patch 'net/sfc: fix use after free in debug logs' has been queued to stable release 22.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Wed Oct 23 23:15:55 CEST 2024


Hi,

FYI, your patch has been queued to stable release 22.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/25/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/d8c04bbc9bbf10267c00dbf1fff30fc0e08fbfa4

Thanks.

Luca Boccassi

---
>From d8c04bbc9bbf10267c00dbf1fff30fc0e08fbfa4 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Tue, 8 Oct 2024 09:47:13 -0700
Subject: [PATCH] net/sfc: fix use after free in debug logs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[ upstream commit 757b0b6f207c072a550f43836856235aa41553ad ]

If compiler detection of use-after-free is enabled then this driver's
debug messages will cause warnings. Change the code to log each debug
message before the object is freed.

Bugzilla ID: 1551
Fixes: 55c1238246d5 ("net/sfc: add more debug messages to transfer flows")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Reviewed-by: Ivan Malov <ivan.malov at arknetworks.am>
Acked-by: Andrew Rybchenko <andrew.rybchenko at oktetlabs.ru>
Acked-by: Morten Brørup <mb at smartsharesystems.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Acked-by: Wathsala Vithanage <wathsala.vithanage at arm.com>
---
 drivers/net/sfc/sfc_flow_rss.c |  4 ++--
 drivers/net/sfc/sfc_mae.c      | 13 +++++--------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/drivers/net/sfc/sfc_flow_rss.c b/drivers/net/sfc/sfc_flow_rss.c
index e28c943335..8e2749833b 100644
--- a/drivers/net/sfc/sfc_flow_rss.c
+++ b/drivers/net/sfc/sfc_flow_rss.c
@@ -303,9 +303,9 @@ sfc_flow_rss_ctx_del(struct sfc_adapter *sa, struct sfc_flow_rss_ctx *ctx)
 
 	TAILQ_REMOVE(&flow_rss->ctx_list, ctx, entries);
 	rte_free(ctx->qid_offsets);
-	rte_free(ctx);
-
 	sfc_dbg(sa, "flow-rss: deleted ctx=%p", ctx);
+
+	rte_free(ctx);
 }
 
 static int
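Review bot: The order of `sfc_dbg()` and `rte_free(ctx)` at the end of sfc_flow_rss_ctx_del now matters, but nothing in the code says so, and a later tidy-up could put the log back after the free. A one-line comment above the log call would pin it, for example `/* Log before rte_free(): using ctx afterwards trips use-after-free detection. */`. The same comment fits the four sfc_mae.c hunks (outer_rule, mac_addr, encap_header, action_set). As a style point, this hunk and the encap_header one separate the log from the free with a blank line while the other three do not; picking one layout would make the pattern easier to grep for. The function body starts outside the hunk.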
diff --git a/drivers/net/sfc/sfc_mae.c b/drivers/net/sfc/sfc_mae.c
index b61b9658e3..4775953b8d 100644
--- a/drivers/net/sfc/sfc_mae.c
+++ b/drivers/net/sfc/sfc_mae.c
@@ -421,9 +421,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
 	efx_mae_match_spec_fini(sa->nic, rule->match_spec);
 
 	TAILQ_REMOVE(&mae->outer_rules, rule, entries);
-	rte_free(rule);
-
 	sfc_dbg(sa, "deleted outer_rule=%p", rule);
+	rte_free(rule);
 }
 
 static int
@@ -582,9 +581,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
 	}
 
 	TAILQ_REMOVE(&mae->mac_addrs, mac_addr, entries);
-	rte_free(mac_addr);
-
 	sfc_dbg(sa, "deleted mac_addr=%p", mac_addr);
+	rte_free(mac_addr);
 }
 
 enum sfc_mae_mac_addr_type {
@@ -779,10 +777,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
 	}
 
 	TAILQ_REMOVE(&mae->encap_headers, encap_header, entries);
+	sfc_dbg(sa, "deleted encap_header=%p", encap_header);
+
 	rte_free(encap_header->buf);
 	rte_free(encap_header);
-
-	sfc_dbg(sa, "deleted encap_header=%p", encap_header);
 }
 
 static int
@@ -1085,9 +1083,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
 		rte_free(action_set->counters);
 	}
 	TAILQ_REMOVE(&mae->action_sets, action_set, entries);
-	rte_free(action_set);
-
 	sfc_dbg(sa, "deleted action_set=%p", action_set);
+	rte_free(action_set);
 }
 
 static int
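Review bot: The leading context of this hunk (`rte_free(action_set->counters);` inside a closing brace) differs from the upstream context, so this hunk was rebased. The comparison printed after the patch also shows that upstream reordered the log in sfc_mae_counter_del, sfc_mae_action_set_list_del and sfc_mae_action_rule_del, none of which appear in this backport. Presumably those helpers do not exist on the 22.11 branch, but that is not visible here. It is worth confirming that the stable sfc_mae.c has no remaining `rte_free(x)` followed by `sfc_dbg(..., x)`, since a hunk dropped during rebasing would leave the same warning in place. The body of sfc_mae_action_set_del starts outside the hunk.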
-- 
2.45.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2024-10-23 22:16:41.124423091 +0100
+++ 0015-net-sfc-fix-use-after-free-in-debug-logs.patch	2024-10-23 22:16:40.451940874 +0100
@@ -1 +1 @@
-From 757b0b6f207c072a550f43836856235aa41553ad Mon Sep 17 00:00:00 2001
+From d8c04bbc9bbf10267c00dbf1fff30fc0e08fbfa4 Mon Sep 17 00:00:00 2001
@@ -8,0 +9,2 @@
+[ upstream commit 757b0b6f207c072a550f43836856235aa41553ad ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -25,2 +26,2 @@
- drivers/net/sfc/sfc_mae.c      | 25 ++++++++++---------------
- 2 files changed, 12 insertions(+), 17 deletions(-)
+ drivers/net/sfc/sfc_mae.c      | 13 +++++--------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
@@ -45 +46 @@
-index 60ff6d2181..8f74f10390 100644
+index b61b9658e3..4775953b8d 100644
@@ -48 +49 @@
-@@ -400,9 +400,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
+@@ -421,9 +421,8 @@ sfc_mae_outer_rule_del(struct sfc_adapter *sa,
@@ -59 +60 @@
-@@ -585,9 +584,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
+@@ -582,9 +581,8 @@ sfc_mae_mac_addr_del(struct sfc_adapter *sa, struct sfc_mae_mac_addr *mac_addr)
@@ -70 +71 @@
-@@ -785,10 +783,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
+@@ -779,10 +777,10 @@ sfc_mae_encap_header_del(struct sfc_adapter *sa,
@@ -74,4 +75 @@
--	rte_free(encap_header->buf);
--	rte_free(encap_header);
--
- 	sfc_dbg(sa, "deleted encap_header=%p", encap_header);
++	sfc_dbg(sa, "deleted encap_header=%p", encap_header);
@@ -79,10 +77,2 @@
-+	rte_free(encap_header->buf);
-+	rte_free(encap_header);
- }
- 
- static int
-@@ -983,9 +981,8 @@ sfc_mae_counter_del(struct sfc_adapter *sa, struct sfc_mae_counter *counter)
- 	}
- 
- 	TAILQ_REMOVE(&mae->counters, counter, entries);
--	rte_free(counter);
+ 	rte_free(encap_header->buf);
+ 	rte_free(encap_header);
@@ -90,2 +80 @@
- 	sfc_dbg(sa, "deleted counter=%p", counter);
-+	rte_free(counter);
+-	sfc_dbg(sa, "deleted encap_header=%p", encap_header);
@@ -95,3 +84,3 @@
-@@ -1165,9 +1162,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
- 	sfc_mae_mac_addr_del(sa, action_set->src_mac_addr);
- 	sfc_mae_counter_del(sa, action_set->counter);
+@@ -1085,9 +1083,8 @@ sfc_mae_action_set_del(struct sfc_adapter *sa,
+ 		rte_free(action_set->counters);
+ 	}
@@ -103,24 +91,0 @@
- }
- 
- static int
-@@ -1401,10 +1397,10 @@ sfc_mae_action_set_list_del(struct sfc_adapter *sa,
- 		sfc_mae_action_set_del(sa, action_set_list->action_sets[i]);
- 
- 	TAILQ_REMOVE(&mae->action_set_lists, action_set_list, entries);
-+	sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
-+
- 	rte_free(action_set_list->action_sets);
- 	rte_free(action_set_list);
--
--	sfc_dbg(sa, "deleted action_set_list=%p", action_set_list);
- }
- 
- static int
-@@ -1667,9 +1663,8 @@ sfc_mae_action_rule_del(struct sfc_adapter *sa,
- 	sfc_mae_outer_rule_del(sa, rule->outer_rule);
- 
- 	TAILQ_REMOVE(&mae->action_rules, rule, entries);
--	rte_free(rule);
--
- 	sfc_dbg(sa, "deleted action_rule=%p", rule);
-+	rte_free(rule);

