From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 2D6E745FE6;
	Wed, 29 Jan 2025 00:12:08 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 0C29D402E0;
	Wed, 29 Jan 2025 00:12:06 +0100 (CET)
Received: from mail-ed1-f100.google.com (mail-ed1-f100.google.com
 [209.85.208.100])
 by mails.dpdk.org (Postfix) with ESMTP id 802BE4026F
 for <dev@dpdk.org>; Wed, 29 Jan 2025 00:12:01 +0100 (CET)
Received: by mail-ed1-f100.google.com with SMTP id
 4fb4d7f45d1cf-5d4e2aa7ea9so12156755a12.2
 for <dev@dpdk.org>; Tue, 28 Jan 2025 15:12:01 -0800 (PST)
X-Received: by 2002:a17:907:6d0a:b0:aa6:7165:5044 with SMTP id
 a640c23a62f3a-ab6cfdbdd59mr89873166b.44.1738105921157; 
 Tue, 28 Jan 2025 15:12:01 -0800 (PST)
Received: from smtpservice.6wind.com ([185.13.181.2])
 by smtp-relay.gmail.com with ESMTP id
 a640c23a62f3a-ab675e254d9sm58383466b.36.2025.01.28.15.12.01; 
 Tue, 28 Jan 2025 15:12:01 -0800 (PST)
X-Relaying-Domain: 6wind.com
Received: from localhost (rainbow.dev.6wind.com [10.17.1.165])
 by smtpservice.6wind.com (Postfix) with ESMTP id 0627C18248;
 Wed, 29 Jan 2025 00:12:01 +0100 (CET)
From: Ariel Otilibili <ariel.otilibili@6wind.com>
To: dev@dpdk.org
Cc: stable@dpdk.org, Thomas Monjalon <thomas@monjalon.net>,
 David Marchand <david.marchand@redhat.com>,
 Stephen Hemminger <stephen@networkplumber.org>,
 Ciara Loftus <ciara.loftus@intel.com>, Maryam Tahhan <mtahhan@redhat.com>,
 Ariel Otilibili <ariel.otilibili@6wind.com>
Subject: [PATCH v3 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc()
Date: Wed, 29 Jan 2025 00:11:51 +0100
Message-Id: <20250128231152.249497-2-ariel.otilibili@6wind.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250128231152.249497-1-ariel.otilibili@6wind.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
 <20250128231152.249497-1-ariel.otilibili@6wind.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

tx_bytes is computed after both legs are tested. This might
produce a use after memory free.

The computation is now moved into each leg.

Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
---
 drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 814398ba4b44..092bcb73aa0a 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					umem->mb_pool->header_size;
 			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
 			desc->addr = addr | offset;
+			tx_bytes += desc->len;
 			count++;
 		} else {
 			struct rte_mbuf *local_mbuf =
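Review bot: The added "tx_bytes += desc->len;" in the first leg changes the source of the byte count from mbuf->pkt_len (used by the removed line) to desc->len, and nothing in this hunk shows where desc->len is assigned. No free of mbuf is visible in this leg, so "tx_bytes += mbuf->pkt_len;" would also be safe here. If desc->len is kept so both legs stay symmetric, the commit message should say the two values are equal at this point, so the statistics visibly do not change.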
@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 			desc->addr = addr | offset;
 			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
 					desc->len);
+			tx_bytes += desc->len;
 			rte_pktmbuf_free(mbuf);
 			count++;
 		}
-
-		tx_bytes += mbuf->pkt_len;
 	}
 
 out:
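Review bot: The commit message does not say which leg was affected or which object was read after being freed, and that matters for the stable backport named in Cc. From this hunk, it is the else leg: the removed "tx_bytes += mbuf->pkt_len;" ran after rte_pktmbuf_free(mbuf). Please state that in the message. Placing "tx_bytes += desc->len;" before the free fixes the ordering, and desc->len is the same length passed to rte_memcpy() just above, so the counter matches the bytes copied. A one-line comment above rte_pktmbuf_free(mbuf) saying that mbuf must not be dereferenced past this point would help keep a later change from reintroducing the read.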
-- 
2.30.2