From: Kevin Traynor
To: Tiwei Bie
Cc: Maxime Coquelin, dpdk stable
Date: Wed, 10 Apr 2019 17:43:43 +0100
Message-Id: <20190410164411.10546-35-ktraynor@redhat.com>
In-Reply-To: <20190410164411.10546-1-ktraynor@redhat.com>
References: <20190410164411.10546-1-ktraynor@redhat.com>
Subject: [dpdk-stable] patch 'vhost: fix potential use-after-free for memory region' has been queued to LTS release 18.11.2

Hi,

FYI, your patch has been queued to LTS release 18.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001
From: Tiwei Bie
Date: Fri, 22 Feb 2019 10:42:08 +0800
Subject: [PATCH] vhost: fix potential use-after-free for memory region

[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ]

Reclaim outstanding zmbufs first before freeing memory regions,
otherwise there could be use-after-free.

Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
Signed-off-by: Tiwei Bie Reviewed-by: Maxime Coquelin --- lib/librte_vhost/vhost.h | 6 +++++ lib/librte_vhost/vhost_user.c | 46 +++++++++++++++++++++++++---------- lib/librte_vhost/virtio_net.c | 6 ----- 3 files changed, 39 insertions(+), 19 deletions(-) diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h index 24702b4a1..0f9fc9edd 100644 --- a/lib/librte_vhost/vhost.h +++ b/lib/librte_vhost/vhost.h @@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m) } +static __rte_always_inline void +put_zmbuf(struct zcopy_mbuf *zmbuf) +{ + zmbuf->in_use = 0; +} + #endif /* _VHOST_NET_CDEV_H_ */ diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index d19c09cbe..be4f3c6c8 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -94,4 +94,27 @@ get_blk_size(int fd) } +/* + * Reclaim all the outstanding zmbufs for a virtqueue. + */ +static void +drain_zmbuf_list(struct vhost_virtqueue *vq) +{ + struct zcopy_mbuf *zmbuf, *next; + + for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list); + zmbuf != NULL; zmbuf = next) { + next = TAILQ_NEXT(zmbuf, next); + + while (!mbuf_is_consumed(zmbuf->mbuf)) + usleep(1000); + + TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next); + restore_mbuf(zmbuf->mbuf); + rte_pktmbuf_free(zmbuf->mbuf); + put_zmbuf(zmbuf); + vq->nr_zmbuf -= 1; + } +} + static void free_mem_region(struct virtio_net *dev) @@ -99,8 +122,17 @@ free_mem_region(struct virtio_net *dev) uint32_t i; struct rte_vhost_mem_region *reg; + struct vhost_virtqueue *vq; if (!dev || !dev->mem) return; + if (dev->dequeue_zero_copy) { + for (i = 0; i < dev->nr_vring; i++) { + vq = dev->virtqueue[i]; + if (vq) + drain_zmbuf_list(vq); + } + } + for (i = 0; i < dev->mem->nregions; i++) { reg = &dev->mem->regions[i]; 
@@ -1213,17 +1245,5 @@ static void free_zmbufs(struct vhost_virtqueue *vq) { - struct zcopy_mbuf *zmbuf, *next; - - for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list); - zmbuf != NULL; zmbuf = next) { - next = TAILQ_NEXT(zmbuf, next); - - while (!mbuf_is_consumed(zmbuf->mbuf)) - usleep(1000); - - restore_mbuf(zmbuf->mbuf); - rte_pktmbuf_free(zmbuf->mbuf); - TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next); - } + drain_zmbuf_list(vq); rte_free(vq->zmbufs); diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 206c1f125..a6576891a 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m) } -static __rte_always_inline void -put_zmbuf(struct zcopy_mbuf *zmbuf) -{ - zmbuf->in_use = 0; -} - static __rte_always_inline int copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-04-10 14:06:10.595605800 +0100 +++ 0035-vhost-fix-potential-use-after-free-for-memory-region.patch 2019-04-10 14:06:07.925292847 +0100 @@ -1,13 +1,14 @@ -From 2a2904fa9cc44493bcea495bab944b032b24f7cb Mon Sep 17 00:00:00 2001 +From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001 From: Tiwei Bie Date: Fri, 22 Feb 2019 10:42:08 +0800 Subject: [PATCH] vhost: fix potential use-after-free for memory region +[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ] + Reclaim outstanding zmbufs first before freeing memory regions, otherwise there could be use-after-free. Fixes: b0a985d1f340 ("vhost: add dequeue zero copy") -Cc: stable@dpdk.org Signed-off-by: Tiwei Bie Reviewed-by: Maxime Coquelin @@ -18,10 +19,10 @@ 3 files changed, 39 insertions(+), 19 deletions(-) diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h -index 044651b19..f008ec43b 100644 +index 24702b4a1..0f9fc9edd 100644 --- a/lib/librte_vhost/vhost.h 
+++ b/lib/librte_vhost/vhost.h -@@ -770,3 +770,9 @@ mbuf_is_consumed(struct rte_mbuf *m) +@@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m) } +static __rte_always_inline void @@ -32,7 +33,7 @@ + #endif /* _VHOST_NET_CDEV_H_ */ diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c -index 6d8253514..36c0c676d 100644 +index d19c09cbe..be4f3c6c8 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -94,4 +94,27 @@ get_blk_size(int fd) @@ -101,10 +102,10 @@ rte_free(vq->zmbufs); diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c -index 40a292364..a6a33a101 100644 +index 206c1f125..a6576891a 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c -@@ -1064,10 +1064,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m) +@@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m) } -static __rte_always_inline void
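
Review bot: the `while (!mbuf_is_consumed(zmbuf->mbuf)) usleep(1000);` wait in the new drain_zmbuf_list() (vhost_user.c, hunk at -94,4 +94,27) has no upper bound, and with this patch it is reached from free_mem_region() as well as from free_zmbufs(). If one outstanding zero-copy mbuf is never consumed, memory-region teardown sleeps in 1 ms steps forever and nothing is logged. Consider bounding the wait or logging once it exceeds a threshold, and extend the function comment ("Reclaim all the outstanding zmbufs for a virtqueue.") to say that the call can block.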
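
Review bot: in free_mem_region() (vhost_user.c, hunk at -99,8 +122,17) the new `for (i = 0; i < dev->nr_vring; i++)` loop lets drain_zmbuf_list() walk and modify vq->zmbuf_list and vq->nr_zmbuf with no lock or other guard visible in the hunk. If the dequeue path can still run on the same virtqueue at this point, the drain races with it. Either serialise against the datapath around `drain_zmbuf_list(vq)` or add a comment stating why the queues are known to be quiescent when free_mem_region() is called.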
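
Review bot: the free_zmbufs() change (vhost_user.c, hunk at -1213,17 +1245,5) is not a pure refactor, and the commit message does not say so. The removed loop never called put_zmbuf() or touched vq->nr_zmbuf and ran TAILQ_REMOVE after rte_pktmbuf_free(), while drain_zmbuf_list() clears in_use, decrements nr_zmbuf and removes the entry before restore_mbuf(). A sentence in the log covering the extra accounting would help reviewers of the backport; it is also worth confirming that `vq->nr_zmbuf -= 1` cannot underflow if the list and the counter ever disagree.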