[dpdk-dev] [PATCH 3/3] pci: fix crash caused by invalid memory write

hanxueluo at 126.com hanxueluo at 126.com
Mon Feb 20 15:04:47 CET 2017


From: Huanle Han <hanxueluo at gmail.com>

rte_eal_dev_detach() didn't remove dev from dev_device_list
after freeing the dev. So the following attached dev wrote to
the freed memory (tailq entry of previous dev) in the stack below:

== Invalid write of size 8
==    at 0x43A9CE: rte_eal_device_insert (eal_common_dev.c:71)
==    by 0x42ED9E: pci_scan_one (eal_pci.c:365)
==    by 0x42EF4D: pci_update_device (eal_pci.c:391)
==    by 0x437F59: rte_eal_pci_probe_one (eal_common_pci.c:357)
==    by 0x43AB16: rte_eal_dev_attach (eal_common_dev.c:117)
==    by 0x45B3AA: rte_eth_dev_attach (rte_ethdev.c:489)
==    ...

Signed-off-by: Huanle Han <hanxueluo at gmail.com>
---
 lib/librte_eal/common/eal_common_pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/librte_eal/common/eal_common_pci.c b/lib/librte_eal/common/eal_common_pci.c
index 72547bd..022fdc7 100644
--- a/lib/librte_eal/common/eal_common_pci.c
+++ b/lib/librte_eal/common/eal_common_pci.c
@@ -393,6 +393,7 @@ rte_eal_pci_detach(const struct rte_pci_addr *addr)
 			goto err_return;
 
 		TAILQ_REMOVE(&pci_device_list, dev, next);
+		rte_eal_device_remove(&dev->device);
 		free(dev);
 		return 0;
 	}
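
Review bot: The added rte_eal_device_remove(&dev->device) sits only on the success path of rte_eal_pci_detach(), immediately before free(dev), while the trace in the commit message shows the matching rte_eal_device_insert() being called from pci_scan_one(). Any other path that frees a struct rte_pci_device after it has been scanned would leave the same dangling tailq entry, so it is worth checking those free sites and, if there are any, pairing the removal with the free in a single helper so the two cannot drift apart. The log also attributes the omission to rte_eal_dev_detach(), but the change is in rte_eal_pci_detach(); naming the function actually modified would make the fix easier to trace, and a Fixes: line identifying the commit that introduced the insert without a matching remove would help backporting.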
-- 
2.7.4