Bug 189 - RTE Timer Adapter Use After Free
Summary: RTE Timer Adapter Use After Free
Status: CONFIRMED
Alias: None
Product: DPDK
Classification: Unclassified
Component: eventdev (show other bugs)
Version: 19.02
Hardware: All All
: Normal normal
Target Milestone: ---
Assignee: Jerin
URL:
Depends on:
Blocks:
 
Reported: 2019-01-15 12:27 CET by Mattias Rönnblom
Modified: 2019-07-31 06:10 CEST (History)
2 users (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Mattias Rönnblom 2019-01-15 12:27:56 CET 
Upon event timer expiry, the timer adapter will cause the timer struct to be used after its freed.

rte_event_timer_adapter.c:sw_event_timer_cb() calls rte_mempool_put(), returning the internal timer-related data, including a rte_timer instance, to the pool.

rte_timer_manage() updates fields of the rte_timer struct *after* the expiry call back has finished.

Timers armed on a different core may retrieve this timer struct from the pool, resulting in a data race.
Comment 1 Ajit Khaparde 2019-01-18 01:23:41 CET 
Jerin, since the component says eventdev - can you take a look at this? Thanks
Note You need to log in before you can comment on or make changes to this bug.