From: Kevin Traynor
To: Tiwei Bie
Cc: Maxime Coquelin, dpdk stable
Date: Wed, 10 Apr 2019 17:43:42 +0100
Message-Id: <20190410164411.10546-34-ktraynor@redhat.com>
In-Reply-To: <20190410164411.10546-1-ktraynor@redhat.com>
References: <20190410164411.10546-1-ktraynor@redhat.com>
Subject: [dpdk-stable] patch 'vhost: fix potential use-after-free for zero copy mbuf' has been queued to LTS release 18.11.2
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to LTS release 18.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001
From: Tiwei Bie
Date: Fri, 22 Feb 2019 10:42:07 +0800
Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf

[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ]

Don't free the zero copy mbufs before they have been consumed,
otherwise there could be use-after-free.

Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
Signed-off-by: Tiwei Bie Reviewed-by: Maxime Coquelin --- lib/librte_vhost/vhost.h | 12 ++++++++++++ lib/librte_vhost/vhost_user.c | 3 +++ lib/librte_vhost/virtio_net.c | 12 ------------ 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h index d4f34c34a..24702b4a1 100644 --- a/lib/librte_vhost/vhost.h +++ b/lib/librte_vhost/vhost.h @@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m) } +static __rte_always_inline bool +mbuf_is_consumed(struct rte_mbuf *m) +{ + while (m) { + if (rte_mbuf_refcnt_read(m) > 1) + return false; + m = m->next; + } + + return true; +} + #endif /* _VHOST_NET_CDEV_H_ */ diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index e078473ec..d19c09cbe 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq) next = TAILQ_NEXT(zmbuf, next); + while (!mbuf_is_consumed(zmbuf->mbuf)) + usleep(1000); + restore_mbuf(zmbuf->mbuf); rte_pktmbuf_free(zmbuf->mbuf); diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index d8b6bdea5..206c1f125 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -1332,16 +1332,4 @@ again: } -static __rte_always_inline bool -mbuf_is_consumed(struct rte_mbuf *m) -{ - while (m) { - if (rte_mbuf_refcnt_read(m) > 1) - return false; - m = m->next; - } - - return true; -} - static __rte_always_inline uint16_t virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq, -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-04-10 14:06:10.520594931 +0100 +++ 0034-vhost-fix-potential-use-after-free-for-zero-copy-mbu.patch 2019-04-10 14:06:07.918293007 +0100 @@ -1,13 +1,14 @@ -From d767436ee5d26d1d417ae17d1a2a47879bf632a6 Mon Sep 17 00:00:00 2001 +From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001 
From: Tiwei Bie Date: Fri, 22 Feb 2019 10:42:07 +0800 Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf +[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ] + Don't free the zero copy mbufs before they have been consumed, otherwise there could be use-after-free. Fixes: b0a985d1f340 ("vhost: add dequeue zero copy") -Cc: stable@dpdk.org Signed-off-by: Tiwei Bie Reviewed-by: Maxime Coquelin @@ -18,10 +19,10 @@ 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h -index bcfce274b..044651b19 100644 +index d4f34c34a..24702b4a1 100644 --- a/lib/librte_vhost/vhost.h +++ b/lib/librte_vhost/vhost.h -@@ -758,3 +758,15 @@ restore_mbuf(struct rte_mbuf *m) +@@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m) } +static __rte_always_inline bool @@ -38,7 +39,7 @@ + #endif /* _VHOST_NET_CDEV_H_ */ diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c -index e3ddf2589..6d8253514 100644 +index e078473ec..d19c09cbe 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq) @@ -50,10 +51,10 @@ restore_mbuf(zmbuf->mbuf); rte_pktmbuf_free(zmbuf->mbuf); diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c -index 862ca5e1a..40a292364 100644 +index d8b6bdea5..206c1f125 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c -@@ -1307,16 +1307,4 @@ again: +@@ -1332,16 +1332,4 @@ again: } -static __rte_always_inline bool
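Review bot: mbuf_is_consumed(), in the hunk that adds it to lib/librte_vhost/vhost.h, carries no comment explaining why a segment with `rte_mbuf_refcnt_read(m) > 1` counts as not yet consumed. Now that the helper lives in the shared header and free_zmbufs() gates `rte_pktmbuf_free()` on it, a short comment stating which holder the remaining count of 1 stands for, and that every segment along `m->next` is checked, would keep later callers from misreading the threshold.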
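Review bot: the wait added to free_zmbufs() in the lib/librte_vhost/vhost_user.c hunk has no upper bound: `while (!mbuf_is_consumed(zmbuf->mbuf)) usleep(1000);` keeps sleeping until every segment's refcount is back to 1, so a reference that is never released blocks the caller indefinitely. Consider capping the number of 1 ms sleeps and logging when the cap is reached, with an explicit choice at that point between continuing to wait and leaving the mbuf unfreed, since freeing it anyway would bring back the use-after-free this patch removes.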