From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 81BA3468E4 for ; Thu, 12 Jun 2025 23:09:11 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7DF8E42DD9; Thu, 12 Jun 2025 23:09:11 +0200 (CEST) Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) by mails.dpdk.org (Postfix) with ESMTP id 673D742DD9 for ; Thu, 12 Jun 2025 23:09:09 +0200 (CEST) Received: by mail-wr1-f42.google.com with SMTP id ffacd0b85a97d-3a507e88b0aso1511220f8f.1 for ; Thu, 12 Jun 2025 14:09:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1749762549; x=1750367349; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=zn8RLTXG48y6VnRaiB9rtWghI3L178hTG1N2eLioVrA=; b=kECQkz2NJJqrs9uNzqW+57ULzw1iF3xK64w27EUAjPYzwUASDKgCvN90eKy/K8hvl2 jkKm6WUPDWrQgtsOxYwpkqPqQSZ200cqeQly1cPhPHs6caaJe9ljrMi6d0vwQlVEO/73 +V/rC0+4ehR0nK6zn7et7z8rVDFXMnA1s00Vqr6oOGh22mdPaXKHaKENH1FuwThWbzvf QvngOmO6/4i/lxqhIlI2MIYcMiVTD/RchoCNSVSAF731msM/7GP9YiYVomlBYs0W3ERx AtqIMGUaK+3tylD+D0eC1ggJrIv9NnD9d3CuxKxXsQZ9o3MQfxkbq0mGQP7DEJ1VnWpJ fglQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749762549; x=1750367349; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zn8RLTXG48y6VnRaiB9rtWghI3L178hTG1N2eLioVrA=; b=nT89JDYc1uyPrDXPkM8hZXZfQSe295879+TfONs636ZJ0FUlAC99QLO4uzkTxoQjdC oVK490/r/UbilBYInDuQhog30GiC2Ss6DKZMWqcgo8um3U9sjLgTN5u7MZ2o20gD/CcV tn13nfDPnL60zB6+K/er2uz1/KsXEKNYHK/x9VMLSmD4mnN29D9cJGkVV9JX/Mnuetyo 6EliZQg06cDf+DDXb1FNnP0bJhoMecsMImPJrXWgzJSQAX1YCp7ZykNaYvQACOVRGaa4 JP0IX85T3/3D06Qe7SjZUefyDIb0UcGyMZjkkcf4MFaLmtbX0vRJbScUAVyrgYRSChZ6 /www== X-Forwarded-Encrypted: i=1; AJvYcCV+A9+gmT3Q32AeCxRhJZvERw5rnLfEyqdi18uIxKDhDdsUrTl3DdvLRrDxR5xahIPZeBwiXTM=@dpdk.org X-Gm-Message-State: AOJu0YxdklMF5BnEPzHtf88rzZ7SkTUPHR7vY3u3sIWlVyY0G0iPcWAt Omh05tfyyMi3bWQPVy5l9/a9hQ7CYQbzfZd+zg35bGeljSg0U3k4LY70A7LJCRWi X-Gm-Gg: ASbGncsK9MzapGDxbhmbyqoQCniEfapIPSpVwkrWLXvlZdGEOJpslUZJtcJPkM7J/HG DFouAtpeMECUfVf0yQ7zQEoDcYGwEKQ1kAUmYY+dcpu5f5h2sxVv4MgBQirfKW80f3emPoES9yi x1KwZX3JaPUPqllIBGO7XtoLZpG3pU4cNhvJQDpHqlTNv7pTRg/uC9ghrWsrVAO3ir4Sd3Qpukh 9XCYZe0X4zqy2/NPSAa1DvhRQUC8gEwtXs2BhJ8H6K1j+Bb7tQi9Cs1KF8wfHsvtnYk6cYN5554 wEja6jHPwVZmDE575EV0QqmZrGD7Om2jvFoPCI9JZWKX7caakgEYjICh5ikat0jA6xgKctDO/lu e/Gs= X-Google-Smtp-Source: AGHT+IGn42CPtcGDCpMcvhMtnd05/nnaMxtZIMcMurhjhvIIalfHNtk2CUDUpbsaQaZ19KnyTlyJrg== X-Received: by 2002:a05:6000:2c0b:b0:3a4:ee36:ee4b with SMTP id ffacd0b85a97d-3a5686df628mr571617f8f.11.1749762548911; Thu, 12 Jun 2025 14:09:08 -0700 (PDT) Received: from localhost ([2a01:4b00:d036:ae00:f2df:571a:ae4c:bef2]) by smtp.gmail.com with UTF8SMTPSA id 5b1f17b1804b1-4532e232219sm31334235e9.9.2025.06.12.14.09.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Jun 2025 14:09:07 -0700 (PDT) From: luca.boccassi@gmail.com To: Ariel Otilibili Cc: Stephen Hemminger , dpdk stable Subject: patch 'net/af_xdp: fix use after free in zero-copy Tx' has been queued to stable release 22.11.9 Date: Thu, 12 Jun 2025 22:06:43 +0100 Message-ID: <20250612210733.2506558-26-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250612210733.2506558-1-luca.boccassi@gmail.com> References: <20250612210733.2506558-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 22.11.9 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 06/14/25. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/bluca/dpdk-stable This queued commit can be viewed at: https://github.com/bluca/dpdk-stable/commit/081c838388a346c2145e3c2ad71d375a587d178c Thanks. Luca Boccassi --- >From 081c838388a346c2145e3c2ad71d375a587d178c Mon Sep 17 00:00:00 2001 From: Ariel Otilibili Date: Wed, 26 Feb 2025 21:08:40 +0100 Subject: [PATCH] net/af_xdp: fix use after free in zero-copy Tx [ upstream commit a23bf7fde78b10afbbafda252f15495b26e010a9 ] tx_bytes is computed after both legs are tested. This might produce a use after memory free. The computation is now moved into each leg. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili Acked-by: Stephen Hemminger --- .mailmap | 1 + drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.mailmap b/.mailmap index b4cce78ea6..7bbd4bb02e 100644 --- a/.mailmap +++ b/.mailmap @@ -121,6 +121,7 @@ Anupam Kapoor Apeksha Gupta Archana Muniganti Archit Pandey +Ariel Otilibili Arkadiusz Kubalewski Arkadiusz Kusztal Arnon Warshavsky diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 343b4c40c9..5b50fd3b6b 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -544,6 +544,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += desc->len; count++; } else { struct rte_mbuf *local_mbuf = @@ -571,11 +572,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += desc->len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.47.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2025-06-12 22:06:24.866146174 +0100 +++ 0026-net-af_xdp-fix-use-after-free-in-zero-copy-Tx.patch 2025-06-12 22:06:23.842044047 +0100 @@ -1 +1 @@ -From a23bf7fde78b10afbbafda252f15495b26e010a9 Mon Sep 17 00:00:00 2001 +From 081c838388a346c2145e3c2ad71d375a587d178c Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit a23bf7fde78b10afbbafda252f15495b26e010a9 ] + @@ -13 +14,0 @@ -Cc: stable@dpdk.org @@ -18 +19 @@ - .mailmap | 2 +- + .mailmap | 1 + @@ -20 +21 @@ - 2 files changed, 3 insertions(+), 3 deletions(-) + 2 files changed, 3 insertions(+), 2 deletions(-) @@ -23 +24 @@ -index 4b781bd3fb..822936f615 100644 +index b4cce78ea6..7bbd4bb02e 100644 @@ -26 +27 @@ -@@ -135,7 +135,7 @@ Anupam Kapoor +@@ -121,6 +121,7 @@ Anupam Kapoor @@ -30 +30,0 @@ --Ariel Otilibili @@ -34 +34 @@ - Arnaud Fiorini + Arnon Warshavsky @@ -36 +36 @@ -index 814398ba4b..092bcb73aa 100644 +index 343b4c40c9..5b50fd3b6b 100644 @@ -39 +39 @@ -@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) +@@ -544,6 +544,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) @@ -47 +47 @@ -@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) +@@ -571,11 +572,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)