From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (unknown [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BD11E46054; Thu, 16 Jan 2025 20:57:24 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id D535240E35; Thu, 16 Jan 2025 20:56:55 +0100 (CET) Received: from mail-ej1-f98.google.com (mail-ej1-f98.google.com [209.85.218.98]) by mails.dpdk.org (Postfix) with ESMTP id A96F540E2A for ; Thu, 16 Jan 2025 20:56:53 +0100 (CET) Received: by mail-ej1-f98.google.com with SMTP id a640c23a62f3a-aafc9d75f8bso232638066b.2 for ; Thu, 16 Jan 2025 11:56:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; t=1737057413; x=1737662213; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=LODOdMgykO+JdnQSIOiFbN0zFxrhoevkVTT9PrriXaw=; b=i/ynusjBO4XOb0l5UAF5t5HvTZAJNmkZP9yss/vwyhAP1cRtQvBbz2Qxefa5hJSvGf s6+Y6k9B3ySplGgILgvqUmqlpHehYM0JGBhcJrKp2p6dl5j/tRxqY8m8SLld1UD1i+kV ii6tmZY5LLIRERMBGo3mDHTba0frzqY1pB04myuNe8youaRiojUw3f6yoPUCmY+oUKkU eBAc59XYaRw0FqnbgqS1aXz1Z8rrDZBiITlAUIiMGXphfJJcnAcGtQmqjVH97y7lp53U l4jDf+a7giIn+OBMKVHf6XTrgBXQuAzclk+cy2A+twMiUqWg/fI7tGRQk26ymwthHgX5 GhFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737057413; x=1737662213; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LODOdMgykO+JdnQSIOiFbN0zFxrhoevkVTT9PrriXaw=; b=iLgUKpFuJ+3l93nudn3LLOhzx3etlSoozVHR3/026L9Uh1Bikf9/HNE8FEh/NMhDRt C6/b7jEkLFXkjywnJvCaeZCv7O4Hws//8XHktRy6QqQpVlM6pin0s+cmyzo7vn9+e/64 c40Gctw+Urs2nN7FOGs9xivMSekdqJbYvdwtNIuBz6DyyAj9dQqlioxgRYL8C4QTocr7 9/KAZ/HHcDFmSgQCv3u/KR4ZpWXLds0gW/Oi0LphyfiRqg2TSxNeHJg94vWpEAI3jM9M mrYiQnfHmHU8JgjUf/9ZPpGhWmdxMTKpE0pkyV/PFz5mG5BXlSCg+qUqxEIqsEGx3LJM T+ag== X-Gm-Message-State: AOJu0YxPxDcLu2Y3fKMJS5ncOYaatGsUpZBlZ6S0aCNZm4XwZHUZgLz5 t6jzy5FHTQT7gBT7TQSymi4Bu/QIikjy0OpCjgCNoAZjjjKDmUq/H7ZG4T0wX5leVNaWOz1CGIk FDEP0/spUYVWF/GcUwqTrf9xAfG3N6VWpSj1a53iG X-Gm-Gg: ASbGncugndtJR+jB0dKhXT+wkHBttUlTdhjU8dAxLnspgOTZT5v5jLVUvaIRY2jEIOz j/4AKkJKXZlCfWRmPr8XQwG5auDIRFQ+7L0jmXho7B31EVh3zFtPP4hyTsLKMbhQSpfyK6nJTb9 mnHzW0N1dCUGW9i/FZQ6NQXn85ELEOaYC1Uho62KgnbTjMXr9datwYUzpKOSLa1bJLYfai8SaMk z2OtHSRky72i2JlB2E5zzN0lEox2Xnu4eID6Vn+kx6e5EjjzJQ1GRk4zjWMTbz+auph5gtdewwI 4a+qcJ/Ku8rihMjVV+5tOG6b7A== X-Google-Smtp-Source: AGHT+IHWWPoKkH9GeqFX3MGKSTCqEXYOnfXWp098O70VcK03IBEFH5ueZGOTYCKStDH2SpbD+VyJ1sYLk8Te X-Received: by 2002:a17:907:7205:b0:ab3:88a0:b71d with SMTP id a640c23a62f3a-ab38b2e734fmr9859366b.34.1737057413277; Thu, 16 Jan 2025 11:56:53 -0800 (PST) Received: from smtpservice.6wind.com ([185.13.181.2]) by smtp-relay.gmail.com with ESMTP id a640c23a62f3a-ab3852d4e78sm1153866b.243.2025.01.16.11.56.53; Thu, 16 Jan 2025 11:56:53 -0800 (PST) X-Relaying-Domain: 6wind.com Received: from localhost (rainbow.dev.6wind.com [10.17.1.165]) by smtpservice.6wind.com (Postfix) with ESMTP id 25F5111C78; Thu, 16 Jan 2025 20:56:53 +0100 (CET) From: Ariel Otilibili To: dev@dpdk.org Cc: stable@dpdk.org, Stephen Hemminger , Thomas Monjalon , David Marchand , Ariel Otilibili , Ciara Loftus , Maryam Tahhan Subject: [PATCH 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc() Date: Thu, 16 Jan 2025 20:56:38 +0100 Message-Id: <20250116195640.68885-2-ariel.otilibili@6wind.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250116195640.68885-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org tx_bytes is computed after both branches are tested. This might produce a use after memory free. The computation is now moved into both branches. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili --- drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 814398ba4b44..4326a29f7042 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += mbuf->pkt_len; count++; } else { struct rte_mbuf *local_mbuf = @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += mbuf->pkt_len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.30.2