From patchwork Mon Dec 7 17:33:50 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zoltan Kiss X-Patchwork-Id: 57811 Delivered-To: patch@linaro.org Received: by 10.112.147.194 with SMTP id tm2csp1292441lbb; Mon, 7 Dec 2015 09:34:14 -0800 (PST) X-Received: by 10.140.94.201 with SMTP id g67mr38328270qge.43.1449509654671; Mon, 07 Dec 2015 09:34:14 -0800 (PST) Return-Path: Received: from lists.linaro.org (lists.linaro.org. [54.225.227.206]) by mx.google.com with ESMTP id v17si20027885qhb.37.2015.12.07.09.34.14; Mon, 07 Dec 2015 09:34:14 -0800 (PST) Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.225.227.206 as permitted sender) client-ip=54.225.227.206; Authentication-Results: mx.google.com; spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.225.227.206 as permitted sender) smtp.mailfrom=lng-odp-bounces@lists.linaro.org; dkim=neutral (body hash did not verify) header.i=@linaro-org.20150623.gappssmtp.com Received: by lists.linaro.org (Postfix, from userid 109) id 042A261BB3; Mon, 7 Dec 2015 17:34:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on ip-10-142-244-252 X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, T_DKIM_INVALID, URIBL_BLOCKED autolearn=disabled version=3.4.0 Received: from [127.0.0.1] (localhost [127.0.0.1]) by lists.linaro.org (Postfix) with ESMTP id 337FD61971; Mon, 7 Dec 2015 17:34:10 +0000 (UTC) X-Original-To: lng-odp@lists.linaro.org Delivered-To: lng-odp@lists.linaro.org Received: by lists.linaro.org (Postfix, from userid 109) id BB40161975; Mon, 7 Dec 2015 17:34:08 +0000 (UTC) Received: from mail-wm0-f46.google.com (mail-wm0-f46.google.com [74.125.82.46]) by lists.linaro.org (Postfix) with ESMTPS id C7814618F0 for ; Mon, 7 Dec 2015 17:34:07 +0000 (UTC) Received: by wmvv187 with SMTP id v187so177752076wmv.1 for ; Mon, 07 Dec 2015 09:34:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=zL+vw1QcT3uzMk9U474a8K1+jykTJueq2dHI0ThnaZg=; b=CjuOm6iSb3OgbU2ZitzJtDZQFDsOqyTgllDTwm4RGCi5UQCgs+rzVqp6/WGu3M73lT xU78PxP97hT0f3cdTTfi9NGaIZhhOBfKtFCGZSLjoGGUJRNTXe1T3LSJHKabBjkDczPW 66tWYUwZVGfqvUtsxYh/nmb5qE7mKjzgOCGNfbeiVb3Q0Lncpi8HAu2sJLIlMdyDT6aR Pl91RFcCoPStoDTR/qJeu0c2Fbfga8TDyw0jqjEEeUHRiHlb6TfDjU6y60HdQ9jnL8lz x8+VPAuvo2CsZXK7VKOnuNLnfnAkmQ34tUiv1/BOPVtttOd2EVnCL0GcA1uPR6/PMGuG Gp/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=zL+vw1QcT3uzMk9U474a8K1+jykTJueq2dHI0ThnaZg=; b=CGsBY8RBe5saXoc94HXS5T1YynUMxw5vTE987bXQ/WqfOaSXfSbMooOdShMmxcHm24 6MA1y205/E/wcogxhoIjyYvARqBfbeYmF7GRdZMb+u41utYv6xoGwmRqwOhmFsMMgfXL kY2bqA+pyuMbdKuPW5+kyFSgemUQ5P1phBxT1fWyWmtSowJY3asvY5uU+n6R6dMEmQtk REp3O1B9qfoEeHnwmXeN1/MmWyKWkq1mBpDGvoToR/iRdPRA8+3FyjAESu+HT1nRbdHc +nPdoRgjp6/nmA42jM203uRWdnO8GqSeo5oBfNcbe743MNG3FYCZLiNXpd3ECQRZQFdt WqtA== X-Gm-Message-State: ALoCoQndVp6PaQw1hjDJIeV9qTpsbycL6t4rRb7XtkukpeiQrJokD2k0z0djOuTPjqTZsnaZ0A6KSBOEq9bSjYgLSEF7U94LDw== X-Received: by 10.28.147.203 with SMTP id v194mr21633643wmd.16.1449509646980; Mon, 07 Dec 2015 09:34:06 -0800 (PST) Received: from localhost.localdomain ([195.11.233.227]) by smtp.googlemail.com with ESMTPSA id m67sm17654670wmf.16.2015.12.07.09.34.05 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 07 Dec 2015 09:34:05 -0800 (PST) From: Zoltan Kiss To: lng-odp@lists.linaro.org Date: Mon, 7 Dec 2015 17:33:50 +0000 Message-Id: <1449509630-30932-1-git-send-email-zoltan.kiss@linaro.org> X-Mailer: git-send-email 1.9.1 X-Topics: patch Subject: [lng-odp] [PATCH] queue: fix memory corruption in reorder_enq() X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" reorder_prev is set to the address of the pointer origin_qe->s.reorder_head, which is wrong. If the linked list was empty, that won't be corrected, and reorder_prev->next points to the adjacent queue entry's status field. If that entry is used, that queue's metadata will be corrupted. This was found by running the chaos scheduler test with ODP-DPDK. Signed-off-by: Zoltan Kiss Reviewed-by: Bill Fischofer diff --git a/platform/linux-generic/include/odp_queue_internal.h b/platform/linux-generic/include/odp_queue_internal.h index a70044b..1cc0ed2 100644 --- a/platform/linux-generic/include/odp_queue_internal.h +++ b/platform/linux-generic/include/odp_queue_internal.h @@ -212,8 +212,7 @@ static inline void reorder_enq(queue_entry_t *queue, int sustain) { odp_buffer_hdr_t *reorder_buf = origin_qe->s.reorder_head; - odp_buffer_hdr_t *reorder_prev = - (odp_buffer_hdr_t *)(void *)&origin_qe->s.reorder_head; + odp_buffer_hdr_t *reorder_prev = NULL; while (reorder_buf && order >= reorder_buf->order) { reorder_prev = reorder_buf; @@ -221,7 +220,12 @@ static inline void reorder_enq(queue_entry_t *queue, } buf_hdr->next = reorder_buf; - reorder_prev->next = buf_hdr; + + if (reorder_prev) + reorder_prev->next = buf_hdr; + else + origin_qe->s.reorder_head = buf_hdr; + if (!reorder_buf) origin_qe->s.reorder_tail = buf_hdr;