From: Ye Xiaolong <xiaolong.ye@intel.com>
To: Wei Zhao <wei.zhao1@intel.com>
Cc: dev@dpdk.org, stable@dpdk.org, jia.guo@intel.com
Subject: Re: [dpdk-dev] [PATCH v5] net/i40e: fix the core dump risk of wild pointer operation
Date: Tue, 19 May 2020 09:28:42 +0800
Message-ID: <20200519012842.GA37127@intel.com>
In-Reply-To: <20200518080051.36318-1-wei.zhao1@intel.com>

On 05/18, Wei Zhao wrote:
>In i40e PMD code of function i40e_res_pool_free(), if valid_entry
>is freed by "rte_free(valid_entry);" in the code, then the following
>code for pool update may still use the wild pointer "valid_entry"
>for pool info update. It seems to have the risk of a core dump from
>using a wild pointer operation; we should avoid this risk.
>
>Cc: stable@dpdk.org
>Fixes: 4861cde46116 ("i40e: new poll mode driver")
>
>Signed-off-by: Wei Zhao <wei.zhao1@intel.com>
>
>---
>
>v2:
>update commit log
>
>v3:
>set free pointer to NULL
>
>v4:
>change code style
>
>v5:
>fix an issue in v4
>---
> drivers/net/i40e/i40e_ethdev.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
>diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
>index 749d85f54..00bb05179 100644
>--- a/drivers/net/i40e/i40e_ethdev.c
>+++ b/drivers/net/i40e/i40e_ethdev.c
>@@ -4935,6 +4935,7 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
> {
> struct pool_entry *entry, *next, *prev, *valid_entry = NULL;
> uint32_t pool_offset;
>+ uint16_t len;
> int insert;
>
> if (pool == NULL) {
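
Review bot: `uint16_t len;` needs to match the type of the `len` member of struct pool_entry, whose definition is not part of this diff. If that member is wider, the cached copy truncates before it is added to next->len, prev->len and the pool counters, so please confirm the width against the struct definition.
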
>@@ -4973,12 +4974,13 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
> }
>
> insert = 0;
>+ len = valid_entry->len;
> /* Try to merge with next one*/
> if (next != NULL) {
> /* Merge with next one */
>- if (valid_entry->base + valid_entry->len == next->base) {
>+ if (valid_entry->base + len == next->base) {
> next->base = valid_entry->base;
>- next->len += valid_entry->len;
>+ next->len += len;
> rte_free(valid_entry);
> valid_entry = next;
> insert = 1;
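
Review bot: `len = valid_entry->len;` is now an unconditional dereference of a pointer that the declaration initialises to NULL, and the lines between the first two hunks are not shown, so please confirm the "entry not found" path returns before this assignment. A short comment saying that len is the length of the block being freed, not the merged length, would also help, because valid_entry is re-pointed at next a few lines further down.
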
>@@ -4988,13 +4990,15 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
> if (prev != NULL) {
> /* Merge with previous one */
> if (prev->base + prev->len == valid_entry->base) {
>- prev->len += valid_entry->len;
>+ prev->len += len;
> /* If it merge with next one, remove next node */
> if (insert == 1) {
> LIST_REMOVE(valid_entry, next);
> rte_free(valid_entry);
>+ valid_entry = NULL;
> } else {
> rte_free(valid_entry);
>+ valid_entry = NULL;
> insert = 1;
> }
> }
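
Review bot: `prev->len += len;` under-counts when the block was already merged with the next entry (insert == 1). In that path the previous hunk ran `next->len += len;` and `valid_entry = next;`, so valid_entry->len holds the combined length, and this branch then unlinks and frees that node; adding only len to prev drops next's original length from the free list. The removed line `prev->len += valid_entry->len;` read valid_entry before either rte_free() call in this block, so it was not a use-after-free and could be kept as is, with the two `valid_entry = NULL;` assignments still protecting the later code.
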
>@@ -5010,8 +5014,8 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
> LIST_INSERT_HEAD(&pool->free_list, valid_entry, next);
> }
>
>- pool->num_free += valid_entry->len;
>- pool->num_alloc -= valid_entry->len;
>+ pool->num_free += len;
>+ pool->num_alloc -= len;
>
> return 0;
> }
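
Review bot: switching the two counter updates to `len` also changes the accounting in the path that merges with next only, where the old code read valid_entry->len after `valid_entry = next;` and so added the combined length to num_free. The commit log describes only the wild pointer, so it should mention this counter correction as well. Separately, with valid_entry now NULL after a merge into prev, the context line `LIST_INSERT_HEAD(&pool->free_list, valid_entry, next);` must be unreachable when insert == 1; the guard is not visible in this hunk and is worth checking.
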
>--
>2.19.1
>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Applied to dpdk-next-net-intel, Thanks.