RE: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release

[Honnappa Nagarahalli]

> -----Original Message-----
> From: Yunjian Wang <wangyunj...@huawei.com>
> Sent: Thursday, April 20, 2023 1:44 AM
> To: dev@dpdk.org
> Cc: Honnappa Nagarahalli <honnappa.nagaraha...@arm.com>;
> konstantin.v.anan...@yandex.ru; luyi...@huawei.com; Yunjian Wang
> <wangyunj...@huawei.com>; sta...@dpdk.org
> Subject: [dpdk-dev] [PATCH v2] ring: fix use after free in ring release
> 
> After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
> If rte_ring_lookup is called at this time, it will cause a use-after-free 
> problem.
> This change prevents that from happening.
> 
> Fixes: 4e32101f9b01 ("ring: support freeing")
> Cc: sta...@dpdk.org
> 
> Suggested-by: Honnappa Nagarahalli <honnappa.nagaraha...@arm.com>
This is incorrect, this is not a suggestion from me. Please remove this.

> Signed-off-by: Yunjian Wang <wangyunj...@huawei.com>
Other than the above, the patch looks fine.

Reviewed-by: Honnappa Nagarahalli <honnappa.nagaraha...@arm.com>

> ---
> v2: update code suggested by Honnappa Nagarahalli
> ---
>  lib/ring/rte_ring.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)
> 
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c index
> 8ed455043d..2755323b8a 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -333,11 +333,6 @@ rte_ring_free(struct rte_ring *r)
>               return;
>       }
> 
> -     if (rte_memzone_free(r->memzone) != 0) {
> -             RTE_LOG(ERR, RING, "Cannot free memory\n");
> -             return;
> -     }
> -
>       ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
>       rte_mcfg_tailq_write_lock();
> 
> @@ -354,6 +349,9 @@ rte_ring_free(struct rte_ring *r)
> 
>       TAILQ_REMOVE(ring_list, te, next);
> 
> +     if (rte_memzone_free(r->memzone) != 0)
> +             RTE_LOG(ERR, RING, "Cannot free memory\n");
> +
>       rte_mcfg_tailq_write_unlock();
> 
>       rte_free(te);
> --
> 2.33.0