From: luca.boccassi@gmail.com
To: Wenwu Ma
Cc: Wei Ling, Chenbo Xia, dpdk stable
Subject: patch 'examples/vhost: fix use after free' has been queued to stable release 20.11.7
Date: Thu, 3 Nov 2022 09:26:58 +0000
Message-Id: <20221103092758.1099402-40-luca.boccassi@gmail.com>
In-Reply-To: <20221103092758.1099402-1-luca.boccassi@gmail.com>
References: <20221103092758.1099402-1-luca.boccassi@gmail.com>

Hi,

FYI, your patch has been queued to stable release 20.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/05/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/cc65c7fccf4f361551ffa7526d61c3073fa04bbe

Thanks.

Luca Boccassi

---
>From cc65c7fccf4f361551ffa7526d61c3073fa04bbe Mon Sep 17 00:00:00 2001
From: Wenwu Ma
Date: Thu, 14 Jul 2022 13:11:06 +0800
Subject: [PATCH] examples/vhost: fix use after free

[ upstream commit 40abb903fe0aff0556d15d96385a4c7b647649b5 ]

In async_enqueue_pkts(), the failed pkts will be freed before return,
but, the failed pkts may be retried later, it will cause use after free.
So, we free the failed pkts after retry.

Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
Signed-off-by: Wenwu Ma Tested-by: Wei Ling Reviewed-by: Chenbo Xia --- examples/vhost/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/examples/vhost/main.c b/examples/vhost/main.c index 24e37f7ce5..b7ac9c2f15 100644 --- a/examples/vhost/main.c +++ b/examples/vhost/main.c @@ -1163,8 +1163,13 @@ drain_eth_rx(struct vhost_dev *vdev) rte_atomic64_add(&vdev->stats.rx_atomic, enqueue_count); } - if (!async_vhost_driver) + if (!async_vhost_driver) { free_pkts(pkts, rx_count); + } else { + uint16_t enqueue_fail = rx_count - enqueue_count; + if (enqueue_fail > 0) + free_pkts(&pkts[enqueue_count], enqueue_fail); + } } static __rte_always_inline void -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-11-03 09:27:27.870280891 +0000 +++ 0040-examples-vhost-fix-use-after-free.patch 2022-11-03 09:27:25.413423215 +0000 @@ -1 +1 @@ -From 40abb903fe0aff0556d15d96385a4c7b647649b5 Mon Sep 17 00:00:00 2001 +From cc65c7fccf4f361551ffa7526d61c3073fa04bbe Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 40abb903fe0aff0556d15d96385a4c7b647649b5 ] + @@ -12 +13,0 @@ -Cc: stable@dpdk.org @@ -18,2 +19,2 @@ - examples/vhost/main.c | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) + examples/vhost/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) @@ -22 +23 @@ -index 0fa4753e70..195ef84b3b 100644 +index 24e37f7ce5..b7ac9c2f15 100644 
@@ -25,35 +26,2 @@ -@@ -1075,8 +1075,13 @@ drain_vhost(struct vhost_dev *vdev) - __ATOMIC_SEQ_CST); - } - -- if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) -+ if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) { - free_pkts(m, nr_xmit); -+ } else { -+ uint16_t enqueue_fail = nr_xmit - ret; -+ if (enqueue_fail > 0) -+ free_pkts(&m[ret], enqueue_fail); -+ } - } - - static __rte_always_inline void -@@ -1352,17 +1357,12 @@ async_enqueue_pkts(struct vhost_dev *dev, uint16_t queue_id, - struct rte_mbuf **pkts, uint32_t rx_count) - { - uint16_t enqueue_count; -- uint16_t enqueue_fail = 0; - uint16_t dma_id = dma_bind[vid2socketid[dev->vid]].dmas[VIRTIO_RXQ].dev_id; - - complete_async_pkts(dev); - enqueue_count = rte_vhost_submit_enqueue_burst(dev->vid, queue_id, - pkts, rx_count, dma_id, 0); - -- enqueue_fail = rx_count - enqueue_count; -- if (enqueue_fail) -- free_pkts(&pkts[enqueue_count], enqueue_fail); -- - return enqueue_count; - } - -@@ -1407,8 +1407,13 @@ drain_eth_rx(struct vhost_dev *vdev) - __ATOMIC_SEQ_CST); +@@ -1163,8 +1163,13 @@ drain_eth_rx(struct vhost_dev *vdev) + rte_atomic64_add(&vdev->stats.rx_atomic, enqueue_count); @@ -62,2 +30,2 @@ -- if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) -+ if (!dma_bind[vid2socketid[vdev->vid]].dmas[VIRTIO_RXQ].async_enabled) { +- if (!async_vhost_driver) ++ if (!async_vhost_driver) { @@ -72 +40 @@ - uint16_t async_dequeue_pkts(struct vhost_dev *dev, uint16_t queue_id, + static __rte_always_inline void
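Review bot: in the drain_eth_rx() hunk, the new else branch computes "uint16_t enqueue_fail = rx_count - enqueue_count;" with nothing in the visible lines bounding enqueue_count by rx_count, so if the retry accounting ever pushes enqueue_count above rx_count the subtraction wraps and free_pkts(&pkts[enqueue_count], enqueue_fail) walks past the end of the burst array; the "> 0" test on an unsigned value does not catch that. Consider guarding with "if (enqueue_count < rx_count)" before the subtraction. A one-line comment would also help: in the async case only the tail from pkts[enqueue_count] onward is freed here, and the first enqueue_count mbufs are deliberately left alone, which is the ownership rule the fix depends on and is not obvious from the code.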
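Review bot: the diff against upstream shows that the hunk removing the free from async_enqueue_pkts() was dropped in this backport, while the hunk adding a free of the failed tail in drain_eth_rx() was kept, so please confirm that the 20.11 async enqueue path does not still free &pkts[enqueue_count] itself; if it does, the backport frees the same mbufs twice instead of fixing the use after free. The upstream drain_vhost() hunk is dropped as well, and the condition changed from the dma_bind[...].async_enabled lookup to async_vhost_driver, taking the change from 12 insertions and 7 deletions down to 6 and 1. The commit message was kept as written and still describes async_enqueue_pkts() freeing the packets; a short backport note under the "[ upstream commit ... ]" line saying which hunks were dropped and why they do not apply to 20.11 would let the next reader verify the rebase without re-deriving it.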