On 4/27/2020 10:39 PM, Stephen Hemminger wrote:
> The TAP driver does not initialize all the elements of the rte_flow
> structure. This can lead to crash in rte_flow_destroy.
>
> (gdb) where
>     flow=0x100e99280, error=0x0)
>     at drivers/net/tap/tap_flow.c:1514
>
> (gdb) p remote_flow
> $1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b
>
> Which is here:
> static int
> tap_flow_destroy_pmd(struct pmd_internals *pmd,
>                      struct rte_flow *flow,
>                      struct rte_flow_error *error)
> {
>         struct rte_flow *remote_flow = flow->remote_flow;
>         ...
>         if (remote_flow) {
>                 remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
>
> Simplest fix is to use rte_zmalloc() so remote_flow and other fields
> are always set at zero.

Both 'rte_malloc' & 'rte_zmalloc' should be zeroing the allocated memory, unless
the MALLOC_DEBUG config option is set [1]; if this is not the case, the issue can
still be valid after this change.

[1]
http://lxr.dpdk.org/dpdk/v20.02/source/lib/librte_eal/common/rte_malloc.c#L83

>
> Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
> Cc: pascal.ma...@6wind.com
> Signed-off-by: Stephen Hemminger <step...@networkplumber.org>

<...>
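
The failure mode discussed in this thread, as an added example (not code from the original messages or from DPDK): a creation path that never writes `remote_flow` is harmless on zeroed memory, but on non-zeroed memory it leaves a pointer like the `0x6b6b6b6b6b6b6b6b` in the gdb output, which passes the `if (remote_flow)` test. `struct demo_flow`, `poison_alloc`, `zero_alloc` and the other helper names are hypothetical stand-ins, and the 0x6b fill is constructed to match that output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0x6b /* constructed: same byte pattern as the gdb output */

/* Hypothetical stand-in for struct rte_flow, reduced to two fields. */
struct demo_flow {
    struct demo_flow *remote_flow;
    uint16_t nlmsg_flags;
};

/* Toy allocator returning non-zeroed memory (assumption: a debug-style heap). */
static void *poison_alloc(size_t size)
{
    void *p = malloc(size);
    return p != NULL ? memset(p, POISON_BYTE, size) : NULL;
}
/* Zeroing allocator: the role rte_zmalloc() plays in the proposed fix. */
static void *zero_alloc(size_t size) { return calloc(1, size); }

/* Creation path that sets one field and never writes remote_flow. */
static struct demo_flow *flow_create(void *(*alloc)(size_t))
{
    struct demo_flow *flow = alloc(sizeof(*flow));
    if (flow != NULL)
        flow->nlmsg_flags = 0;
    return flow;
}

/* Raw bits of remote_flow, copied out without dereferencing the pointer. */
static uintptr_t remote_flow_bits(const struct demo_flow *flow)
{
    uintptr_t bits = 0;
    memcpy(&bits, &flow->remote_flow, sizeof(flow->remote_flow));
    return bits;
}

/* Mirrors `if (remote_flow)` on the destroy path: 1 means it would write through it. */
static int destroy_would_deref(const struct demo_flow *f) { return remote_flow_bits(f) != 0; }

int main(void)
{
    struct demo_flow *bad = flow_create(poison_alloc), *good = flow_create(zero_alloc);
    if (bad == NULL || good == NULL) return 1;
    printf("non-zeroed: remote_flow=%#llx deref=%d; zeroed: deref=%d\n",
           (unsigned long long)remote_flow_bits(bad), destroy_would_deref(bad), destroy_would_deref(good));
    free(bad); free(good);
    return 0;
}
```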