[dpdk-dev] [PATCH 3/3] lpm: fix missing free of lpm

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed Mar 16 14:34:28 CET 2016


Hi,
looking at it I think we have intersections but also parts of yours that I
missed.
More than that, while applying your changes I found other potential
use-after-free cases.

I'll wrap that all up together in a v3 of my series.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Wed, Mar 16, 2016 at 2:14 PM, Olivier MATZ <olivier.matz at 6wind.com>
wrote:

> Hi Christian,
>
> On 03/16/2016 01:33 PM, Christian Ehrhardt wrote:
>
>> Fixing lpm6 regarding a similar issue showed that in rte_lpm_free lpm
>> might not be freed if it didn't find a te (early return)
>>
>> Acked-by: Bruce Richardson <bruce.richardson at intel.com>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
>> ---
>>   lib/librte_lpm/rte_lpm.c | 8 ++------
>>   1 file changed, 2 insertions(+), 6 deletions(-)
>>
>> diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c
>> index ccaaa2a..d5fa1f8 100644
>> --- a/lib/librte_lpm/rte_lpm.c
>> +++ b/lib/librte_lpm/rte_lpm.c
>> @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm)
>>                 if (te->data == (void *) lpm)
>>                         break;
>>         }
>> -       if (te == NULL) {
>> -               rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK);
>> -               return;
>> -       }
>> -
>> -       TAILQ_REMOVE(lpm_list, te, next);
>> +       if (te != NULL)
>> +               TAILQ_REMOVE(lpm_list, te, next);
>>
>>         rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK);
>>
>>
>>
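
Review bot: With the early return removed from rte_lpm_free_v20, the te == NULL case now falls through to the code after rte_rwlock_write_unlock, which is outside the visible context. Please confirm that whatever releases te there accepts NULL, and add a short comment at `if (te != NULL)` saying that lpm is still freed when no tailq entry matches. The commit message names rte_lpm_free, but the hunk header and the diffstat (2 insertions, 6 deletions) show only rte_lpm_free_v20 being touched, so if the file carries another versioned variant with the same early return it needs the same change.
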
> I've just seen you had already posted a series on this topic.
> It looks like some free() are missing in lpm.c:
>
> Could you please check my version of the patch (which was not as
> complete as your series)?
> http://dpdk.org/dev/patchwork/patch/11526/
>
> Regards,
> Olivier
>

