Hi, looking at it I think we have intersections but also parts of yours that I missed. More than that, while applying your changes I found other potential use-after-free cases.
I'll wrap that all up together in a v3 of my series. Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd On Wed, Mar 16, 2016 at 2:14 PM, Olivier MATZ <olivier.matz at 6wind.com> wrote: > Hi Christian, > > On 03/16/2016 01:33 PM, Christian Ehrhardt wrote: > >> Fixing lpm6 regarding a similar issue showed that that in rte_lpm_free lpm >> might not be freed if it didn't find a te (early return) >> >> Acked-by: Bruce Richardson <bruce.richardson at intel.com> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com> >> --- >> lib/librte_lpm/rte_lpm.c | 8 ++------ >> 1 file changed, 2 insertions(+), 6 deletions(-) >> >> diff --git a/lib/librte_lpm/rte_lpm.c b/lib/librte_lpm/rte_lpm.c >> index ccaaa2a..d5fa1f8 100644 >> --- a/lib/librte_lpm/rte_lpm.c >> +++ b/lib/librte_lpm/rte_lpm.c >> @@ -360,12 +360,8 @@ rte_lpm_free_v20(struct rte_lpm_v20 *lpm) >> if (te->data == (void *) lpm) >> break; >> } >> - if (te == NULL) { >> - rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> - return; >> - } >> - >> - TAILQ_REMOVE(lpm_list, te, next); >> + if (te != NULL) >> + TAILQ_REMOVE(lpm_list, te, next); >> >> rte_rwlock_write_unlock(RTE_EAL_TAILQ_RWLOCK); >> >> >> > I've just seen you had already posted a series on this topic. > It looks that some free() are missing in lpm.c: > > Could you please check my version of the patch (which was not as > complete as your series)? > http://dpdk.org/dev/patchwork/patch/11526/ > > Regards, > Olivier >
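Review bot: The only hunk is in rte_lpm_free_v20, while the commit message describes the leak in rte_lpm_free; if the other versioned variant of the free function has the same `if (te == NULL) { ... return; }` early return, it needs the same change, and the diffstat (2 insertions, 6 deletions) shows it is not touched here. With the early return removed, the te == NULL case now falls through past rte_rwlock_write_unlock() into the cleanup that follows the shown context, so please confirm that code tolerates a NULL te. The commit message also has a doubled "that that" which is worth fixing in the v3.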