[dpdk-dev] [PATCH] net/mlx5: Fix possible NULL deref in RX path

Adrien Mazarguil adrien.mazarguil at 6wind.com
Tue Aug 2 11:58:52 CEST 2016


On Tue, Aug 02, 2016 at 12:31:35PM +0300, Sagi Grimberg wrote:
> 
> 
> On 01/08/16 19:43, Adrien Mazarguil wrote:
> >Hi Sagi,
> >
> >On Mon, Aug 01, 2016 at 11:44:21AM +0300, Sagi Grimberg wrote:
> >>The user is allowed to call ->rx_pkt_burst() even without free
> >>mbufs in the pool. In this scenario we'll fail allocating a rep mbuf
> >>on the first iteration (where pkt is still NULL). This would cause us
> >>to deref a NULL pkt (reset refcount and free).
> >>
> >>Fix this by checking the pkt before freeing it.
> >
> >Just to be sure, did you get an actual NULL deref crash here or is that an
> >assumed possibility?
> >
> >I'm asking because this problem was supposed to be addressed by:
> >
> > a1bdb71a32da ("net/mlx5: fix crash in Rx")
> 
> I actually got the NULL deref. This happens when the application doesn't
> restore mbufs to the pool correctly. In this case rte_mbuf_raw_alloc
> will fail on the first iteration (pkt wasn't assigned) unlike the
> condition handled in a1bdb71a32da.
> 
> With this applied, I didn't see the crash.

Thanks for confirming this, now what about the different approach I
suggested in my previous message to avoid the extra check in the inner loop:

    if (!pkt)
        pkt = seg;
    while (pkt != seg) {
        ...
    }

Also the fixes line in your commit message?

-- 
Adrien Mazarguil
6WIND
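
The guard suggested in the message above, as an added example that is not part of the thread or of the mlx5 driver: a constructed C model of the Rx loop, in which struct buf, struct pool, pool_take, drop_partial and rx_packet are hypothetical names. It covers replacement allocation failing on the first segment, where pkt is still NULL, and on a later segment.

```c
#include <stdio.h>

/* Constructed stand-ins (not DPDK types): only what the cleanup touches. */
struct buf { struct buf *next; int refcnt; };
struct pool { int avail; int freed; };

/* Take one replacement buffer; returns 0 when the pool is empty. */
static int pool_take(struct pool *p) { return p->avail > 0 ? (p->avail--, 1) : 0; }

/* Release segments chained so far, up to but not including seg. With
 * pkt == NULL (failure on the first segment), aliasing pkt to seg makes
 * the loop run zero times instead of dereferencing NULL. */
static void drop_partial(struct pool *p, struct buf *pkt, struct buf *seg)
{
    if (!pkt)
        pkt = seg;
    while (pkt != seg) {
        struct buf *next = pkt->next;
        pkt->refcnt = 0;        /* reset refcount */
        p->freed++;             /* stands in for the raw free */
        pkt = next;
    }
}

/* Assemble one packet from nsegs ring entries; each entry needs a
 * replacement. Returns 1 when complete, 0 when the pool ran dry. */
static int rx_packet(struct pool *p, struct buf *ring, int nsegs)
{
    struct buf *pkt = NULL, *seg = NULL;
    for (int i = 0; i < nsegs; i++) {
        if (pkt)
            seg->next = &ring[i];   /* chain onto the packet in progress */
        seg = &ring[i];
        if (!pool_take(p)) {        /* no replacement buffer available */
            drop_partial(p, pkt, seg);
            return 0;
        }
        if (!pkt)
            pkt = seg;              /* first segment becomes the head */
    }
    return 1;
}

int main(void)
{
    struct buf ring[3] = {{NULL, 1}, {NULL, 1}, {NULL, 1}};
    struct pool empty = {0, 0};     /* constructed input: empty pool */
    int done = rx_packet(&empty, ring, 3);
    printf("done=%d freed=%d\n", done, empty.freed);
}
```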

