From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (unknown [217.70.189.124])
by inbox.dpdk.org (Postfix) with ESMTP id 361C6460A4;
Thu, 16 Jan 2025 23:52:31 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
by mails.dpdk.org (Postfix) with ESMTP id CD1FC410E7;
Thu, 16 Jan 2025 23:51:59 +0100 (CET)
Received: from mail-ej1-f99.google.com (mail-ej1-f99.google.com
[209.85.218.99]) by mails.dpdk.org (Postfix) with ESMTP id 9D2D9410D2
for <dev@dpdk.org>; Thu, 16 Jan 2025 23:51:58 +0100 (CET)
Received: by mail-ej1-f99.google.com with SMTP id
a640c23a62f3a-ab2aea81cd8so250933566b.2
for <dev@dpdk.org>; Thu, 16 Jan 2025 14:51:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=6wind.com; s=google; t=1737067918; x=1737672718; darn=dpdk.org;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=/n2fLuTtbT4OjeQzAmtX52s/dppE3x4lTnbeqj/XXCQ=;
b=aGTCJhKTAeeajKBQRrSPs5JSxINe5b/KoO3DAExGpIJqUxbqZFKXRZ1LEYHTFP0H26
I4EzgvQSBMPlEb9THGK0i1G0MQtIZBV0xrNIbFRuLeGEh6nKE5MQtWdiRk8tF+LK0fW+
yRKtYiLP3bA6FGIAFWfFaoqeE9H+g16AWdP4I4GlaOtfytS8TeLaeog2v7XqSynUF3xU
gQvHz5ERjIFaoKGCSod4zP0l7GmT15kn1U5EpaG+BTC3m4/h/2kQyQZ8FPZY6j8ma73V
2MrxeyeJg07Kp//1btTJFl3zxgsGSNOC9cV+MCkyNTGbHYgrtv+3U583Ud++sBc5fCF6
IRwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1737067918; x=1737672718;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=/n2fLuTtbT4OjeQzAmtX52s/dppE3x4lTnbeqj/XXCQ=;
b=PQerFVDXWor20OVNy6WXmZVzz69jzKcsXHgVYY8tjnIOAMj3vGXTFP3WqcMfiIyNRH
dt7GmS5fbU52tk6JmiWoiAUiKz11okL6V3cEHYz8Wz0u9y1Z9XnFJV8j75XHmeyD78Fl
tIoKB7wD8tApZ5V+OMqLlW5gTUgXChpdp9pmYztPcloO/tRCJ3Ie6UYFgM5nkRHZjTtH
hYm/Q1Rr2YndFMWNkb22esPOQWexPj5jYtGHhg2AUPl39I5YGr87WPAyvSuDJXHx/8r5
+ZZ3CAJbV3Jz4BknsBZoJX9QEkgfnOH+n0jmbGScw1W3bicI7YFGsm/IBvdDOK7LDWVG
2eOA==
X-Gm-Message-State: AOJu0Yw+uVGSScW1ZpbUBTi3Q4tJHxHROK8IvAwKoYgmcbCiw2PnOvzj
pg5vlO5K54CXx3eLKqNiB+Ti3xSzZL33RGiMjW03mIddRd2IgZatJlOgzagSnMfvkiWSlSdoAgi
f5NfE6jROnbLgF98r6vmxurpyFBwRyUr8YNB7pzwt
X-Gm-Gg: ASbGnctIcJ/mgZFp9paH/ZxVjbrYKMCPeSTIWZFWbIisSuPN6tIzQwT9Ig0dgQUgku1
cjcUtMw915JwTLavuDdf7v7iFkRtPhUALrHEuBGyiSrZZCvTz87VDT9Fl1LmMiuNM48SAfR1zAU
72AHkG983bmAYhJHPxL+/aNT+viA7rbNcAwL6JcmoTYUgHtVAcwzU6MTc+4anbrhrmJ8NXIxv9z
cOanp4W9zGEzE9GixraWWjO4oaoAmq+7sTOmML1I/X5+p5F+67ZkCTuIslGmTU2Crpt1jpNypBO
HItDNzVyP3q0FGlUkZK0Ya8MfQ==
X-Google-Smtp-Source: AGHT+IHjCxzm4yVnwJyEY/UkBc5vkOBP1V8hIs9lCtUlJ/EKCCyLkbSNwdNkmfOF+wB0aGG7Z30cacB3A5Pk
X-Received: by 2002:a17:907:7291:b0:aaf:3f57:9d2e with SMTP id
a640c23a62f3a-ab38ad88887mr50724066b.0.1737067918271;
Thu, 16 Jan 2025 14:51:58 -0800 (PST)
Received: from smtpservice.6wind.com ([185.13.181.2])
by smtp-relay.gmail.com with ESMTP id
a640c23a62f3a-ab385263558sm2301166b.167.2025.01.16.14.51.58;
Thu, 16 Jan 2025 14:51:58 -0800 (PST)
X-Relaying-Domain: 6wind.com
Received: from localhost (rainbow.dev.6wind.com [10.17.1.165])
by smtpservice.6wind.com (Postfix) with ESMTP id 1F22411D48;
Thu, 16 Jan 2025 23:51:58 +0100 (CET)
From: Ariel Otilibili <ariel.otilibili@6wind.com>
To: dev@dpdk.org
Cc: stable@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
Thomas Monjalon <thomas@monjalon.net>,
David Marchand <david.marchand@redhat.com>,
Ariel Otilibili <ariel.otilibili@6wind.com>,
Ciara Loftus <ciara.loftus@intel.com>, Maryam Tahhan <mtahhan@redhat.com>
Subject: [PATCH v2 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc()
Date: Thu, 16 Jan 2025 23:51:50 +0100
Message-Id: <20250116225151.188214-2-ariel.otilibili@6wind.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250116225151.188214-1-ariel.otilibili@6wind.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
<20250116225151.188214-1-ariel.otilibili@6wind.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
<mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
tx_bytes is computed after both legs are tested. This might
produce a use after memory free.
The computation is now moved into each leg.
Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
---
drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 814398ba4b44..4326a29f7042 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
umem->mb_pool->header_size;
offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
desc->addr = addr | offset;
+ tx_bytes += mbuf->pkt_len;
count++;
} else {
struct rte_mbuf *local_mbuf =
@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
desc->addr = addr | offset;
rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
desc->len);
+ tx_bytes += mbuf->pkt_len;
rte_pktmbuf_free(mbuf);
count++;
}
-
- tx_bytes += mbuf->pkt_len;
}
out:
--
2.30.2