From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id BC07D460C4;
	Mon, 20 Jan 2025 15:54:37 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 8E5A640ED3;
	Mon, 20 Jan 2025 15:54:37 +0100 (CET)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id 0741940A77
 for <dev@dpdk.org>; Mon, 20 Jan 2025 15:54:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1737384875;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=WZYTrIWd1PcFx+R2a36Y2Fj6v2L9zIFQxpJ5qLmLbjg=;
 b=BRwjqAU53s239XhDZKs9tVlI/zaSqBSgja67coYtFcpeTlZzdmES2ngDs6fg0q3V/UrnQG
 jHcZu8Rqcy3gktzSVbas/31Co7qOahO+/L2Y+c7Rzs4FPRjRt8X2B43HclJVWaU00Khllq
 mBpeimpZZNw+dLklYKRk17vHZgUD4Zs=
Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com
 [209.85.128.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-80-3WbK9BEWN-OGGopWrMwC1w-1; Mon, 20 Jan 2025 09:54:34 -0500
X-MC-Unique: 3WbK9BEWN-OGGopWrMwC1w-1
X-Mimecast-MFC-AGG-ID: 3WbK9BEWN-OGGopWrMwC1w
Received: by mail-wm1-f72.google.com with SMTP id
 5b1f17b1804b1-43621907030so36186265e9.1
 for <dev@dpdk.org>; Mon, 20 Jan 2025 06:54:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1737384873; x=1737989673;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:cc:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=WZYTrIWd1PcFx+R2a36Y2Fj6v2L9zIFQxpJ5qLmLbjg=;
 b=dx8LtBPjXhVpiKeTtAJ6dmC4ZbkLTGDGqd3zBTWJglvoLHYr4tMoo5lJX7BHCdpzPm
 xBIHfQRRTsPgVIqVBRkSVZT12uHYozQaRkv1w1a0Lun5ZsOeaiPFBJxD12MDCLXf2nV3
 egwVxiunG8kSRnHN3JUUn1mRKnSl8U/ckevp3R2+jjgUIIIx9Kyt4w1O+DFQiE8S3HTm
 rnMsQi4skvzcKA3MsZTI29f2SFuA7SPokwLv8X4e3Yty1xBnJRnL03aLC3GGCirYTnk5
 JMMB1m571eYgPkLibDd7C3MzWywLPLwK2t9MHCtIzFs0I0lEu7s2w2VDGCFtBEFwh+RJ
 h8sQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCVmMKIlLaZ2f0NHCIaHJX09ZUcd7Rk7cGdAUC8F1vL8zplk2twDwXZkznF5hr9hxJZCe9U=@dpdk.org
X-Gm-Message-State: AOJu0YwCPjPRUtY6OxG2HukXUatGu1ZEfHWAZN8fUNg9lkawOGZjwYBw
 I7gnag0h7HOvn6olDk2kGU28iGcO0eOkH0tdLzm8XqILR3yzHaPme3iV0Yvf9pYZv5TgH/wTg3M
 Fuv1b6nyH+qXwrBjINbK1ngWrDAxWIoWl2iAwNg5W
X-Gm-Gg: ASbGncs6Y3EVA/8duChynvxPQL1VadwRcRIN1c5tzHtFQoRGFMBP8kUBH3T24fuqlbR
 LZGg1WopxV8DWXg7CJyVXUq5Nx5gr4Bx4VUt9YiLLgowfp+aduQZOx7GF7tLcGIvxpn6opCkvAE
 AIUzmr2YbDYaFpZegiCMZ/xTxgFe5LzIR8lfILQ2JPaK7MNpXqK96Bw0WjJ8LMvR+Yc9rI4U9Pc
 oAAHd+RxTzOsw0GGfJvqHDsPA0GcaD+fbxjM3d9HCuLQBcAcQHlmwMo+YRvyNlqUtz/bX3EbP5/
 tnS+MSOTrHKO6ZzHCn7WSZhe4pgT/2ZfSAtWsf0xsTg7ylDqTOcaVLClL6q1311zMQ==
X-Received: by 2002:a05:600c:3548:b0:434:a1d3:a321 with SMTP id
 5b1f17b1804b1-438913c6150mr123570585e9.3.1737384873003; 
 Mon, 20 Jan 2025 06:54:33 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHfsBzFE4W7NnXWBfYxXky5g7l5GPqtK3DZTx/0HKO+bojXSLvyNH2N8fDT0XDM9O4RAjnd+A==
X-Received: by 2002:a05:600c:3548:b0:434:a1d3:a321 with SMTP id
 5b1f17b1804b1-438913c6150mr123570315e9.3.1737384872588; 
 Mon, 20 Jan 2025 06:54:32 -0800 (PST)
Received: from ?IPV6:2a06:5900:c00c:9000:45fa:7c02:baca:2de9?
 ([2a06:5900:c00c:9000:45fa:7c02:baca:2de9])
 by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4389046226asm140694985e9.31.2025.01.20.06.54.31
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 20 Jan 2025 06:54:32 -0800 (PST)
Message-ID: <30d650e7-4f7a-4cd1-92d2-02b049f3889e@redhat.com>
Date: Mon, 20 Jan 2025 14:54:31 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v2 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc()
To: Ariel Otilibili <ariel.otilibili@6wind.com>, dev@dpdk.org
Cc: stable@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
 Thomas Monjalon <thomas@monjalon.net>,
 David Marchand <david.marchand@redhat.com>,
 Ciara Loftus <ciara.loftus@intel.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
 <20250116225151.188214-1-ariel.otilibili@6wind.com>
 <20250116225151.188214-2-ariel.otilibili@6wind.com>
From: Maryam Tahhan <mtahhan@redhat.com>
In-Reply-To: <20250116225151.188214-2-ariel.otilibili@6wind.com>
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: RhdNBeVophBd9qJE57eeSyu93fbjRHsDa6AnHgrkrx0_1737384873
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org


On 16/01/2025 17:51, Ariel Otilibili wrote:
> tx_bytes is computed after both legs are tested. This might
> produce a use after memory free.
>
> The computation is now moved into each leg.
>
> Bugzilla ID: 1440
> Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
> Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
> ---
>   drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
> index 814398ba4b44..4326a29f7042 100644
> --- a/drivers/net/af_xdp/rte_eth_af_xdp.c
> +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
> @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>   					umem->mb_pool->header_size;
>   			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
>   			desc->addr = addr | offset;
> +			tx_bytes += mbuf->pkt_len;
>   			count++;
>   		} else {
>   			struct rte_mbuf *local_mbuf =
> @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>   			desc->addr = addr | offset;
>   			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
>   					desc->len);
> +			tx_bytes += mbuf->pkt_len;
>   			rte_pktmbuf_free(mbuf);
>   			count++;
>   		}
> -
> -		tx_bytes += mbuf->pkt_len;
>   	}
>   
>   out:

I think that you could've just set tx_bytes to the desc->len as this is 
being set in all scenarios...

tx_bytes += desc->len;