From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrien Mazarguil
Subject: Re: [PATCH] net/mlx5: Fix possible NULL deref in RX path
Date: Tue, 2 Aug 2016 11:58:52 +0200
Message-ID: <20160802095852.GB30580@6wind.com>
References: <1470041061-8059-1-git-send-email-sagi@grimberg.me> <20160801164342.GL9044@6wind.com> <0e002bcc-017b-8d5e-f820-111f5c3a7b46@grimberg.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: dev@dpdk.org
To: Sagi Grimberg
Return-path:
Received: from mail-wm0-f46.google.com (mail-wm0-f46.google.com [74.125.82.46]) by dpdk.org (Postfix) with ESMTP id 773B33977 for ; Tue, 2 Aug 2016 11:58:57 +0200 (CEST)
Received: by mail-wm0-f46.google.com with SMTP id i5so281758410wmg.0 for ; Tue, 02 Aug 2016 02:58:57 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <0e002bcc-017b-8d5e-f820-111f5c3a7b46@grimberg.me>
List-Id: patches and discussions about DPDK
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: dev-bounces@dpdk.org
Sender: "dev"

On Tue, Aug 02, 2016 at 12:31:35PM +0300, Sagi Grimberg wrote:
> 
> 
> On 01/08/16 19:43, Adrien Mazarguil wrote:
> >Hi Sagi,
> >
> >On Mon, Aug 01, 2016 at 11:44:21AM +0300, Sagi Grimberg wrote:
> >>The user is allowed to call ->rx_pkt_burst() even without free
> >>mbufs in the pool. In this scenario we'll fail allocating a rep mbuf
> >>on the first iteration (where pkt is still NULL). This would cause us
> >>to deref a NULL pkt (reset refcount and free).
> >>
> >>Fix this by checking the pkt before freeing it.
> >
> >Just to be sure, did you get an actual NULL deref crash here or is that an
> >assumed possibility?
> >
> >I'm asking because this problem was supposed to be addressed by:
> >
> > a1bdb71a32da ("net/mlx5: fix crash in Rx")
> 
> I actually got the NULL deref. This happens when the application doesn't
> restore mbufs to the pool correctly. In the case rte_mbuf_raw_alloc
> will fail on the first iteration (pkt wasn't assigned) unlike the
> condition handled in a1bdb71a32da.
> 
> With this applied, I didn't see the crash.

Thanks for confirming this. Now, what about the different approach I suggested
in my previous message to avoid the extra check in the inner loop:

 if (!pkt)
         pkt = seg;
 while (pkt != seg) {
         ...
 }

Also the fixes line in your commit message?

-- 
Adrien Mazarguil
6WIND
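The failure mode Sagi describes (the replacement allocation failing on the very first iteration, while pkt is still NULL) and the cleanup shape Adrien proposes above, worked through in a constructed stand-alone model. This is an added example, not DPDK or mlx5 code and not code from either author: struct mbuf, struct pool, struct rxq, raw_alloc(), raw_free(), setup(), rx_one() and rx_outcome() are toy stand-ins invented here; the "application never returns its mbufs" condition is modelled by leaving the pool with only `spare` free buffers; and the ring/chain linking is simplified so that the partial chain always ends at the ring entry currently being consumed, which is what lets `while (pkt != seg)` stop without an extra check in the loop body.

```c
/* Constructed model, not DPDK/mlx5 code: toy mbuf, pool and Rx ring. */
#include <stddef.h>

#define POOL_SIZE 8
#define RING_SIZE 4

struct mbuf { struct mbuf *next; };
struct pool { struct mbuf bufs[POOL_SIZE]; struct mbuf *free_list; unsigned nb_free; };
/* elts: mbufs posted to the "hardware" ring; rx_nombuf: drops for lack of mbufs. */
struct rxq { struct pool *mp; struct mbuf *elts[RING_SIZE]; unsigned rq_ci, rx_nombuf; };

static void raw_free(struct pool *mp, struct mbuf *m)
{
	m->next = mp->free_list;
	mp->free_list = m;
	++mp->nb_free;
}

/* Stand-in for rte_mbuf_raw_alloc(): returns NULL when the pool is empty. */
static struct mbuf *raw_alloc(struct pool *mp)
{
	struct mbuf *m = mp->free_list;
	if (m == NULL)
		return NULL;
	mp->free_list = m->next;
	m->next = NULL;
	--mp->nb_free;
	return m;
}

/* Fill the ring from a pool left with only `spare` free buffers; the other
 * buffers model mbufs the application took and never gave back. */
static void setup(struct pool *mp, struct rxq *rxq, unsigned spare)
{
	unsigned i;
	mp->free_list = NULL;
	mp->nb_free = 0;
	for (i = 0; i < RING_SIZE + spare && i < POOL_SIZE; ++i)
		raw_free(mp, &mp->bufs[i]);
	rxq->mp = mp;
	rxq->rq_ci = rxq->rx_nombuf = 0;
	for (i = 0; i < RING_SIZE; ++i)
		rxq->elts[i] = raw_alloc(mp);
}

/* Receive one packet spanning nb_segs ring entries, swapping a fresh mbuf
 * into each consumed slot. Returns 1 with the head in *out, or 0 when the
 * pool ran dry: the packet is dropped and nothing leaks. */
static int rx_one(struct rxq *rxq, struct mbuf **out, unsigned nb_segs)
{
	/* chain head, last segment linked so far, ring entry being consumed */
	struct mbuf *pkt = NULL, *prev = NULL, *seg = NULL;
	unsigned i;
	for (i = 0; i < nb_segs; ++i) {
		unsigned idx = rxq->rq_ci % RING_SIZE;
		struct mbuf *rep;
		seg = rxq->elts[idx];
		if (prev != NULL)
			prev->next = seg; /* chain ends at the slot still in the ring */
		rep = raw_alloc(rxq->mp);
		if (rep == NULL) {
			++rxq->rx_nombuf;
			/* First iteration: pkt is still NULL and nothing was taken,
			 * so aim it at seg and the loop is a no-op instead of a NULL
			 * dereference. Later: free pkt..prev, stop at seg (ring-owned). */
			if (pkt == NULL)
				pkt = seg;
			while (pkt != seg) {
				struct mbuf *next = pkt->next;
				raw_free(rxq->mp, pkt);
				pkt = next;
			}
			return 0;
		}
		rxq->elts[idx] = rep; /* seg now belongs to the packet */
		++rxq->rq_ci;
		seg->next = NULL;
		if (pkt == NULL)
			pkt = seg;
		prev = seg;
	}
	*out = pkt;
	return 1;
}

/* Drive one receive of nb_segs segments against a pool holding `spare` free
 * buffers. Returns the number of segments delivered (0 means dropped), or -1
 * if mbufs leaked: a drop must leave the pool as it was, a delivery must
 * consume exactly one buffer per segment. */
static int rx_outcome(unsigned spare, unsigned nb_segs)
{
	static struct pool mp;
	static struct rxq rxq;
	struct mbuf *pkt = NULL, *seg;
	unsigned before, n = 0;
	setup(&mp, &rxq, spare);
	before = mp.nb_free;
	if (rx_one(&rxq, &pkt, nb_segs))
		for (seg = pkt; seg != NULL; seg = seg->next)
			++n;
	return mp.nb_free == before - n ? (int)n : -1;
}
```

rx_outcome(0, 1) is exactly the case reported in the thread: an empty pool, so the first replacement allocation fails while pkt is still NULL. Deleting the `if (pkt == NULL) pkt = seg;` line turns that call into a NULL dereference inside `while (pkt != seg)`. rx_outcome(1, 3) exercises the other half of the same loop: the pool runs out after one segment has already been pulled out of the ring, and that segment has to come back to the pool, which the returned value checks by comparing the free count before and after.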