DPDK patches and discussions
* [PATCH] examples/vhost: fix use after free
@ 2022-07-14  5:11 Wenwu Ma
  2022-07-14  7:55 ` Ling, WeiX
  2022-07-15  5:54 ` Xia, Chenbo
  0 siblings, 2 replies; 5+ messages in thread
From: Wenwu Ma @ 2022-07-14  5:11 UTC (permalink / raw)
  To: maxime.coquelin, chenbo.xia, dev
  Cc: jiayu.hu, yinan.wang, xingguang.he, weix.ling, yuanx.wang,
	Wenwu Ma, stable

In async_enqueue_pkts(), the failed pkts will
be freed before return, but, the failed pkts may be
retried later, it will cause use after free. So,
we free the failed pkts after retry.

Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
Cc: stable@dpdk.org

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 examples/vhost/main.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/examples/vhost/main.c b/examples/vhost/main.c
index 7e1666f42a..7956dc4f13 100644
--- a/examples/vhost/main.c
+++ b/examples/vhost/main.c
@@ -1073,8 +1073,13 @@ drain_vhost(struct vhost_dev *vdev)
 				__ATOMIC_SEQ_CST);
 	}
 
-	if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled)
+	if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) {
 		free_pkts(m, nr_xmit);
+	} else {
+		uint16_t enqueue_fail = nr_xmit - ret;
+		if (enqueue_fail > 0)
+			free_pkts(&m[ret], enqueue_fail);
+	}
 }
 
 static __rte_always_inline void
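Review bot: In the new else branch of drain_vhost(), `nr_xmit - ret` is stored in a uint16_t with nothing visible here guaranteeing `ret <= nr_xmit`; if the enqueue path ever reported more than nr_xmit, enqueue_fail would wrap and free_pkts(&m[ret], ...) would run past the end of the array. The declarations of ret and nr_xmit are outside this hunk, so please confirm their types and range, or clamp before subtracting. A short comment saying who releases m[0..ret) in the async case would also help, since this branch deliberately leaves those mbufs alone.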
@@ -1350,17 +1355,12 @@ async_enqueue_pkts(struct vhost_dev *dev, uint16_t queue_id,
 		struct rte_mbuf **pkts, uint32_t rx_count)
 {
 	uint16_t enqueue_count;
-	uint16_t enqueue_fail = 0;
 	uint16_t dma_id = dma_bind[vid2socketid[dev->vid]].dmas[VIRTIO_RXQ].dev_id;
 
 	complete_async_pkts(dev);
 	enqueue_count = rte_vhost_submit_enqueue_burst(dev->vid, queue_id,
 					pkts, rx_count, dma_id, 0);
 
-	enqueue_fail = rx_count - enqueue_count;
-	if (enqueue_fail)
-		free_pkts(&pkts[enqueue_count], enqueue_fail);
-
 	return enqueue_count;
 }
 
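Review bot: Removing the free_pkts() call from async_enqueue_pkts() silently changes its contract: pkts[enqueue_count..rx_count) now stay owned by the caller, and any caller that does not free them leaks mbufs instead of double-freeing them. The patch updates drain_vhost() and drain_eth_rx(), but nothing at the function itself records the new rule. Please add a comment above async_enqueue_pkts() stating that it returns the number submitted and that the caller must free or retry the remainder, and check that no other call site depends on the old behaviour.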
@@ -1405,8 +1405,13 @@ drain_eth_rx(struct vhost_dev *vdev)
 				__ATOMIC_SEQ_CST);
 	}
 
-	if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled)
+	if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) {
 		free_pkts(pkts, rx_count);
+	} else {
+		uint16_t enqueue_fail = rx_count - enqueue_count;
+		if (enqueue_fail > 0)
+			free_pkts(&pkts[enqueue_count], enqueue_fail);
+	}
 }
 
 uint16_t async_dequeue_pkts(struct vhost_dev *dev, uint16_t queue_id,
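Review bot: The else branch in drain_eth_rx() is only correct if enqueue_count at this point is the cumulative total after the retry loop mentioned in the commit message, and that loop is outside this hunk's context; a one-line comment stating that assumption next to `rx_count - enqueue_count` would make the fix auditable. The block is also a copy of the one added to drain_vhost() with different variable names, so a small helper taking the array, the total and the enqueued count would keep the two async free paths from drifting apart. Minor: `enqueue_fail > 0` on a uint16_t can be written as `enqueue_fail`, and DPDK style wants a blank line between the declaration and the `if`.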
-- 
2.25.1



* RE: [PATCH] examples/vhost: fix use after free
  2022-07-14  5:11 [PATCH] examples/vhost: fix use after free Wenwu Ma
@ 2022-07-14  7:55 ` Ling, WeiX
  2022-07-15  5:54 ` Xia, Chenbo
  1 sibling, 0 replies; 5+ messages in thread
From: Ling, WeiX @ 2022-07-14  7:55 UTC (permalink / raw)
  To: Ma, WenwuX, maxime.coquelin, Xia, Chenbo, dev
  Cc: Hu, Jiayu, Wang, Yinan, He, Xingguang, Wang, YuanX, stable

> -----Original Message-----
> From: Ma, WenwuX <wenwux.ma@intel.com>
> Sent: Thursday, July 14, 2022 1:11 PM
> To: maxime.coquelin@redhat.com; Xia, Chenbo <chenbo.xia@intel.com>;
> dev@dpdk.org
> Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>;
> He, Xingguang <xingguang.he@intel.com>; Ling, WeiX
> <weix.ling@intel.com>; Wang, YuanX <yuanx.wang@intel.com>; Ma,
> WenwuX <wenwux.ma@intel.com>; stable@dpdk.org
> Subject: [PATCH] examples/vhost: fix use after free
> 
> In async_enqueue_pkts(), the failed pkts will be freed before return, but,
> the failed pkts may be retried later, it will cause use after free. So, we free
> the failed pkts after retry.
> 
> Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> ---

Tested-by: Wei Ling <weix.ling@intel.com>


* RE: [PATCH] examples/vhost: fix use after free
  2022-07-14  5:11 [PATCH] examples/vhost: fix use after free Wenwu Ma
  2022-07-14  7:55 ` Ling, WeiX
@ 2022-07-15  5:54 ` Xia, Chenbo
  2022-09-22 13:46   ` Xia, Chenbo
  1 sibling, 1 reply; 5+ messages in thread
From: Xia, Chenbo @ 2022-07-15  5:54 UTC (permalink / raw)
  To: Ma, WenwuX, maxime.coquelin, dev
  Cc: Hu, Jiayu, Wang, Yinan, He, Xingguang, Ling, WeiX, Wang, YuanX, stable

> -----Original Message-----
> From: Ma, WenwuX <wenwux.ma@intel.com>
> Sent: Thursday, July 14, 2022 1:11 PM
> To: maxime.coquelin@redhat.com; Xia, Chenbo <chenbo.xia@intel.com>;
> dev@dpdk.org
> Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>; He,
> Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>; Wang,
> YuanX <yuanx.wang@intel.com>; Ma, WenwuX <wenwux.ma@intel.com>;
> stable@dpdk.org
> Subject: [PATCH] examples/vhost: fix use after free
> 
> In async_enqueue_pkts(), the failed pkts will
> be freed before return, but, the failed pkts may be
> retried later, it will cause use after free. So,
> we free the failed pkts after retry.
> 
> Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> ---
>  examples/vhost/main.c | 19 ++++++++++++-------
>  1 file changed, 12 insertions(+), 7 deletions(-)
> 

As discussed in yesterday's release meeting, this issue should have minor impact,
so the fix could be moved to next release.

Thanks,
Chenbo


* RE: [PATCH] examples/vhost: fix use after free
  2022-07-15  5:54 ` Xia, Chenbo
@ 2022-09-22 13:46   ` Xia, Chenbo
  2022-09-29  8:40     ` Xia, Chenbo
  0 siblings, 1 reply; 5+ messages in thread
From: Xia, Chenbo @ 2022-09-22 13:46 UTC (permalink / raw)
  To: Ma, WenwuX, maxime.coquelin, dev
  Cc: Hu, Jiayu, Wang, Yinan, He, Xingguang, Ling, WeiX, Wang, YuanX, stable

> -----Original Message-----
> From: Xia, Chenbo <chenbo.xia@intel.com>
> Sent: Friday, July 15, 2022 1:55 PM
> To: Ma, WenwuX <wenwux.ma@intel.com>; maxime.coquelin@redhat.com;
> dev@dpdk.org
> Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>; He,
> Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>; Wang,
> YuanX <yuanx.wang@intel.com>; stable@dpdk.org
> Subject: RE: [PATCH] examples/vhost: fix use after free
> 
> > -----Original Message-----
> > From: Ma, WenwuX <wenwux.ma@intel.com>
> > Sent: Thursday, July 14, 2022 1:11 PM
> > To: maxime.coquelin@redhat.com; Xia, Chenbo <chenbo.xia@intel.com>;
> > dev@dpdk.org
> > Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>;
> He,
> > Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>;
> Wang,
> > YuanX <yuanx.wang@intel.com>; Ma, WenwuX <wenwux.ma@intel.com>;
> > stable@dpdk.org
> > Subject: [PATCH] examples/vhost: fix use after free
> >
> > In async_enqueue_pkts(), the failed pkts will
> > be freed before return, but, the failed pkts may be
> > retried later, it will cause use after free. So,
> > we free the failed pkts after retry.
> >
> > Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> > ---
> >  examples/vhost/main.c | 19 ++++++++++++-------
> >  1 file changed, 12 insertions(+), 7 deletions(-)
> >
> 

Reviewed-by: Chenbo Xia <chenbo.xia@intel.com>



* RE: [PATCH] examples/vhost: fix use after free
  2022-09-22 13:46   ` Xia, Chenbo
@ 2022-09-29  8:40     ` Xia, Chenbo
  0 siblings, 0 replies; 5+ messages in thread
From: Xia, Chenbo @ 2022-09-29  8:40 UTC (permalink / raw)
  To: Ma, WenwuX, maxime.coquelin, dev
  Cc: Hu, Jiayu, Wang, Yinan, He, Xingguang, Ling, WeiX, Wang, YuanX, stable

> -----Original Message-----
> From: Xia, Chenbo <chenbo.xia@intel.com>
> Sent: Thursday, September 22, 2022 9:47 PM
> To: Ma, WenwuX <wenwux.ma@intel.com>; maxime.coquelin@redhat.com;
> dev@dpdk.org
> Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>; He,
> Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>; Wang,
> YuanX <yuanx.wang@intel.com>; stable@dpdk.org
> Subject: RE: [PATCH] examples/vhost: fix use after free
> 
> > -----Original Message-----
> > From: Xia, Chenbo <chenbo.xia@intel.com>
> > Sent: Friday, July 15, 2022 1:55 PM
> > To: Ma, WenwuX <wenwux.ma@intel.com>; maxime.coquelin@redhat.com;
> > dev@dpdk.org
> > Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>;
> He,
> > Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>;
> Wang,
> > YuanX <yuanx.wang@intel.com>; stable@dpdk.org
> > Subject: RE: [PATCH] examples/vhost: fix use after free
> >
> > > -----Original Message-----
> > > From: Ma, WenwuX <wenwux.ma@intel.com>
> > > Sent: Thursday, July 14, 2022 1:11 PM
> > > To: maxime.coquelin@redhat.com; Xia, Chenbo <chenbo.xia@intel.com>;
> > > dev@dpdk.org
> > > Cc: Hu, Jiayu <jiayu.hu@intel.com>; Wang, Yinan <yinan.wang@intel.com>;
> > He,
> > > Xingguang <xingguang.he@intel.com>; Ling, WeiX <weix.ling@intel.com>;
> > Wang,
> > > YuanX <yuanx.wang@intel.com>; Ma, WenwuX <wenwux.ma@intel.com>;
> > > stable@dpdk.org
> > > Subject: [PATCH] examples/vhost: fix use after free
> > >
> > > In async_enqueue_pkts(), the failed pkts will
> > > be freed before return, but, the failed pkts may be
> > > retried later, it will cause use after free. So,
> > > we free the failed pkts after retry.
> > >
> > > Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
> > > Cc: stable@dpdk.org
> > >
> > > Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> > > ---
> > >  examples/vhost/main.c | 19 ++++++++++++-------
> > >  1 file changed, 12 insertions(+), 7 deletions(-)
> > >
> >
> 
> Reviewed-by: Chenbo Xia <chenbo.xia@intel.com>

Applied to next-virtio/main, thanks
