Bug 189

Summary: RTE Timer Adapter Use After Free
Product: DPDK Reporter: Mattias Rönnblom (mattias.ronnblom)
Component: eventdevAssignee: Jerin (jerinjacobk)
Status: CONFIRMED ---    
Severity: normal CC: ajit.khaparde, jerinjacobk
Priority: Normal    
Version: 19.02   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Mattias Rönnblom 2019-01-15 12:27:56 CET 
Upon event timer expiry, the timer adapter will cause the timer struct to be used after its freed.

rte_event_timer_adapter.c:sw_event_timer_cb() calls rte_mempool_put(), returning the internal timer-related data, including a rte_timer instance, to the pool.

rte_timer_manage() updates fields of the rte_timer struct *after* the expiry call back has finished.

Timers armed on a different core may retrieve this timer struct from the pool, resulting in a data race.
Comment 1 Ajit Khaparde 2019-01-18 01:23:41 CET 
Jerin, since the component says eventdev - can you take a look at this? Thanks