iflib: fix invalid free during queue allocation failure
ClosedPublic
Actions

Authored by jacob.e.keller_intel.com on May 3 2018, 9:26 PM.

Details

Reviewers

kmacy
gallatin
scottl
shurd
sbruno
cem

Commits

rS333254: iflib: fix invalid free during queue allocation failure

Summary

In commit 2b749a1b9244 ("iflib: Improve cleanup on iflib_queues_alloc
error path", 2016-06-07, github mirror) code was added to cleanup and
prevent memory leaks for the Tx and Rx ring structs. This code carefully
tracked txq and rxq, and made sure to free them properly during cleanup.

Because we assigned the txq and rxq pointers into the ctx->ifc_txqs and
ctx->ifc_rxqs, we carefully reset these pointers to NULL, so that
cleanup code would not accidentally free the memory twice.

This was changed by commit 181dc4875be6 ("Update iflib to support more
NIC designs", 2016-08-12, github mirror), which removed this resetting
of the pointers to NULL, because it re-used the txq and rxq pointers as
an index into the queue set array.

Unfortunately, the cleanup code was left alone. Thus, if we fail to
allocate DMA or fail to configure the queues using the drivers ifdi
methods, we will attempt to free txq and rxq. These variables would now
incorrectly point to the wrong location, resulting in a page fault.

There are a number of methods to correct this, but ultimately the root
cause was that we reuse the txq and rxq pointers for two different
purposes.

Instead, when allocating, store the returned pointer directly into
ctx->ifc_txqs and ctx->ifc_rxqs directly. Then, assign this to txq and
rxq as index pointers before starting the loop to allocate each queue.
Drop the cleanup code for txq and rxq, and only use ctx->ifc_txqs and
ctx->ifc_rxqs.

Thus, we no longer need to free txq or rxq under any error flow, and
intsead rely solely on the pointers stored in ctx->ifc_txqs and
ctx->ifc_rxqs. This prevents the invalid free(), and ensures that we
still properly cleanup after ourselves as before when failing to
allocate.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jacob.e.keller_intel.com created this revision.May 3 2018, 9:26 PM

Herald added a subscriber: ae. · View Herald TranscriptMay 3 2018, 9:26 PM

Harbormaster completed remote builds in B16416: Diff 42106.May 3 2018, 9:26 PM

I've got a copy of the github mirror and wasnt sure how to convert the git commits back to SVN revisions, so I referenced the git commits where this was broken in my summary.

I found this while developing a new iflib driver.

erj added a subscriber: erj.May 3 2018, 9:40 PM

jacob.e.keller_intel.com added a parent revision: D15284: iflib: remove unused brscp pointer from iflib_queues_alloc.May 3 2018, 9:43 PM

Seems fair to me. Your debugging seems to indicate you've traversed the right paths to come to this conclusion.

This revision is now accepted and ready to land.May 3 2018, 11:19 PM

gallatin accepted this revision.May 4 2018, 12:35 PM

Closed by commit rS333254: iflib: fix invalid free during queue allocation failure (authored by shurd). · Explain WhyMay 4 2018, 3:20 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: imp. · View Herald TranscriptMay 4 2018, 3:20 PM

Can we MFC this to stable/11? I originally found the bug on my FreeBSD 11.1 system.