[dpdk-stable] patch 'net/tap: fix crash in flow destroy' has been queued to stable release 19.11.3

luca.boccassi at gmail.com luca.boccassi at gmail.com
Tue May 19 15:05:27 CEST 2020

Previous message: [dpdk-stable] patch 'net/ice: fix crash in switch filter' has been queued to stable release 19.11.3
Next message: [dpdk-stable] patch 'net/bnxt: fix number of TQM ring' has been queued to stable release 19.11.3
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 19.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/21/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 2befb2f470b5141bead91c26d1220304b0667385 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Mon, 27 Apr 2020 14:39:26 -0700
Subject: [PATCH] net/tap: fix crash in flow destroy

[ upstream commit 8451387df206f5ad34461280ab6a2e5bfe382b9b ]

The TAP driver does not initialize all the elements of the rte_flow
structure. This can lead to crash in rte_flow_destroy.

(gdb) where
    flow=0x100e99280, error=0x0)
    at drivers/net/tap/tap_flow.c:1514

(gdb) p remote_flow
$1 = (struct rte_flow *) 0x6b6b6b6b6b6b6b6b

Which is here:
static int
tap_flow_destroy_pmd(struct pmd_internals *pmd,
		     struct rte_flow *flow,
		     struct rte_flow_error *error)
{
	struct rte_flow *remote_flow = flow->remote_flow;
...
	if (remote_flow) {
		remote_flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

Simplest fix is to use rte_zmalloc() so remote_flow and other fields
are always set at zero.

Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Reviewed-by: Ferruh Yigit <ferruh.yigit at intel.com>
---
 drivers/net/tap/tap_flow.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/tap/tap_flow.c b/drivers/net/tap/tap_flow.c
index 9d90361d99..1538349e9c 100644
--- a/drivers/net/tap/tap_flow.c
+++ b/drivers/net/tap/tap_flow.c
@@ -1380,7 +1380,7 @@ tap_flow_create(struct rte_eth_dev *dev,
 			NULL, "priority value too big");
 		goto fail;
 	}
-	flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+	flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 	if (!flow) {
 		rte_flow_error_set(error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				   NULL, "cannot allocate memory for rte_flow");
@@ -1416,7 +1416,7 @@ tap_flow_create(struct rte_eth_dev *dev,
 	 * to the local pmd->if_index.
 	 */
 	if (pmd->remote_if_index) {
-		remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+		remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 		if (!remote_flow) {
 			rte_flow_error_set(
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL,
@@ -1693,7 +1693,7 @@ int tap_flow_implicit_create(struct pmd_internals *pmd,
 		}
 	};
 
-	remote_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+	remote_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 	if (!remote_flow) {
 		TAP_LOG(ERR, "Cannot allocate memory for rte_flow");
 		goto fail;
@@ -1896,7 +1896,7 @@ static int rss_enable(struct pmd_internals *pmd,
 			return -ENOTSUP;
 		}
 
-		rss_flow = rte_malloc(__func__, sizeof(struct rte_flow), 0);
+		rss_flow = rte_zmalloc(__func__, sizeof(struct rte_flow), 0);
 		if (!rss_flow) {
 			TAP_LOG(ERR,
 				"Cannot allocate memory for rte_flow");
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-05-19 14:04:52.397843905 +0100
+++ 0192-net-tap-fix-crash-in-flow-destroy.patch	2020-05-19 14:04:44.544654318 +0100
@@ -1,8 +1,10 @@
-From 8451387df206f5ad34461280ab6a2e5bfe382b9b Mon Sep 17 00:00:00 2001
+From 2befb2f470b5141bead91c26d1220304b0667385 Mon Sep 17 00:00:00 2001
 From: Stephen Hemminger <stephen at networkplumber.org>
 Date: Mon, 27 Apr 2020 14:39:26 -0700
 Subject: [PATCH] net/tap: fix crash in flow destroy
 
+[ upstream commit 8451387df206f5ad34461280ab6a2e5bfe382b9b ]
+
 The TAP driver does not initialize all the elements of the rte_flow
 structure. This can lead to crash in rte_flow_destroy.
 
@@ -28,7 +30,6 @@
 are always set at zero.
 
 Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")
-Cc: stable at dpdk.org
 
 Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
 Reviewed-by: Ferruh Yigit <ferruh.yigit at intel.com>

Previous message: [dpdk-stable] patch 'net/ice: fix crash in switch filter' has been queued to stable release 19.11.3
Next message: [dpdk-stable] patch 'net/bnxt: fix number of TQM ring' has been queued to stable release 19.11.3
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list