/17] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> 2024-10-02 15:42 ` [PATCH v6 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
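Review bot: freeing ws in the hws_fini: loop instead of cnxk_sso_hws_get_cookie(event_dev->data->ports[i]) changes the address handed to rte_free(), and the allocation is not in the hunk, so it cannot be confirmed from the patch that ports[i] rather than the cookie address is what the allocator returned. Saving the pointer before the entry is set to NULL is a sound ordering fix on its own, since the removed line read ports[i] after the context line above it had cleared it; the message should quote the allocating call to justify dropping the cookie lookup.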
* [PATCH v6 05/17] examples/vhost: fix free function mismatch [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead to pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
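Review bot: the context line just above the fix in vhost_blk_bdev_construct() sizes the disk buffer as blk_cnt * blk_size with no bound visible on either operand, and if both can be set large the product can wrap before it reaches rte_zmalloc(). That is outside what this patch sets out to fix, but since the function is being touched it is worth checking the operand types and ranges, or sending a separate patch that validates them before the allocation.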
* [PATCH v6 06/17] net/cnxk: fix use-after-free [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
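Review bot: the corrected order in cnxk_nix_inl_custom_meta_pool_cb(), plt_free(hp->pool_config) before rte_mempool_free(hp), has nothing at the call site to say why it matters, so a later cleanup can swap it back. A short comment that pool_config is reached through hp and must be released first would document the dependency; the commit message could also name pool_config, since "refer to the mempool object" does not say which access was the problem.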
* [PATCH v6 07/17] bpf: fix free mismatch if convert fails [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 06/17] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBPF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
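Review bot: the commit message says the object is allocated with rte_malloc(), while the compiler note it quotes shows prm coming from rte_zmalloc("bpf_filter", ...) at bpf_convert.c:545. Naming the same allocator in both places would make the pairing with the rte_free(prm) added in the ret < 0 branch of rte_bpf_convert() unambiguous for anyone checking the stable backport.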
* [PATCH v6 08/17] net/e1000: fix use-after-free [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
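Review bot: in igb_delete_5tuple_filter_82576() the rte_free(filter) is removed in one hunk and re-added in the next, and the lines between the two hunks are not shown; if there is any return in that gap, filter now leaks on that path, so the gap needs checking. In both functions, reading filter->index into a local before TAILQ_REMOVE() and using that local for the register writes would make the position of rte_free(filter) no longer order-sensitive.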
* [PATCH v6 10/17] net/cpfl: fix free of nonheap object [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 08/17] net/e1000: fix use-after-free Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
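Review bot: with rte_free(js_mod->layout) removed, the err: label in cpfl_flow_js_mr_layout() does nothing but return -EINVAL, so the label and the jumps to it can be replaced by direct return -EINVAL statements. The commit message says layout is part of an array in another object; a comment at that member's declaration saying it is embedded and owned by the parent would keep a free from being added back on this path.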
* [PATCH v6 12/17] raw/ifpga/base: fix use after free [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
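Review bot: max10_sensor_uinit() removes and frees every entry, so the extra next cursor and the locally defined fallback macro are not strictly needed. Draining the list with while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) around the same TAILQ_REMOVE() and opae_free() calls also avoids reading a freed node, and it does so without carrying a macro definition in this file.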
* [PATCH v6 14/17] drivers/ifpga: fix free function mismatch [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 12/17] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 2024-10-02 15:42 ` [PATCH v6 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, David Marchand, Hyong Youb Kim The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
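Review bot: after this change ifpga_register_msix_irq() has three separate rte_free(intr_efds) calls, two on the -EINVAL paths and one before return 0. A single exit label that frees intr_efds and returns the status would leave one place to get the allocator pairing right; as written, a later edit to any one of the three paths can reintroduce the mismatch.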
* [PATCH v6 15/17] baseband/la12xx: prevent use after free [not found] ` <20241002154429.64357-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-10-02 15:42 ` [PATCH v6 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-10-02 15:42 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 15:42 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Nicolas Chautru, Nipun Gupta, Akhil Goyal It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index 1a56e73abd..cad6f9490e 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
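Review bot: the subject says "prevent use after free", the body says hp "could get freed twice", and the quoted diagnostic refers to a pointer named 'hp_info' while both rte_free() calls it shows take hp. The one-line assignment after rte_free(hp) is easy to verify, but the message should state which of the two problems is being closed and account for the hp/hp_info naming so the stable backport can be checked against the right code path.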
[parent not found: <20241002183918.161656-1-stephen@networkplumber.org>]
* [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta, Akhil Goyal, Raveendra Padasalagi The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
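Review bot: both hunks are the same as in the v6 posting (same index line, ada7ba342c..46522970d5), and nothing under the --- line says what changed for v7. For a patch that is unchanged between versions, a short "v7: no change" remark below the --- line makes it clear that the Acked-by carried above still applies to the code as posted.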
* [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> 2024-10-02 18:37 ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 81637d9420..f89e2b41ff 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> 2024-10-02 18:37 ` [PATCH v7 02/16] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 03/16] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-03 5:52 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula 2024-10-02 18:37 ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* RE: [EXTERNAL] [PATCH v7 04/16] event/cnxk: fix pointer mismatch in cleanup 2024-10-02 18:37 ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-03 5:52 ` Pavan Nikhilesh Bhagavatula 0 siblings, 0 replies; 107+ messages in thread From: Pavan Nikhilesh Bhagavatula @ 2024-10-03 5:52 UTC (permalink / raw) To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable, Jerin Jacob > The code to cleanup in case of error was passing incorrect > value to rte_free. The ports[] entry was allocated with > rte_malloc and that should be used instead of the offset > in that object. > > Fixes: 97a05c1fe634 ("event/cnxk: add port config") > Cc: sthotton@marvell.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > --- > drivers/event/cnxk/cnxk_eventdev.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/event/cnxk/cnxk_eventdev.c > b/drivers/event/cnxk/cnxk_eventdev.c > index 4b2d6bffa6..08c6ce0c07 100644 > --- a/drivers/event/cnxk/cnxk_eventdev.c > +++ b/drivers/event/cnxk/cnxk_eventdev.c 
> @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev > *event_dev, > return 0; > hws_fini: > for (i = i - 1; i >= 0; i--) { > + void *ws = event_dev->data->ports[i]; > + > event_dev->data->ports[i] = NULL; > - rte_free(cnxk_sso_hws_get_cookie(event_dev->data- > >ports[i])); > + rte_free(ws); Hi Stephen, The rte_zmalloc memory is pointing to the cookie[1], the memory assigned to event_dev->data->ports[i] is rte_zmalloc + RTE_CACHE_LINE_SIZE. There is still a bug in the code where we are assigning NULL before freeing memory. The fix should be rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); event_dev->data->ports[i] = NULL; [1] /* Allocate event port memory */ ws = rte_zmalloc("cn10k_ws", sizeof(struct cn10k_sso_hws) + RTE_CACHE_LINE_SIZE, RTE_CACHE_LINE_SIZE); /* First cache line is reserved for cookie */ ws = (struct cn10k_sso_hws *)((uint8_t *)ws + RTE_CACHE_LINE_SIZE); Thanks, Pavan. > } > return -ENOMEM; > } > -- > 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
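Review bot: per the allocation quoted under [1] in this reply, the rte_zmalloc() result is advanced by RTE_CACHE_LINE_SIZE before it is used as the port pointer, so ports[i] is not the address the allocator returned and the rte_free(ws) added in the quoted hunk would pass an interior pointer. The order proposed in the reply, rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])) first and the NULL assignment second, keeps the cookie lookup and removes the read of an already-cleared entry; the next version should take that form and correct the commit message, which says the ports[] entry is the allocated pointer.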
* [PATCH v7 05/16] examples/vhost: fix free function mismatch [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 04/16] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead to pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v7 06/16] net/cnxk: fix use-after-free [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 05/16] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
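Review bot: after the reorder in cnxk_nix_inl_custom_meta_pool_cb, hp->pool_config is a dangling pointer for the whole of rte_mempool_free(hp); if the pool's free path reads that field, this swaps one use-after-free for another. Please confirm it is not read there, or copy hp->pool_config to a local, call rte_mempool_free(hp), and then plt_free() the local.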
* [PATCH v7 07/16] bpf: fix free mismatch if convert fails [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 06/16] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBPF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
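Review bot: the ret < 0 branch in rte_bpf_convert is the only release of prm the hunk shows, while the quoted warning places the rte_zmalloc at line 545 and this free at line 559; any other early return between those two lines needs rte_free(prm) as well. If prm is also what the function hands back on success, its documentation should say the caller must release it with rte_free(), so the same mismatch does not reappear on the caller side.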
* [PATCH v7 08/16] net/e1000: fix use-after-free [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 07/16] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 095be27b08..973d0d2407 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
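Review bot: in both igb_delete_2tuple_filter and igb_delete_5tuple_filter_82576 the fix holds only while rte_free(filter) stays below every E1000_WRITE_REG that reads filter->index; a later register write added after it brings the bug back. Reading filter->index into a local right after TAILQ_REMOVE and using the local in the writes would make the position of the free irrelevant.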
* [PATCH v7 10/16] net/cpfl: fix free of nonheap object [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 08/16] net/e1000: fix use-after-free Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 12/16] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 40569ddc6f..30abaad7c8 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
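Review bot: with rte_free(js_mod->layout) gone, the err: label in cpfl_flow_js_mr_layout does nothing except return -EINVAL; replace the goto err sites with a direct return and drop the label. If any of those paths allocated something else before jumping, the hunk does not show it being released, so please confirm nothing is leaked.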
* [PATCH v7 12/16] raw/ifpga/base: fix use after free [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 10/16] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 15/16] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Andy Pei, Tianfei Zhang The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
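Review bot: the loop in max10_sensor_uinit removes and frees every element, so it can drain the list without any safe-iteration macro: while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); }. That avoids carrying a private TAILQ_FOREACH_SAFE fallback in opae_intel_max10.c; if the macro stays, put it in opae_osdep.h, which this file already includes, so other base files can share one definition.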
* [PATCH v7 14/16] drivers/ifpga: fix free function mismatch [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 12/16] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 2024-10-02 18:37 ` [PATCH v7 15/16] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index a972b3b7a4..86558c7b9b 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt\n", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
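Review bot: the commit message calls this a workaround, and the hunks leave the cause in place: while malloc and free stay redefined for this driver, the next calloc()/free() pair added to ifpga_rawdev.c will mismatch in the same way. Add a comment at the rte_calloc("ifpga_efds", ...) call saying why libc calloc must not be used here, and consider a follow-up that removes the redefinition. The three rte_free(intr_efds) exits in ifpga_register_msix_irq could also share one cleanup label.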
* [PATCH v7 15/16] baseband/la12xx: prevent use after free [not found] ` <20241002183918.161656-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-10-02 18:37 ` [PATCH v7 14/16] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-10-02 18:37 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-02 18:37 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Akhil Goyal, Nipun Gupta, Nicolas Chautru It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index 1a56e73abd..cad6f9490e 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
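Review bot: the added hp = NULL in setup_la12xx_dev only works because the later rte_free(hp) that the quoted diagnostic reports at line 901 accepts NULL, and that second free is outside the hunk, so neither site explains the other. Add a comment at the assignment, or restructure so hp is freed in one place only.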
[parent not found: <20241008154301.66192-1-stephen@networkplumber.org>]
* [PATCH v8 02/17] cryptodev/bcmfs: fix mis-matched free [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta, Raveendra Padasalagi, Akhil Goyal The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
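Review bot: fsdev_release unlinks the entry with TAILQ_REMOVE before rte_free(fsdev), but the cleanup: label in fsdev_allocate_one_dev frees fsdev with no unlink; if a goto cleanup can be taken after fsdev has been inserted into fsdev_list, the list keeps a dangling pointer. The hunk does not show the insertion point, so please confirm the insert happens only after the last failure path.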
* [PATCH v8 03/17] dma/ixd: fix incorrect free function in cleanup [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> 2024-10-08 15:41 ` [PATCH v8 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 60ac219559..6ed03e96da 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
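Review bot: the err: label in init_pci_device now calls rte_free(pci) on every failure, which is only safe if pci is NULL or a live rte_malloc pointer at each goto err; the hunk shows the label but none of the jumps, so please check the initialisation of pci. The subject prefix also reads dma/ixd while the file is drivers/dma/idxd/idxd_pci.c and the Fixes: line uses dma/idxd; correcting the prefix keeps log searches consistent.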
* [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> 2024-10-08 15:41 ` [PATCH v8 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 16:40 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 05/17] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error was passing incorrect value to rte_free. The ports[] entry was allocated with rte_malloc and that should be used instead of the offset in that object. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..08c6ce0c07 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { + void *ws = event_dev->data->ports[i]; + event_dev->data->ports[i] = NULL; - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + rte_free(ws); } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
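Review bot: rte_free(ws) in the hws_fini loop frees the value stored in ports[i], but the removed line shows the original code translating that value through cnxk_sso_hws_get_cookie() before freeing, so the stored pointer is not the address the allocator returned. The defect visible in the removed lines is the order: ports[i] is set to NULL and only then passed to the cookie helper. Keep the translation and fix the order, for example rte_free(cnxk_sso_hws_get_cookie(ws)) using the saved ws, and say in the commit message that the port pointer sits one cache line into the allocation.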
* Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup 2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-08 16:40 ` Stephen Hemminger 2024-10-08 16:43 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula 0 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:40 UTC (permalink / raw) To: dev; +Cc: sthotton, stable, Pavan Nikhilesh On Tue, 8 Oct 2024 08:41:34 -0700 Stephen Hemminger <stephen@networkplumber.org> wrote: > The code to cleanup in case of error was passing incorrect > value to rte_free. The ports[] entry was allocated with > rte_malloc and that should be used instead of the offset > in that object. > > Fixes: 97a05c1fe634 ("event/cnxk: add port config") > Cc: sthotton@marvell.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > --- > drivers/event/cnxk/cnxk_eventdev.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c > index 4b2d6bffa6..08c6ce0c07 100644 > --- a/drivers/event/cnxk/cnxk_eventdev.c > +++ b/drivers/event/cnxk/cnxk_eventdev.c 
> @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, > return 0; > hws_fini: > for (i = i - 1; i >= 0; i--) { > + void *ws = event_dev->data->ports[i]; > + > event_dev->data->ports[i] = NULL; > - rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); > + rte_free(ws); > } > return -ENOMEM; > } This fix is not right, but something is wrong with the original code? [865/3024] Compiling C object drivers/libtmp_rte_event_cnxk.a.p/event_cnxk_cnxk_eventdev.c.o ../drivers/event/cnxk/cnxk_eventdev.c: In function ‘cnxk_setup_event_ports’: ../drivers/event/cnxk/cnxk_eventdev.c:125:17: warning: ‘rte_free’ called on a pointer to an unallocated object ‘18446744073709551552’ [-Wfree-nonheap-object] 125 | rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [3024/3024] Linking target app/dpdk-test ^ permalink raw reply [flat|nested] 107+ messages in thread
* RE: [EXTERNAL] Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch in cleanup 2024-10-08 16:40 ` Stephen Hemminger @ 2024-10-08 16:43 ` Pavan Nikhilesh Bhagavatula 0 siblings, 0 replies; 107+ messages in thread From: Pavan Nikhilesh Bhagavatula @ 2024-10-08 16:43 UTC (permalink / raw) To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable > -----Original Message----- > From: Stephen Hemminger <stephen@networkplumber.org> > Sent: Tuesday, October 8, 2024 10:10 PM > To: dev@dpdk.org > Cc: Shijith Thotton <sthotton@marvell.com>; stable@dpdk.org; Pavan > Nikhilesh Bhagavatula <pbhagavatula@marvell.com> > Subject: [EXTERNAL] Re: [PATCH v8 04/17] event/cnxk: fix pointer mismatch > in cleanup > > On Tue, 8 Oct 2024 08:41:34 -0700 > Stephen Hemminger <stephen@networkplumber.org> wrote: > > > The code to cleanup in case of error was passing incorrect > > value to rte_free. The ports[] entry was allocated with > > rte_malloc and that should be used instead of the offset > > in that object. > > > > Fixes: 97a05c1fe634 ("event/cnxk: add port config") > > Cc: sthotton@marvell.com > > Cc: stable@dpdk.org > > > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > > --- > > drivers/event/cnxk/cnxk_eventdev.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/event/cnxk/cnxk_eventdev.c > b/drivers/event/cnxk/cnxk_eventdev.c > > index 4b2d6bffa6..08c6ce0c07 100644 > > --- a/drivers/event/cnxk/cnxk_eventdev.c > > +++ b/drivers/event/cnxk/cnxk_eventdev.c
> > @@ -121,8 +121,10 @@ cnxk_setup_event_ports(const struct > rte_eventdev *event_dev, > > return 0; > > hws_fini: > > for (i = i - 1; i >= 0; i--) { > > + void *ws = event_dev->data->ports[i]; > > + > > event_dev->data->ports[i] = NULL; > > - rte_free(cnxk_sso_hws_get_cookie(event_dev->data- > >ports[i])); > > + rte_free(ws); > > } > > return -ENOMEM; > > } > > This fix is not right, but something is wrong with the original code? > Yup, the NULL allocation should come after the free rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); event_dev->data->ports[i] = NULL; > [865/3024] Compiling C object > drivers/libtmp_rte_event_cnxk.a.p/event_cnxk_cnxk_eventdev.c.o > ../drivers/event/cnxk/cnxk_eventdev.c: In function ‘cnxk_setup_event_ports’: > ../drivers/event/cnxk/cnxk_eventdev.c:125:17: warning: ‘rte_free’ called on a > pointer to an unallocated object ‘18446744073709551552’ [-Wfree- > nonheap-object] > 125 | rte_free(cnxk_sso_hws_get_cookie(event_dev->data- > >ports[i])); > | > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > [3024/3024] Linking target app/dpdk-test ^ permalink raw reply [flat|nested] 107+ messages in thread
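The cookie layout described in the replies to v7 and v8 of the event/cnxk patch, as an added example that is not part of the thread or of DPDK: it records which address each of the three cleanup orderings would hand to the allocator, without ever freeing a wrong pointer. CACHE_LINE, port_alloc, cookie_of and checked_free are hypothetical stand-ins for RTE_CACHE_LINE_SIZE, the rte_zmalloc call in [1], cnxk_sso_hws_get_cookie and rte_free; plain malloc is used, so the cache-line alignment of the real allocation is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CACHE_LINE 64u /* assumed value of RTE_CACHE_LINE_SIZE */
#define NB_PORTS   4

/* Base addresses handed out by the stand-in allocator; 0 = slot unused. */
static uintptr_t live[NB_PORTS];

/* Hypothetical stand-in for cnxk_sso_hws_get_cookie(): step back over the
 * reserved first cache line to the address the allocator returned. */
static uintptr_t cookie_of(uintptr_t ws)
{
	return ws - CACHE_LINE;
}

/* Allocate one port as in [1]: the first cache line is the cookie and the
 * caller is handed the address just past it. */
static uintptr_t port_alloc(int slot)
{
	void *base = malloc(2 * CACHE_LINE);
	if (base == NULL)
		abort();
	live[slot] = (uintptr_t)base;
	return live[slot] + CACHE_LINE;
}

/* Stand-in for rte_free() that refuses any address that is not a live base
 * instead of corrupting the heap. Returns 1 if memory was released. */
static int checked_free(uintptr_t addr)
{
	for (int i = 0; i < NB_PORTS; i++) {
		if (addr != 0 && live[i] == addr) {
			free((void *)addr);
			live[i] = 0;
			return 1;
		}
	}
	return 0;
}

enum cleanup {
	CLEAR_THEN_COOKIE, /* code before the patch */
	FREE_PORT_POINTER, /* the patch under review: rte_free(ws) */
	COOKIE_THEN_CLEAR  /* order proposed in the replies */
};

struct result {
	int released;        /* frees that hit a real allocation */
	int rejected;        /* frees handed a wrong address */
	uintptr_t first_bad; /* first wrong address, 0 if none */
};

static struct result run_cleanup(enum cleanup how)
{
	uintptr_t ports[NB_PORTS];
	struct result r = {0, 0, 0};

	for (int i = 0; i < NB_PORTS; i++)
		ports[i] = port_alloc(i);

	for (int i = NB_PORTS - 1; i >= 0; i--) {
		uintptr_t arg;
		switch (how) {
		case CLEAR_THEN_COOKIE:
			ports[i] = 0;
			arg = cookie_of(ports[i]); /* 0 - 64 wraps around */
			break;
		case FREE_PORT_POINTER:
			arg = ports[i];            /* base + 64, not the base */
			ports[i] = 0;
			break;
		default:
			arg = cookie_of(ports[i]); /* back to the base */
			ports[i] = 0;
			break;
		}
		if (checked_free(arg))
			r.released++;
		else if (r.rejected++ == 0)
			r.first_bad = arg;
	}
	/* Release what a broken variant leaked so every run starts clean. */
	for (int i = 0; i < NB_PORTS; i++)
		if (live[i] != 0)
			checked_free(live[i]);
	return r;
}

int main(void)
{
	for (int how = CLEAR_THEN_COOKIE; how <= COOKIE_THEN_CLEAR; how++) {
		struct result r = run_cleanup((enum cleanup)how);
		printf("variant %d: released=%d rejected=%d first_bad=%ju\n",
		       how, r.released, r.rejected, (uintmax_t)r.first_bad);
	}
	return 0;
}
```

On a 64-bit build the first variant reports 18446744073709551552 as the rejected address, the same "unallocated object" value GCC prints in the -Wfree-nonheap-object warning quoted in the thread.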
* [PATCH v8 05/17] examples/vhost: fix free function mismatch [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 06/17] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead to pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v8 06/17] net/cnxk: fix use-after-free [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v8 07/17] bpf: fix free mismatch if convert fails [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 06/17] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 08/17] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBPF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v8 08/17] net/e1000: fix use-after-free [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 1e0a483d4a..d3a9181874 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v8 10/17] net/cpfl: fix free of nonheap object [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 08/17] net/e1000: fix use-after-free Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 12/17] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 011229a470..303e979015 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
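Review bot: in the cpfl_flow_js_mr_layout hunk, once rte_free(js_mod->layout) is removed the err: label does nothing except return -EINVAL. Consider replacing each goto err in the function with a direct return -EINVAL and dropping the label, so the error path no longer looks as if it owns cleanup. The commit message already explains that layout is part of an array in another object, so there is nothing to release here.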
* [PATCH v8 12/17] raw/ifpga/base: fix use after free [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
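Review bot: in the first hunk of opae_intel_max10.c, TAILQ_FOREACH_SAFE is defined locally under #ifndef, directly after #include "opae_osdep.h". A fallback like this is easier to keep consistent when it lives once in a shared header (opae_osdep.h is already included here) rather than in each .c file that needs it. The loop condition "(var) && ((tvar) = TAILQ_NEXT((var), field), 1)" also deserves a one-line comment saying that the next pointer is captured before the loop body can free var.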
* [PATCH v8 14/17] drivers/ifpga: fix free function mismatch [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 12/17] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index 113a22b0a7..5b9b596435 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
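Review bot: the commit message calls the switch to rte_calloc() in ifpga_register_msix_irq a workaround, and the cause it names, the driver redefining malloc and free to opae_malloc and opae_free, is left in place by these hunks. Any later calloc()/free() pair written in this driver will mismatch the same way. Either remove the redefinition in a follow-up patch, or add a comment at the rte_calloc("ifpga_efds", ...) call explaining why the libc allocator must not be used for this array.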
* [PATCH v8 15/17] baseband/la12xx: prevent use after free [not found] ` <20241008154301.66192-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-10-08 15:41 ` [PATCH v8 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-10-08 15:41 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 15:41 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Nipun Gupta, Akhil Goyal, Nicolas Chautru It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index af4b4f1e9a..2432cdf884 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
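Review bot: the quoted -Werror=use-after-free diagnostic names the pointer 'hp_info', while the hunk in setup_la12xx_dev clears hp after rte_free(hp). Please say in the commit message how the two names relate, and confirm that no other variable still holds the freed address when the second rte_free(hp) at line 901 is reached. The message also describes a pointer that could be freed twice while the subject says use after free; the two should describe the same defect.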
[parent not found: <20241008164842.139045-1-stephen@networkplumber.org>]
* [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger ` (9 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Ajit Khaparde, Vikas Gupta, Akhil Goyal, Raveendra Padasalagi The device structure is allocated with rte_malloc() and then incorrectly freed with free(). This will lead to corrupt malloc pool. Bugzilla ID: 1552 Fixes: c8e79da7c676 ("crypto/bcmfs: introduce BCMFS driver") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> --- drivers/crypto/bcmfs/bcmfs_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/bcmfs/bcmfs_device.c b/drivers/crypto/bcmfs/bcmfs_device.c index ada7ba342c..46522970d5 100644 --- a/drivers/crypto/bcmfs/bcmfs_device.c +++ b/drivers/crypto/bcmfs/bcmfs_device.c @@ -139,7 +139,7 @@ fsdev_allocate_one_dev(struct rte_vdev_device *vdev, return fsdev; cleanup: - free(fsdev); + rte_free(fsdev); return NULL; } @@ -163,7 +163,7 @@ fsdev_release(struct bcmfs_device *fsdev) return; TAILQ_REMOVE(&fsdev_list, fsdev, next); - free(fsdev); + rte_free(fsdev); } static int -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
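Review bot: both hunks (the cleanup: label in fsdev_allocate_one_dev and the tail of fsdev_release) touch drivers/crypto/bcmfs/bcmfs_device.c, but the subject uses the prefix "cryptodev/bcmfs" while the commit named in Fixes uses "crypto/bcmfs". Using the same "crypto/bcmfs" prefix keeps the fix findable next to the commit it corrects when it is backported to stable. The allocation of fsdev is outside the hunk context, so the claim that it comes from rte_malloc() rests on the commit message alone.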
* [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> 2024-10-08 16:47 ` [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger ` (8 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, kevin.laatz, stable, Bruce Richardson, Conor Walsh The data structure is allocated with rte_malloc and incorrectly freed in cleanup logic using free. Bugzilla ID: 1549 Fixes: 9449330a8458 ("dma/idxd: create dmadev instances on PCI probe") Cc: kevin.laatz@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Bruce Richardson <bruce.richardson@intel.com> --- drivers/dma/idxd/idxd_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/idxd_pci.c b/drivers/dma/idxd/idxd_pci.c index 60ac219559..6ed03e96da 100644 --- a/drivers/dma/idxd/idxd_pci.c +++ b/drivers/dma/idxd/idxd_pci.c @@ -301,7 +301,7 @@ init_pci_device(struct rte_pci_device *dev, struct idxd_dmadev *idxd, return nb_wqs; err: - free(pci); + rte_free(pci); return err_code; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
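Review bot: the subject reads "dma/ixd", but the file changed by the hunk is drivers/dma/idxd/idxd_pci.c and the Fixes line uses "dma/idxd". The prefix looks like a typo and should be "dma/idxd", so that the patch is matched to the right driver when stable maintainers filter by subject.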
* [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> 2024-10-08 16:47 ` [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:54 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula 2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger ` (7 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, sthotton, stable, Pavan Nikhilesh The code to cleanup in case of error would dereference null pointer then pass that result to rte_free. Fixes: 97a05c1fe634 ("event/cnxk: add port config") Cc: sthotton@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/event/cnxk/cnxk_eventdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/event/cnxk/cnxk_eventdev.c b/drivers/event/cnxk/cnxk_eventdev.c index 4b2d6bffa6..8cc1adef11 100644 --- a/drivers/event/cnxk/cnxk_eventdev.c +++ b/drivers/event/cnxk/cnxk_eventdev.c @@ -121,8 +121,8 @@ cnxk_setup_event_ports(const struct rte_eventdev *event_dev, return 0; hws_fini: for (i = i - 1; i >= 0; i--) { - event_dev->data->ports[i] = NULL; rte_free(cnxk_sso_hws_get_cookie(event_dev->data->ports[i])); + event_dev->data->ports[i] = NULL; } return -ENOMEM; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
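Review bot: in the hws_fini loop, "for (i = i - 1; i >= 0; i--)" only terminates if i is a signed type, and its declaration is outside the hunk context. Please confirm that, since an unsigned i would index ports[] out of range with the new statement order just as with the old one. Separately, the subject says "free of non-heap" while the commit message describes a NULL pointer being passed through cnxk_sso_hws_get_cookie() to rte_free(); the two should name the same defect.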
* RE: [EXTERNAL] [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code 2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger @ 2024-10-08 16:54 ` Pavan Nikhilesh Bhagavatula 0 siblings, 0 replies; 107+ messages in thread From: Pavan Nikhilesh Bhagavatula @ 2024-10-08 16:54 UTC (permalink / raw) To: Stephen Hemminger, dev; +Cc: Shijith Thotton, stable > The code to cleanup in case of error would dereference null pointer > then pass that result to rte_free. > > Fixes: 97a05c1fe634 ("event/cnxk: add port config") > Cc: sthotton@marvell.com > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Thanks Stephen, Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com> ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v9 05/17] examples/vhost: fix free function mismatch [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (2 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-09 6:27 ` Chenbo Xia 2024-10-08 16:47 ` [PATCH v9 06/17] net/cnxk: fix use-after-free Stephen Hemminger ` (6 subsequent siblings) 10 siblings, 1 reply; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Chengwen Feng, Maxime Coquelin, Chenbo Xia, Jin Yu The pointer bdev is allocated with rte_zmalloc() and then incorrectly freed with free() which will lead to pool corruption. Bugzilla ID: 1553 Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Chengwen Feng <fengchengwen@huawei.com> --- examples/vhost_blk/vhost_blk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c index 03f1ac9c3f..9c9e326949 100644 --- a/examples/vhost_blk/vhost_blk.c +++ b/examples/vhost_blk/vhost_blk.c @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); if (!bdev->data) { fprintf(stderr, "No enough reserved huge memory for disk\n"); - free(bdev); + rte_free(bdev); return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
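Review bot: the hunk corrects the release of bdev only on the path where the rte_zmalloc() of bdev->data fails in vhost_blk_bdev_construct. The normal teardown of bdev and bdev->data is not in the context lines. Please confirm that those calls use rte_free() as well, otherwise the same allocator mismatch remains for objects that were constructed successfully.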
* Re: [PATCH v9 05/17] examples/vhost: fix free function mismatch 2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-09 6:27 ` Chenbo Xia 0 siblings, 0 replies; 107+ messages in thread From: Chenbo Xia @ 2024-10-09 6:27 UTC (permalink / raw) To: Stephen Hemminger; +Cc: dev, stable, Chengwen Feng, Maxime Coquelin, Jin Yu > On Oct 9, 2024, at 00:47, Stephen Hemminger <stephen@networkplumber.org> wrote: > > External email: Use caution opening links or attachments > > > The pointer bdev is allocated with rte_zmalloc() and then > incorrectly freed with free() which will lead to pool corruption. > > Bugzilla ID: 1553 > Fixes: c19beb3f38cd ("examples/vhost_blk: introduce vhost storage sample") > Cc: stable@dpdk.org > > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> > Acked-by: Chengwen Feng <fengchengwen@huawei.com> > --- > examples/vhost_blk/vhost_blk.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/examples/vhost_blk/vhost_blk.c b/examples/vhost_blk/vhost_blk.c > index 03f1ac9c3f..9c9e326949 100644 > --- a/examples/vhost_blk/vhost_blk.c > +++ b/examples/vhost_blk/vhost_blk.c > @@ -776,7 +776,7 @@ vhost_blk_bdev_construct(const char *bdev_name, > bdev->data = rte_zmalloc(NULL, blk_cnt * blk_size, 0); > if (!bdev->data) { > fprintf(stderr, "No enough reserved huge memory for disk\n"); > - free(bdev); > + rte_free(bdev); > return NULL; > } > > -- > 2.45.2 > Reviewed-by: Chenbo Xia <chenbox@nvidia.com> ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v9 06/17] net/cnxk: fix use-after-free [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (3 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger ` (5 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, rbhansali, stable, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao, Harman Kalra The driver would refer to the mempool object after it was freed. Bugzilla ID: 1554 Fixes: 7ea187184a51 ("common/cnxk: support 1-N pool-aura per NIX LF") Cc: rbhansali@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cnxk/cnxk_ethdev_sec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index 6f5319e534..e428d2115d 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c @@ -136,8 +136,8 @@ cnxk_nix_inl_custom_meta_pool_cb(uintptr_t pmpool, uintptr_t *mpool, const char return -EINVAL; } - rte_mempool_free(hp); plt_free(hp->pool_config); + rte_mempool_free(hp); *aura_handle = 0; *mpool = 0; -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
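Review bot: in cnxk_nix_inl_custom_meta_pool_cb the fix depends entirely on statement order, plt_free(hp->pool_config) before rte_mempool_free(hp), and nothing in the code records that. A short comment above the pair, or copying hp->pool_config into a local before the mempool is released, would stop a later cleanup from swapping the two calls back. The allocation of pool_config is not visible in the hunk, so please also confirm that plt_free() is its matching release function.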
* [PATCH v9 07/17] bpf: fix free mismatch if convert fails [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (4 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 06/17] net/cnxk: fix use-after-free Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 08/17] net/e1000: fix use-after-free Stephen Hemminger ` (4 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Konstantin Ananyev, Ray Kinsella If conversion of cBF to eBPF fails then an object allocated with rte_malloc() would be passed to free(). [908/3201] Compiling C object lib/librte_bpf.a.p/bpf_bpf_convert.c.o ../lib/bpf/bpf_convert.c: In function ‘rte_bpf_convert’: ../lib/bpf/bpf_convert.c:559:17: warning: ‘free’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] 559 | free(prm); | ^~~~~~~~~ ../lib/bpf/bpf_convert.c:545:15: note: returned from ‘rte_zmalloc’ 545 | prm = rte_zmalloc("bpf_filter", | ^~~~~~~~~~~~~~~~~~~~~~~~~ 546 | sizeof(*prm) + ebpf_len * sizeof(*ebpf), 0); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 2eccf6afbea9 ("bpf: add function to convert classic BPF to DPDK BPF") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- lib/bpf/bpf_convert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bpf/bpf_convert.c b/lib/bpf/bpf_convert.c index d7ff2b4325..e7e298c9cb 100644 --- a/lib/bpf/bpf_convert.c +++ b/lib/bpf/bpf_convert.c @@ -556,7 +556,7 @@ rte_bpf_convert(const struct bpf_program *prog) ret = bpf_convert_filter(prog->bf_insns, prog->bf_len, ebpf, &ebpf_len); if (ret < 0) { RTE_BPF_LOG_LINE(ERR, "%s: cannot convert cBPF to eBPF", __func__); - free(prm); + rte_free(prm); rte_errno = -ret; return NULL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
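Review bot: the hunk fixes the failure path in rte_bpf_convert, and the quoted -Wmismatched-dealloc output shows that prm is returned from rte_zmalloc(). If the success path hands prm back to the caller, the API documentation for rte_bpf_convert() should state that the result must be released with rte_free() and not free(), otherwise callers can repeat the mismatch this patch removes. Minor: "cBF" in the commit message should read "cBPF", as in the log string in the context line.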
* [PATCH v9 08/17] net/e1000: fix use-after-free [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (5 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger ` (3 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Wei Zhao The driver cleanup code was freeing the filter object then dereferencing it. Bugzilla ID: 1550 Fixes: 6a4d050e2855 ("net/igb: flush all the filter") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/e1000/igb_ethdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/e1000/igb_ethdev.c b/drivers/net/e1000/igb_ethdev.c index 1e0a483d4a..d3a9181874 100644 --- a/drivers/net/e1000/igb_ethdev.c +++ b/drivers/net/e1000/igb_ethdev.c @@ -3907,11 +3907,11 @@ igb_delete_2tuple_filter(struct rte_eth_dev *dev, filter_info->twotuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->twotuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_TTQF(filter->index), E1000_TTQF_DISABLE_MASK); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } @@ -4348,7 +4348,6 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, filter_info->fivetuple_mask &= ~(1 << filter->index); TAILQ_REMOVE(&filter_info->fivetuple_list, filter, entries); - rte_free(filter); E1000_WRITE_REG(hw, E1000_FTQF(filter->index), E1000_FTQF_VF_BP | E1000_FTQF_MASK); 
@@ -4357,6 +4356,7 @@ igb_delete_5tuple_filter_82576(struct rte_eth_dev *dev, E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0); E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0); + rte_free(filter); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
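Review bot: igb_delete_2tuple_filter and igb_delete_5tuple_filter_82576 both still read filter->index in several E1000_WRITE_REG() calls after TAILQ_REMOVE(), so correctness depends on rte_free(filter) staying the last statement before return 0. Reading filter->index into a local at the top of each function would make the register writes independent of where the free sits and would keep the two functions from regressing if the cleanup is reordered again.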
* [PATCH v9 10/17] net/cpfl: fix free of nonheap object [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (6 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 08/17] net/e1000: fix use-after-free Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 12/17] raw/ifpga/base: fix use after free Stephen Hemminger ` (2 subsequent siblings) 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, wenjing.qiao, stable, Qi Zhang With proper annotation, GCC discovers that this driver is calling rte_free() on an object that was not allocated (it is part of array in another object). In function ‘cpfl_flow_js_mr_layout’, inlined from ‘cpfl_flow_js_mr_action’ at ../drivers/net/cpfl/cpfl_flow_parser.c:848:9, inlined from ‘cpfl_flow_js_mod_rule’ at ../drivers/net/cpfl/cpfl_flow_parser.c:908:9, inlined from ‘cpfl_parser_init’ at ../drivers/net/cpfl/cpfl_flow_parser.c:932:8, inlined from ‘cpfl_parser_create’ at ../drivers/net/cpfl/cpfl_flow_parser.c:959:8: ../drivers/net/cpfl/cpfl_flow_parser.c:740:9: warning: ‘rte_free’ called on pointer ‘*parser.modifications’ with nonzero offset [28, 15479062120396] [-Wfree-nonheap-object] 740 | rte_free(js_mod->layout); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 6cc97c9971d7 ("net/cpfl: build action mapping rules from JSON") Cc: wenjing.qiao@intel.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/net/cpfl/cpfl_flow_parser.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/cpfl/cpfl_flow_parser.c b/drivers/net/cpfl/cpfl_flow_parser.c index 011229a470..303e979015 100644 --- a/drivers/net/cpfl/cpfl_flow_parser.c +++ b/drivers/net/cpfl/cpfl_flow_parser.c 
@@ -737,7 +737,6 @@ cpfl_flow_js_mr_layout(json_t *ob_layouts, struct cpfl_flow_js_mr_action_mod *js return 0; err: - rte_free(js_mod->layout); return -EINVAL; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
* [PATCH v9 12/17] raw/ifpga/base: fix use after free [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (7 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev; +Cc: Stephen Hemminger, stable, Rosen Xu, Tianfei Zhang, Andy Pei The TAILQ_FOREACH() macro would refer to info after it had been freed. Fix by introducing TAILQ_FOREACH_SAFE here. Fixes: 4a19f89104f8 ("raw/ifpga/base: support multiple cards") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/base/opae_intel_max10.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/raw/ifpga/base/opae_intel_max10.c b/drivers/raw/ifpga/base/opae_intel_max10.c index dd97a5f9fd..d5a9ceb6e3 100644 --- a/drivers/raw/ifpga/base/opae_intel_max10.c +++ b/drivers/raw/ifpga/base/opae_intel_max10.c @@ -6,6 +6,13 @@ #include <libfdt.h> #include "opae_osdep.h" +#ifndef TAILQ_FOREACH_SAFE +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST((head)); \ + (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + int max10_sys_read(struct intel_max10_device *dev, unsigned int offset, unsigned int *val) { 
@@ -746,9 +753,9 @@ static int fdt_get_named_reg(const void *fdt, int node, const char *name, static void max10_sensor_uinit(struct intel_max10_device *dev) { - struct opae_sensor_info *info; + struct opae_sensor_info *info, *next; - TAILQ_FOREACH(info, &dev->opae_sensor_list, node) { + TAILQ_FOREACH_SAFE(info, &dev->opae_sensor_list, node, next) { TAILQ_REMOVE(&dev->opae_sensor_list, info, node); opae_free(info); } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
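Review bot: in the second hunk, max10_sensor_uinit removes and frees every element of dev->opae_sensor_list, so the loop does not need a safe iterator at all. Looping on "while ((info = TAILQ_FIRST(&dev->opae_sensor_list)) != NULL)" with the existing TAILQ_REMOVE() and opae_free() in the body drains the list without the extra next variable and without the locally defined TAILQ_FOREACH_SAFE macro added by the first hunk.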
* [PATCH v9 14/17] drivers/ifpga: fix free function mismatch [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (8 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 12/17] raw/ifpga/base: fix use after free Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 15/17] baseband/la12xx: prevent use after free Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, hkalra, stable, Rosen Xu, Hyong Youb Kim, David Marchand The raw ifpga driver redefines malloc to be opae_malloc and free to be opae_free; which is a bad idea. This leads to case where interrupt efd array is allocated with calloc() and then passed to rte_free. The workaround is to allocate the array with rte_calloc() instead. Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Cc: hkalra@marvell.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> --- drivers/raw/ifpga/ifpga_rawdev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index 113a22b0a7..5b9b596435 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -1499,7 +1499,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, nb_intr = rte_intr_nb_intr_get(*intr_handle); - intr_efds = calloc(nb_intr, sizeof(int)); + intr_efds = rte_calloc("ifpga_efds", nb_intr, sizeof(int), 0); if (!intr_efds) return -ENOMEM; @@ -1508,7 +1508,7 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = opae_acc_set_irq(acc, vec_start, count, intr_efds); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } } 
@@ -1517,13 +1517,13 @@ ifpga_register_msix_irq(struct ifpga_rawdev *dev, int port_id, ret = rte_intr_callback_register(*intr_handle, handler, (void *)arg); if (ret) { - free(intr_efds); + rte_free(intr_efds); return -EINVAL; } IFPGA_RAWDEV_PMD_INFO("success register %s interrupt", name); - free(intr_efds); + rte_free(intr_efds); return 0; } -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
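Review bot: ifpga_register_msix_irq now carries three separate rte_free(intr_efds) calls, two on the -EINVAL returns and one before return 0. Since the array is released on every path after the allocation succeeds, a single exit label that frees intr_efds and returns the status would leave one release call to keep in step with the rte_calloc() at the top of the function.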
* [PATCH v9 15/17] baseband/la12xx: prevent use after free [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> ` (9 preceding siblings ...) 2024-10-08 16:47 ` [PATCH v9 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger @ 2024-10-08 16:47 ` Stephen Hemminger 10 siblings, 0 replies; 107+ messages in thread From: Stephen Hemminger @ 2024-10-08 16:47 UTC (permalink / raw) To: dev Cc: Stephen Hemminger, stable, Hemant Agrawal, Gagandeep Singh, Akhil Goyal, Nipun Gupta, Nicolas Chautru It is possible that the info pointer (hp) could get freed twice. Fix by nulling after free. In function 'setup_la12xx_dev', inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8, inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9: ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free] 901 | rte_free(hp); | ^~~~~~~~~~~~ ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here 791 | rte_free(hp); | ^~~~~~~~~~~~ Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config") Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/baseband/la12xx/bbdev_la12xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c index af4b4f1e9a..2432cdf884 100644 --- a/drivers/baseband/la12xx/bbdev_la12xx.c +++ b/drivers/baseband/la12xx/bbdev_la12xx.c @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev) ipc_priv->hugepg_start.size = hp->len; rte_free(hp); + hp = NULL; } dev_ipc = open_ipc_dev(priv->modem_id); -- 2.45.2 ^ permalink raw reply [flat|nested] 107+ messages in thread
2024-10-08 15:41 ` [PATCH v8 04/17] event/cnxk: fix pointer mismatch " Stephen Hemminger 2024-10-08 16:40 ` Stephen Hemminger 2024-10-08 16:43 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula 2024-10-08 15:41 ` [PATCH v8 05/17] examples/vhost: fix free function mismatch Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 06/17] net/cnxk: fix use-after-free Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 08/17] net/e1000: fix use-after-free Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 12/17] raw/ifpga/base: fix use after free Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 14/17] drivers/ifpga: fix free function mismatch Stephen Hemminger 2024-10-08 15:41 ` [PATCH v8 15/17] baseband/la12xx: prevent use after free Stephen Hemminger [not found] ` <20241008164842.139045-1-stephen@networkplumber.org> 2024-10-08 16:47 ` [PATCH v9 02/17] cryptodev/bcmfs: fix mis-matched free Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 03/17] dma/ixd: fix incorrect free function in cleanup Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 04/17] event/cnxk: fix free of non-heap in cleanup code Stephen Hemminger 2024-10-08 16:54 ` [EXTERNAL] " Pavan Nikhilesh Bhagavatula 2024-10-08 16:47 ` [PATCH v9 05/17] examples/vhost: fix free function mismatch Stephen Hemminger 2024-10-09 6:27 ` Chenbo Xia 2024-10-08 16:47 ` [PATCH v9 06/17] net/cnxk: fix use-after-free Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 07/17] bpf: fix free mismatch if convert fails Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 08/17] net/e1000: fix use-after-free Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 10/17] net/cpfl: fix free of nonheap object Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 12/17] raw/ifpga/base: fix use after free Stephen Hemminger 2024-10-08 16:47 ` [PATCH v9 14/17] drivers/ifpga: fix free function mismatch Stephen 
Hemminger 2024-10-08 16:47 ` [PATCH v9 15/17] baseband/la12xx: prevent use after free Stephen Hemminger