[dpdk-dev] [PATCH] net/bonding: fix double fetch for active_slave_count

[Chas Williams]

I guess this is slightly more correct. There is still a race here though.
After you make your copy of active_slave_count, the number of active
slaves could go to 0 and the memcpy() would copy an invalid element,
acitve_slaves[0].  There is no simple fix to this problem.  Your patch
reduces the opportunity for a race but doesn't eliminate it.

What you are using this API for?

On 11/29/18 12:32 AM, Haifeng Lin wrote:
> 1. when memcpy slaves the internals->active_slave_count 1
> 2. return internals->active_slave_count is 2
> 3. the slaves[1] would be a random invalid value
> 
> Signed-off-by: Haifeng Lin <haifeng.lin at huawei.com>
> ---
>   drivers/net/bonding/rte_eth_bond_api.c | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/bonding/rte_eth_bond_api.c b/drivers/net/bonding/rte_eth_bond_api.c
> index 21bcd50..ed7b02e 100644
> --- a/drivers/net/bonding/rte_eth_bond_api.c
> +++ b/drivers/net/bonding/rte_eth_bond_api.c
> @@ -815,6 +815,7 @@
>   		uint16_t len)
>   {
>   	struct bond_dev_private *internals;
> +	uint16_t active_slave_count;
>   
>   	if (valid_bonded_port_id(bonded_port_id) != 0)
>   		return -1;
> @@ -824,13 +825,14 @@
>   
>   	internals = rte_eth_devices[bonded_port_id].data->dev_private;
>   
> -	if (internals->active_slave_count > len)
> +	active_slave_count = internals->active_slave_count;
> +	if (active_slave_count > len)
>   		return -1;
>   
>   	memcpy(slaves, internals->active_slaves,
> -	internals->active_slave_count * sizeof(internals->active_slaves[0]));
> +			active_slave_count * sizeof(internals->active_slaves[0]));
>   
> -	return internals->active_slave_count;
> +	return active_slave_count;
>   }
>   
>   int
>