| Message ID | 1458131629-21925-4-git-send-email-christian.ehrhardt@canonical.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers |
Return-Path: <dev-bounces@dpdk.org> X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id C79F5568A; Wed, 16 Mar 2016 13:34:15 +0100 (CET) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by dpdk.org (Postfix) with ESMTP id 30A655680 for <dev@dpdk.org>; Wed, 16 Mar 2016 13:34:13 +0100 (CET) Received: from 1.general.paelzer.uk.vpn ([10.172.196.172] helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from <christian.ehrhardt@canonical.com>) id 1agAeS-0002Hx-TY; Wed, 16 Mar 2016 12:34:12 +0000 From: Christian Ehrhardt <christian.ehrhardt@canonical.com> To: christian.ehrhardt@canonical.com, bruce.richardson@intel.com, dev@dpdk.org Date: Wed, 16 Mar 2016 13:33:49 +0100 Message-Id: <1458131629-21925-4-git-send-email-christian.ehrhardt@canonical.com> X-Mailer: git-send-email 2.7.0 In-Reply-To: <1458131629-21925-1-git-send-email-christian.ehrhardt@canonical.com> References: <1458131629-21925-1-git-send-email-christian.ehrhardt@canonical.com> Subject: [dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK <dev.dpdk.org> List-Unsubscribe: <http://dpdk.org/ml/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://dpdk.org/ml/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <http://dpdk.org/ml/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> |
Commit Message
Christian Ehrhardt
March 16, 2016, 12:33 p.m. UTC
Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm might not be freed if it didn't find a te (early return) Acked-by: Bruce Richardson <bruce.richardson@intel.com> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- lib/librte_lpm/rte_lpm.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
Comments
Hi Christian, On 03/16/2016 01:33 PM, Christian Ehrhardt wrote: > Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm > might not be freed if it didn't find a te (early return) > > Acked-by: Bruce Richardson <bruce.richardson@intel.com> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> > --- > lib/librte_lpm/rte_lpm.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c > index ccaaa2a..d5fa1f8 100644 > --- a/lib/librte_lpm/rte_lpm.c > +++ b/lib/librte_lpm/rte_lpm.c > @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) > if (te->data == (void *) lpm) > break; > } > - if (te == NULL) { > - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); > - return; > - } > - > - TAILQ_REMOVE(lpm_list, te, next); > + if (te != NULL) > + TAILQ_REMOVE(lpm_list, te, next); > > rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); > > I've just seen you had already posted a series on this topic. It looks that some free() are missing in lpm.c: Could you please check my version of the patch (which was not as complete as your series)? http://dpdk.org/dev/patchwork/patch/11526/ Regards, Olivier
Hi, looking at it I think we have intersections but also parts of yours that I missed. More than that while applying your changes I found other potential use-after free cases. I'll wrap that all up together in a v3 of my series. Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd On Wed, Mar 16, 2016 at 2:14 PM, Olivier MATZ <olivier.matz@6wind.com> wrote: > Hi Christian, > > On 03/16/2016 01:33 PM, Christian Ehrhardt wrote: > >> Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm >> might not be freed if it didn't find a te (early return) >> >> Acked-by: Bruce Richardson <bruce.richardson@intel.com> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> >> --- >> lib/librte_lpm/rte_lpm.c | 8 ++------ >> 1 file changed, 2 insertions(+), 6 deletions(-) >> >> diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c >> index ccaaa2a..d5fa1f8 100644 >> --- a/lib/librte_lpm/rte_lpm.c >> +++ b/lib/librte_lpm/rte_lpm.c >> @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) >> if (te->data == (void *) lpm) >> break; >> } >> - if (te == NULL) { >> - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> - return; >> - } >> - >> - TAILQ_REMOVE(lpm_list, te, next); >> + if (te != NULL) >> + TAILQ_REMOVE(lpm_list, te, next); >> >> rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> >> >> > I've just seen you had already posted a series on this topic. > It looks that some free() are missing in lpm.c: > > Could you please check my version of the patch (which was not as > complete as your series)? > http://dpdk.org/dev/patchwork/patch/11526/ > > Regards, > Olivier >
diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c index ccaaa2a..d5fa1f8 100644 --- a/lib/librte_lpm/rte_lpm.c +++ b/lib/librte_lpm/rte_lpm.c @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) if (te->data == (void *) lpm) break; } - if (te == NULL) { - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); - return; - } - - TAILQ_REMOVE(lpm_list, te, next); + if (te != NULL) + TAILQ_REMOVE(lpm_list, te, next); rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK);