From patchwork Fri Jul 30 18:17:03 2021
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 96475
X-Patchwork-Delegate: gakhil@marvell.com
From: Akhil Goyal
Date: Fri, 30 Jul 2021 23:47:03 +0530
Message-ID: <20210730181703.529468-1-gakhil@marvell.com>
Subject: [dpdk-dev] [PATCH] crypto/octeontx: fix heap use after free

When the PMD is removed, rte_cryptodev_pmd_release_device is called
which frees cryptodev->data, and then tries to free
cryptodev->data->dev_private, which causes the heap use after free issue.

A temporary pointer is set before the free of cryptodev->data,
which can then be used afterwards to free dev_private.

Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
Cc: stable@dpdk.org

Reported-by: ZhihongX Peng
Signed-off-by: Akhil Goyal
---
 drivers/crypto/octeontx/otx_cryptodev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c index 7207909abb..3822c0d779 100644 --- a/drivers/crypto/octeontx/otx_cryptodev.c +++ b/drivers/crypto/octeontx/otx_cryptodev.c
@@ -75,6 +75,7 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) { struct rte_cryptodev *cryptodev; char name[RTE_CRYPTODEV_NAME_MAX_LEN]; + void *dev_priv; if (pci_dev == NULL) return -EINVAL; @@ -88,11 +89,13 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) if (pci_dev->driver == NULL) return -ENODEV; + dev_priv = cryptodev->data->dev_private; + /* free crypto device */ rte_cryptodev_pmd_release_device(cryptodev); if (rte_eal_process_type() == RTE_PROC_PRIMARY) - rte_free(cryptodev->data->dev_private); + rte_free(dev_priv); cryptodev->device->driver = NULL; cryptodev->device = NULL;
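
Review bot: In the second hunk (@@ -88,11 +89,13 @@), nothing at the new "dev_priv = cryptodev->data->dev_private;" line says that it has to stay above rte_cryptodev_pmd_release_device(cryptodev), so a later cleanup could move the read back below the release and reintroduce the use after free. A short comment on that assignment, stating that the release call frees cryptodev->data and the private pointer must be saved first, would pin the ordering. The unchanged lines that close the hunk, "cryptodev->device->driver = NULL;" and "cryptodev->device = NULL;", still write through cryptodev after the release call. Please confirm that the release frees only cryptodev->data, as the commit message describes, and leaves the cryptodev structure itself valid; if it does not, those two assignments need to move above the release as well.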