<html>
    <head>
      <base href="https://bugs.dpdk.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8" class="bz_new_table">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_UNCONFIRMED "
   title="UNCONFIRMED - Use after free in E1000 driver"
   href="https://bugs.dpdk.org/show_bug.cgi?id=1550">1550</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Use after free in E1000 driver
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DPDK
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>UNCONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>ethdev
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dev@dpdk.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>stephen@networkplumber.org
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr></table>
      <p>
        <div class="bz_comment_block">
          <pre class="bz_comment_text">If function attributes are added to rte_malloc() Gcc will detect use after free
in e1000.

[1048/2957] Compiling C object
drivers/libtmp_rte_net_e1000.a.p/net_e1000_igb_ethdev.c.o
In file included from ../drivers/net/e1000/base/e1000_hw.h:8,
                 from ../drivers/net/e1000/base/e1000_api.h:8,
                 from ../drivers/net/e1000/igb_ethdev.c:28:
../drivers/net/e1000/igb_ethdev.c: In function ‘igb_delete_2tuple_filter’:
../drivers/net/e1000/igb_ethdev.c:3914:49: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 3914 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3914:9: note: in expansion of macro
‘E1000_WRITE_REG’
 3914 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3914:29: note: in expansion of macro
‘E1000_IMIREXT’
 3914 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
      |                             ^~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3910:9: note: call to ‘rte_free’ here
 3910 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3913:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 3913 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3913:9: note: in expansion of macro
‘E1000_WRITE_REG’
 3913 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3913:29: note: in expansion of macro
‘E1000_IMIR’
 3913 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3910:9: note: call to ‘rte_free’ here
 3910 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3912:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 3912 |         E1000_WRITE_REG(hw, E1000_TTQF(filter->index),
E1000_TTQF_DISABLE_MASK);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3912:9: note: in expansion of macro
‘E1000_WRITE_REG’
 3912 |         E1000_WRITE_REG(hw, E1000_TTQF(filter->index),
E1000_TTQF_DISABLE_MASK);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3912:29: note: in expansion of macro
‘E1000_TTQF’
 3912 |         E1000_WRITE_REG(hw, E1000_TTQF(filter->index),
E1000_TTQF_DISABLE_MASK);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:3910:9: note: call to ‘rte_free’ here
 3910 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c: In function
‘igb_delete_5tuple_filter_82576’:
../drivers/net/e1000/igb_ethdev.c:4359:49: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4359 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4359:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4359 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4359:29: note: in expansion of macro
‘E1000_IMIREXT’
 4359 |         E1000_WRITE_REG(hw, E1000_IMIREXT(filter->index), 0);
      |                             ^~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4358:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4358 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4358:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4358 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4358:29: note: in expansion of macro
‘E1000_IMIR’
 4358 |         E1000_WRITE_REG(hw, E1000_IMIR(filter->index), 0);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4357:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4357 |         E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4357:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4357 |         E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4357:29: note: in expansion of macro
‘E1000_SPQF’
 4357 |         E1000_WRITE_REG(hw, E1000_SPQF(filter->index), 0);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4356:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4356 |         E1000_WRITE_REG(hw, E1000_SAQF(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4356:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4356 |         E1000_WRITE_REG(hw, E1000_SAQF(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4356:29: note: in expansion of macro
‘E1000_SAQF’
 4356 |         E1000_WRITE_REG(hw, E1000_SAQF(filter->index), 0);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4355:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4355 |         E1000_WRITE_REG(hw, E1000_DAQF(filter->index), 0);
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4355:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4355 |         E1000_WRITE_REG(hw, E1000_DAQF(filter->index), 0);
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4355:29: note: in expansion of macro
‘E1000_DAQF’
 4355 |         E1000_WRITE_REG(hw, E1000_DAQF(filter->index), 0);
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4353:46: warning: pointer ‘filter’ used after
‘rte_free’ [-Wuse-after-free]
 4353 |         E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
../drivers/net/e1000/base/e1000_osdep.h:76:48: note: in definition of macro
‘E1000_PCI_REG_WRITE’
   76 |         rte_write32((rte_cpu_to_le_32(value)), reg)
      |                                                ^~~
../drivers/net/e1000/base/e1000_osdep.h:121:29: note: in expansion of macro
‘E1000_PCI_REG_ADDR’
  121 |         E1000_PCI_REG_WRITE(E1000_PCI_REG_ADDR((hw), (reg)), (value))
      |                             ^~~~~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4353:9: note: in expansion of macro
‘E1000_WRITE_REG’
 4353 |         E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
      |         ^~~~~~~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4353:29: note: in expansion of macro
‘E1000_FTQF’
 4353 |         E1000_WRITE_REG(hw, E1000_FTQF(filter->index),
      |                             ^~~~~~~~~~
../drivers/net/e1000/igb_ethdev.c:4351:9: note: call to ‘rte_free’ here
 4351 |         rte_free(filter);
      |         ^~~~~~~~~~~~~~~~
          </pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
      <div itemscope itemtype="http://schema.org/EmailMessage">
        <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
          
          <link itemprop="url" href="https://bugs.dpdk.org/show_bug.cgi?id=1550">
          <meta itemprop="name" content="View bug">
        </div>
        <meta itemprop="description" content="Bugzilla bug update notification">
      </div>
    </body>
</html>