patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: Tiwei Bie <tiwei.bie@intel.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
	dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'vhost: fix potential use-after-free for zero copy mbuf' has been queued to LTS release 18.11.2
Date: Wed, 10 Apr 2019 17:43:42 +0100
Message-ID: <20190410164411.10546-34-ktraynor@redhat.com>
In-Reply-To: <20190410164411.10546-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to LTS release 18.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie@intel.com>
Date: Fri, 22 Feb 2019 10:42:07 +0800
Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf

[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ]

Don't free the zero copy mbufs before they have been consumed,
otherwise there could be use-after-free.

Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")

Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/vhost.h      | 12 ++++++++++++
 lib/librte_vhost/vhost_user.c |  3 +++
 lib/librte_vhost/virtio_net.c | 12 ------------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
index d4f34c34a..24702b4a1 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
@@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m)
 }
 
+static __rte_always_inline bool
+mbuf_is_consumed(struct rte_mbuf *m)
+{
+	while (m) {
+		if (rte_mbuf_refcnt_read(m) > 1)
+			return false;
+		m = m->next;
+	}
+
+	return true;
+}
+
 #endif /* _VHOST_NET_CDEV_H_ */
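Review bot: mbuf_is_consumed() becomes a shared helper in vhost.h here but carries no comment defining "consumed". As written it returns false as soon as any segment in the chain has rte_mbuf_refcnt_read(m) > 1, which only means "safe to free" if the zero copy path itself holds exactly one reference per segment. A short comment above the helper stating that assumption would make the contract clear to the new caller in vhost_user.c.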
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index e078473ec..d19c09cbe 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq)
 		next = TAILQ_NEXT(zmbuf, next);
 
+		while (!mbuf_is_consumed(zmbuf->mbuf))
+			usleep(1000);
+
 		restore_mbuf(zmbuf->mbuf);
 		rte_pktmbuf_free(zmbuf->mbuf);
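Review bot: The wait added before restore_mbuf() in free_zmbufs() has no upper bound. "while (!mbuf_is_consumed(zmbuf->mbuf)) usleep(1000);" keeps sleeping for as long as any segment has a refcnt above 1, so a reference that is never dropped blocks this caller indefinitely, and nothing is logged while it waits. Consider capping the number of 1 ms sleeps and emitting a log message when the cap is reached, and add a comment saying which party is expected to release the outstanding reference.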
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index d8b6bdea5..206c1f125 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1332,16 +1332,4 @@ again:
 }
 
-static __rte_always_inline bool
-mbuf_is_consumed(struct rte_mbuf *m)
-{
-	while (m) {
-		if (rte_mbuf_refcnt_read(m) > 1)
-			return false;
-		m = m->next;
-	}
-
-	return true;
-}
-
 static __rte_always_inline uint16_t
 virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
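Review bot: The commit message covers only the wait before free and does not mention that mbuf_is_consumed() is relocated out of virtio_net.c. The twelve lines removed here match the twelve added to vhost.h, so this is a pure move, and one sentence in the log saying so would save a reader from diffing the two bodies by hand.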
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-04-10 14:06:10.520594931 +0100
+++ 0034-vhost-fix-potential-use-after-free-for-zero-copy-mbu.patch	2019-04-10 14:06:07.918293007 +0100
@@ -1,13 +1,14 @@
-From d767436ee5d26d1d417ae17d1a2a47879bf632a6 Mon Sep 17 00:00:00 2001
+From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001
 From: Tiwei Bie <tiwei.bie@intel.com>
 Date: Fri, 22 Feb 2019 10:42:07 +0800
 Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf
 
+[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ]
+
 Don't free the zero copy mbufs before they have been consumed,
 otherwise there could be use-after-free.
 
 Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
-Cc: stable@dpdk.org
 
 Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
@@ -18,10 +19,10 @@
  3 files changed, 15 insertions(+), 12 deletions(-)
 
 diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
-index bcfce274b..044651b19 100644
+index d4f34c34a..24702b4a1 100644
 --- a/lib/librte_vhost/vhost.h
 +++ b/lib/librte_vhost/vhost.h
-@@ -758,3 +758,15 @@ restore_mbuf(struct rte_mbuf *m)
+@@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m)
  }
  
 +static __rte_always_inline bool
@@ -38,7 +39,7 @@
 +
  #endif /* _VHOST_NET_CDEV_H_ */
 diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index e3ddf2589..6d8253514 100644
+index e078473ec..d19c09cbe 100644
 --- a/lib/librte_vhost/vhost_user.c
 +++ b/lib/librte_vhost/vhost_user.c
 @@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq)
@@ -50,10 +51,10 @@
  		restore_mbuf(zmbuf->mbuf);
  		rte_pktmbuf_free(zmbuf->mbuf);
 diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index 862ca5e1a..40a292364 100644
+index d8b6bdea5..206c1f125 100644
 --- a/lib/librte_vhost/virtio_net.c
 +++ b/lib/librte_vhost/virtio_net.c
-@@ -1307,16 +1307,4 @@ again:
+@@ -1332,16 +1332,4 @@ again:
  }
  
 -static __rte_always_inline bool
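Review bot: None of the hunks in this patch-vs-upstream diff touches a code line, so the rebase check requested above reduces to the @@ offsets. The differences are the From hash, the added "[ upstream commit ... ]" tag, the dropped "Cc: stable@dpdk.org" line, the index hashes, and the hunk headers for vhost.h (758 to 772) and virtio_net.c (1307 to 1332). Those two offset shifts are worth a quick look at the 18.11 context to confirm the helper still lands directly after restore_mbuf() and before the #endif.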
