diff mbox series

net/mlx5: fix use after free in mlx5_dma_unmap

Message ID	cdb08954493d44155cf04fd813cfd3a41255bd4c.1625909056.git.wangyunjian@huawei.com (mailing list archive)
State	Superseded, archived
Delegated to:	Raslan Darawsheh
Headers	From: wangyunjian <wangyunjian@huawei.com> To: <dev@dpdk.org> CC: <matan@nvidia.com>, <shahafs@nvidia.com>, <viacheslavo@nvidia.com>, <dingxiaoxiong@huawei.com>, Yunjian Wang <wangyunjian@huawei.com>, <stable@dpdk.org> Date: Sat, 10 Jul 2021 18:35:22 +0800 Message-ID: <cdb08954493d44155cf04fd813cfd3a41255bd4c.1625909056.git.wangyunjian@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Subject: [dpdk-dev] [PATCH] net/mlx5: fix use after free in mlx5_dma_unmap Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	net/mlx5: fix use after free in mlx5_dma_unmap \| net/mlx5: fix use after free in mlx5_dma_unmap

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/github-robot	success	github build: passed
ci/iol-abi-testing	warning	Testing issues
ci/iol-testing	fail	Testing issues
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS

Commit Message

Yunjian Wang July 10, 2021, 10:35 a.m. UTC

  From: Yunjian Wang <wangyunjian@huawei.com>

This patch fixes the use-after-free bug which was reported by Coverity
Scan in the mlx5_dma_unmap function.

Coverity issue: 371679
Fixes: 992e6df3dafe ("common/mlx5: free MR resource on device DMA unmap")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/mlx5/mlx5_mr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Thomas Monjalon July 22, 2021, 2:10 p.m. UTC | #1

10/07/2021 12:35, wangyunjian:
> From: Yunjian Wang <wangyunjian@huawei.com>
> 
> This patch fixes the use-after-free bug which was reported by Coverity
> Scan in the mlx5_dma_unmap function.
> 
> Coverity issue: 371679
> Fixes: 992e6df3dafe ("common/mlx5: free MR resource on device DMA unmap")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  	LIST_REMOVE(mr, mr);
> -	mlx5_mr_free(mr, sh->share_cache.dereg_mr_cb);
>  	DRV_LOG(DEBUG, "port %u remove MR(%p) from list", dev->data->port_id,
>  	      (void *)mr);
> +	mlx5_mr_free(mr, sh->share_cache.dereg_mr_cb);
>  	mlx5_mr_rebuild_cache(&sh->share_cache);

Sorry, it seems this fix has been integrated as part of this patch
(for no good reason):
	https://git.dpdk.org/dpdk/commit/?id=a7f34989e9

diff mbox series

Patch

diff --git a/drivers/net/mlx5/mlx5_mr.c b/drivers/net/mlx5/mlx5_mr.c
index 89c43fc9e9..e87f138564 100644
--- a/drivers/net/mlx5/mlx5_mr.c
+++ b/drivers/net/mlx5/mlx5_mr.c
@@ -315,9 +315,9 @@  mlx5_dma_unmap(struct rte_pci_device *pdev, void *addr,
 		return -1;
 	}
 	LIST_REMOVE(mr, mr);
-	mlx5_mr_free(mr, sh->share_cache.dereg_mr_cb);
 	DRV_LOG(DEBUG, "port %u remove MR(%p) from list", dev->data->port_id,
 	      (void *)mr);
+	mlx5_mr_free(mr, sh->share_cache.dereg_mr_cb);
 	mlx5_mr_rebuild_cache(&sh->share_cache);
 	/*
 	 * No explicit wmb is needed after updating dev_gen due to