From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (unknown [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 361C6460A4; Thu, 16 Jan 2025 23:52:31 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id CD1FC410E7; Thu, 16 Jan 2025 23:51:59 +0100 (CET) Received: from mail-ej1-f99.google.com (mail-ej1-f99.google.com [209.85.218.99]) by mails.dpdk.org (Postfix) with ESMTP id 9D2D9410D2 for ; Thu, 16 Jan 2025 23:51:58 +0100 (CET) Received: by mail-ej1-f99.google.com with SMTP id a640c23a62f3a-ab2aea81cd8so250933566b.2 for ; Thu, 16 Jan 2025 14:51:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; t=1737067918; x=1737672718; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/n2fLuTtbT4OjeQzAmtX52s/dppE3x4lTnbeqj/XXCQ=; b=aGTCJhKTAeeajKBQRrSPs5JSxINe5b/KoO3DAExGpIJqUxbqZFKXRZ1LEYHTFP0H26 I4EzgvQSBMPlEb9THGK0i1G0MQtIZBV0xrNIbFRuLeGEh6nKE5MQtWdiRk8tF+LK0fW+ yRKtYiLP3bA6FGIAFWfFaoqeE9H+g16AWdP4I4GlaOtfytS8TeLaeog2v7XqSynUF3xU gQvHz5ERjIFaoKGCSod4zP0l7GmT15kn1U5EpaG+BTC3m4/h/2kQyQZ8FPZY6j8ma73V 2MrxeyeJg07Kp//1btTJFl3zxgsGSNOC9cV+MCkyNTGbHYgrtv+3U583Ud++sBc5fCF6 IRwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737067918; x=1737672718; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/n2fLuTtbT4OjeQzAmtX52s/dppE3x4lTnbeqj/XXCQ=; b=PQerFVDXWor20OVNy6WXmZVzz69jzKcsXHgVYY8tjnIOAMj3vGXTFP3WqcMfiIyNRH dt7GmS5fbU52tk6JmiWoiAUiKz11okL6V3cEHYz8Wz0u9y1Z9XnFJV8j75XHmeyD78Fl tIoKB7wD8tApZ5V+OMqLlW5gTUgXChpdp9pmYztPcloO/tRCJ3Ie6UYFgM5nkRHZjTtH hYm/Q1Rr2YndFMWNkb22esPOQWexPj5jYtGHhg2AUPl39I5YGr87WPAyvSuDJXHx/8r5 +ZZ3CAJbV3Jz4BknsBZoJX9QEkgfnOH+n0jmbGScw1W3bicI7YFGsm/IBvdDOK7LDWVG 2eOA== X-Gm-Message-State: AOJu0Yw+uVGSScW1ZpbUBTi3Q4tJHxHROK8IvAwKoYgmcbCiw2PnOvzj pg5vlO5K54CXx3eLKqNiB+Ti3xSzZL33RGiMjW03mIddRd2IgZatJlOgzagSnMfvkiWSlSdoAgi f5NfE6jROnbLgF98r6vmxurpyFBwRyUr8YNB7pzwt X-Gm-Gg: ASbGnctIcJ/mgZFp9paH/ZxVjbrYKMCPeSTIWZFWbIisSuPN6tIzQwT9Ig0dgQUgku1 cjcUtMw915JwTLavuDdf7v7iFkRtPhUALrHEuBGyiSrZZCvTz87VDT9Fl1LmMiuNM48SAfR1zAU 72AHkG983bmAYhJHPxL+/aNT+viA7rbNcAwL6JcmoTYUgHtVAcwzU6MTc+4anbrhrmJ8NXIxv9z cOanp4W9zGEzE9GixraWWjO4oaoAmq+7sTOmML1I/X5+p5F+67ZkCTuIslGmTU2Crpt1jpNypBO HItDNzVyP3q0FGlUkZK0Ya8MfQ== X-Google-Smtp-Source: AGHT+IHjCxzm4yVnwJyEY/UkBc5vkOBP1V8hIs9lCtUlJ/EKCCyLkbSNwdNkmfOF+wB0aGG7Z30cacB3A5Pk X-Received: by 2002:a17:907:7291:b0:aaf:3f57:9d2e with SMTP id a640c23a62f3a-ab38ad88887mr50724066b.0.1737067918271; Thu, 16 Jan 2025 14:51:58 -0800 (PST) Received: from smtpservice.6wind.com ([185.13.181.2]) by smtp-relay.gmail.com with ESMTP id a640c23a62f3a-ab385263558sm2301166b.167.2025.01.16.14.51.58; Thu, 16 Jan 2025 14:51:58 -0800 (PST) X-Relaying-Domain: 6wind.com Received: from localhost (rainbow.dev.6wind.com [10.17.1.165]) by smtpservice.6wind.com (Postfix) with ESMTP id 1F22411D48; Thu, 16 Jan 2025 23:51:58 +0100 (CET) From: Ariel Otilibili To: dev@dpdk.org Cc: stable@dpdk.org, Stephen Hemminger , Thomas Monjalon , David Marchand , Ariel Otilibili , Ciara Loftus , Maryam Tahhan Subject: [PATCH v2 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc() Date: Thu, 16 Jan 2025 23:51:50 +0100 Message-Id: <20250116225151.188214-2-ariel.otilibili@6wind.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250116225151.188214-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> <20250116225151.188214-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org tx_bytes is computed after both legs are tested. This might produce a use after memory free. The computation is now moved into each leg. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili --- drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 814398ba4b44..4326a29f7042 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += mbuf->pkt_len; count++; } else { struct rte_mbuf *local_mbuf = @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += mbuf->pkt_len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.30.2