From: Kevin Traynor <ktraynor@redhat.com>
To: Tiwei Bie <tiwei.bie@intel.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'vhost: fix potential use-after-free for memory region' has been queued to LTS release 18.11.2
Date: Wed, 10 Apr 2019 17:43:43 +0100 [thread overview]
Message-ID: <20190410164411.10546-35-ktraynor@redhat.com> (raw)
In-Reply-To: <20190410164411.10546-1-ktraynor@redhat.com>
Hi,
FYI, your patch has been queued to LTS release 18.11.2
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Thanks.
Kevin Traynor
---
From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie@intel.com>
Date: Fri, 22 Feb 2019 10:42:08 +0800
Subject: [PATCH] vhost: fix potential use-after-free for memory region
[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ]
Reclaim outstanding zmbufs first before freeing memory regions,
otherwise there could be use-after-free.
Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/librte_vhost/vhost.h | 6 +++++
lib/librte_vhost/vhost_user.c | 46 +++++++++++++++++++++++++----------
lib/librte_vhost/virtio_net.c | 6 -----
3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
index 24702b4a1..0f9fc9edd 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
@@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
}
+static __rte_always_inline void
+put_zmbuf(struct zcopy_mbuf *zmbuf)
+{
+ zmbuf->in_use = 0;
+}
+
#endif /* _VHOST_NET_CDEV_H_ */
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index d19c09cbe..be4f3c6c8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -94,4 +94,27 @@ get_blk_size(int fd)
}
+/*
+ * Reclaim all the outstanding zmbufs for a virtqueue.
+ */
+static void
+drain_zmbuf_list(struct vhost_virtqueue *vq)
+{
+ struct zcopy_mbuf *zmbuf, *next;
+
+ for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list);
+ zmbuf != NULL; zmbuf = next) {
+ next = TAILQ_NEXT(zmbuf, next);
+
+ while (!mbuf_is_consumed(zmbuf->mbuf))
+ usleep(1000);
+
+ TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next);
+ restore_mbuf(zmbuf->mbuf);
+ rte_pktmbuf_free(zmbuf->mbuf);
+ put_zmbuf(zmbuf);
+ vq->nr_zmbuf -= 1;
+ }
+}
+
static void
free_mem_region(struct virtio_net *dev)
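Review bot: The wait in `drain_zmbuf_list()`, `while (!mbuf_is_consumed(zmbuf->mbuf)) usleep(1000);`, has no upper bound, so one zero-copy mbuf that the application never releases stalls the calling thread indefinitely. With this commit the loop is reached from `free_mem_region()` (next hunk) as well as `free_zmbufs()`, so it presumably now sits on whatever path replaces the guest memory table, not only on queue teardown; that makes it an availability concern, not just a teardown delay. The header comment should at least say so, e.g. `/* Reclaim all outstanding zmbufs for a virtqueue; blocks until the application has released each one. */`. Logging once the wait passes some threshold would make a stuck buffer diagnosable without changing the ordering guarantee the fix depends on.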
@@ -99,8 +122,17 @@ free_mem_region(struct virtio_net *dev)
uint32_t i;
struct rte_vhost_mem_region *reg;
+ struct vhost_virtqueue *vq;
if (!dev || !dev->mem)
return;
+ if (dev->dequeue_zero_copy) {
+ for (i = 0; i < dev->nr_vring; i++) {
+ vq = dev->virtqueue[i];
+ if (vq)
+ drain_zmbuf_list(vq);
+ }
+ }
+
for (i = 0; i < dev->mem->nregions; i++) {
reg = &dev->mem->regions[i];
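Review bot: The block added to `free_mem_region()` has no comment saying why the drain must come before the region loop, and that ordering is the entire fix. I would put `/* Outstanding zmbufs must be reclaimed before the regions below are released, otherwise they are left referencing freed memory. */` above `if (dev->dequeue_zero_copy) {`. Nothing visible in the hunk shows what serialises `drain_zmbuf_list()` against the dequeue path in virtio_net.c, which used `put_zmbuf()` until this commit moved it and so presumably touches the same zmbuf state. If callers already hold a per-queue lock here, that precondition is worth stating in the same comment. The function body continues past the end of the hunk.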
@@ -1213,17 +1245,5 @@ static void
free_zmbufs(struct vhost_virtqueue *vq)
{
- struct zcopy_mbuf *zmbuf, *next;
-
- for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list);
- zmbuf != NULL; zmbuf = next) {
- next = TAILQ_NEXT(zmbuf, next);
-
- while (!mbuf_is_consumed(zmbuf->mbuf))
- usleep(1000);
-
- restore_mbuf(zmbuf->mbuf);
- rte_pktmbuf_free(zmbuf->mbuf);
- TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next);
- }
+ drain_zmbuf_list(vq);
rte_free(vq->zmbufs);
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 206c1f125..a6576891a 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
}
-static __rte_always_inline void
-put_zmbuf(struct zcopy_mbuf *zmbuf)
-{
- zmbuf->in_use = 0;
-}
-
static __rte_always_inline int
copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
--
2.20.1
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2019-04-10 14:06:10.595605800 +0100
+++ 0035-vhost-fix-potential-use-after-free-for-memory-region.patch 2019-04-10 14:06:07.925292847 +0100
@@ -1,13 +1,14 @@
-From 2a2904fa9cc44493bcea495bab944b032b24f7cb Mon Sep 17 00:00:00 2001
+From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie@intel.com>
Date: Fri, 22 Feb 2019 10:42:08 +0800
Subject: [PATCH] vhost: fix potential use-after-free for memory region
+[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ]
+
Reclaim outstanding zmbufs first before freeing memory regions,
otherwise there could be use-after-free.
Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
-Cc: stable@dpdk.org
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
@@ -18,10 +19,10 @@
3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
-index 044651b19..f008ec43b 100644
+index 24702b4a1..0f9fc9edd 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
-@@ -770,3 +770,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
+@@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
}
+static __rte_always_inline void
@@ -32,7 +33,7 @@
+
#endif /* _VHOST_NET_CDEV_H_ */
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index 6d8253514..36c0c676d 100644
+index d19c09cbe..be4f3c6c8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -94,4 +94,27 @@ get_blk_size(int fd)
@@ -101,10 +102,10 @@
rte_free(vq->zmbufs);
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index 40a292364..a6a33a101 100644
+index 206c1f125..a6576891a 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
-@@ -1064,10 +1064,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
+@@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
}
-static __rte_always_inline void