patch 'net/nfp: fix double free in flow destroy' has been queued to stable release 22.11.7
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Wed Oct 23 23:15:54 CEST 2024
Hi,
FYI, your patch has been queued to stable release 22.11.7
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/25/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/8bd09aed9cf598b6b0088bdd70d4d8c0c00b908c
Thanks.
Luca Boccassi
---
>From 8bd09aed9cf598b6b0088bdd70d4d8c0c00b908c Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Tue, 8 Oct 2024 09:47:15 -0700
Subject: [PATCH] net/nfp: fix double free in flow destroy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[ upstream commit fae5c633522efd30b6cb2c7a1bdfeb7e19e2f369 ]
Calling rte_free twice on same object will corrupt the heap.
Warning is:
In function 'nfp_pre_tun_table_check_del',
inlined from 'nfp_flow_destroy' at
../drivers/net/nfp/flower/nfp_flower_flow.c:5143:9:
../drivers/net/nfp/flower/nfp_flower_flow.c:3830:9:
error: pointer 'entry' used after 'rte_free'
[-Werror=use-after-free]
3830 | rte_free(entry);
| ^~~~~~~~~~~~~~~
../drivers/net/nfp/flower/nfp_flower_flow.c:3825:9:
note: call to 'rte_free' here
3825 | rte_free(entry);
| ^~~~~~~~~~~~~~~
Bugzilla ID: 1555
Fixes: d3c33bdf1f18 ("net/nfp: prepare for IPv4 UDP tunnel decap flow action")
Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Acked-by: Morten Brørup <mb at smartsharesystems.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Acked-by: Wathsala Vithanage <wathsala.vithanage at arm.com>
---
drivers/net/nfp/nfp_flow.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/nfp/nfp_flow.c b/drivers/net/nfp/nfp_flow.c
index 17c091ffa0..3746aa2d0f 100644
--- a/drivers/net/nfp/nfp_flow.c
+++ b/drivers/net/nfp/nfp_flow.c
@@ -3019,7 +3019,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
goto free_entry;
}
- rte_free(entry);
rte_free(find_entry);
priv->pre_tun_cnt--;
--
2.45.2
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2024-10-23 22:16:41.085777453 +0100
+++ 0014-net-nfp-fix-double-free-in-flow-destroy.patch 2024-10-23 22:16:40.447940718 +0100
@@ -1 +1 @@
-From fae5c633522efd30b6cb2c7a1bdfeb7e19e2f369 Mon Sep 17 00:00:00 2001
+From 8bd09aed9cf598b6b0088bdd70d4d8c0c00b908c Mon Sep 17 00:00:00 2001
@@ -8,0 +9,2 @@
+[ upstream commit fae5c633522efd30b6cb2c7a1bdfeb7e19e2f369 ]
+
@@ -26 +27,0 @@
-Cc: stable at dpdk.org
@@ -33 +34 @@
- drivers/net/nfp/flower/nfp_flower_flow.c | 1 -
+ drivers/net/nfp/nfp_flow.c | 1 -
@@ -36,5 +37,5 @@
-diff --git a/drivers/net/nfp/flower/nfp_flower_flow.c b/drivers/net/nfp/flower/nfp_flower_flow.c
-index 0078455658..64a0062c8b 100644
---- a/drivers/net/nfp/flower/nfp_flower_flow.c
-+++ b/drivers/net/nfp/flower/nfp_flower_flow.c
-@@ -3822,7 +3822,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
+diff --git a/drivers/net/nfp/nfp_flow.c b/drivers/net/nfp/nfp_flow.c
+index 17c091ffa0..3746aa2d0f 100644
+--- a/drivers/net/nfp/nfp_flow.c
++++ b/drivers/net/nfp/nfp_flow.c
+@@ -3019,7 +3019,6 @@ nfp_pre_tun_table_check_del(struct nfp_flower_representor *repr,
More information about the stable
mailing list