From mboxrd@z Thu Jan  1 00:00:00 1970
From: Chas Williams <3chas3@gmail.com>
Subject: Re: [PATCH] net/bonding: fix double fetch for
 active_slave_count
Date: Thu, 29 Nov 2018 22:27:03 -0500
Message-ID: <8fdfaff2-8f59-8d4b-db6c-a8a3c26fb4e2@gmail.com>
References: <1543469561-8864-1-git-send-email-haifeng.lin@huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: chas3@att.com
To: Haifeng Lin <haifeng.lin@huawei.com>, dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mail-qt1-f195.google.com (mail-qt1-f195.google.com
 [209.85.160.195]) by dpdk.org (Postfix) with ESMTP id A1ABD2C01
 for <dev@dpdk.org>; Fri, 30 Nov 2018 04:27:04 +0100 (CET)
Received: by mail-qt1-f195.google.com with SMTP id k12so4502165qtf.7
 for <dev@dpdk.org>; Thu, 29 Nov 2018 19:27:04 -0800 (PST)
In-Reply-To: <1543469561-8864-1-git-send-email-haifeng.lin@huawei.com>
Content-Language: en-US
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

I guess this is slightly more correct. There is still a race here though.
After you make your copy of active_slave_count, the number of active
slaves could go to 0 and the memcpy() would copy an invalid element,
acitve_slaves[0].  There is no simple fix to this problem.  Your patch
reduces the opportunity for a race but doesn't eliminate it.

What you are using this API for?

On 11/29/18 12:32 AM, Haifeng Lin wrote:
> 1. when memcpy slaves the internals->active_slave_count 1
> 2. return internals->active_slave_count is 2
> 3. the slaves[1] would be a random invalid value
> 
> Signed-off-by: Haifeng Lin <haifeng.lin@huawei.com>
> ---
>   drivers/net/bonding/rte_eth_bond_api.c | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/bonding/rte_eth_bond_api.c b/drivers/net/bonding/rte_eth_bond_api.c
> index 21bcd50..ed7b02e 100644
> --- a/drivers/net/bonding/rte_eth_bond_api.c
> +++ b/drivers/net/bonding/rte_eth_bond_api.c
> @@ -815,6 +815,7 @@
>   		uint16_t len)
>   {
>   	struct bond_dev_private *internals;
> +	uint16_t active_slave_count;
>   
>   	if (valid_bonded_port_id(bonded_port_id) != 0)
>   		return -1;
> @@ -824,13 +825,14 @@
>   
>   	internals = rte_eth_devices[bonded_port_id].data->dev_private;
>   
> -	if (internals->active_slave_count > len)
> +	active_slave_count = internals->active_slave_count;
> +	if (active_slave_count > len)
>   		return -1;
>   
>   	memcpy(slaves, internals->active_slaves,
> -	internals->active_slave_count * sizeof(internals->active_slaves[0]));
> +			active_slave_count * sizeof(internals->active_slaves[0]));
>   
> -	return internals->active_slave_count;
> +	return active_slave_count;
>   }
>   
>   int
>