From: Wenwu Ma To: stable@dpdk.org Cc: chenbo.xia@intel.com, weix.ling@intel.com, yuanx.wang@intel.com, xingguang.he@intel.com, yux.jiang@intel.com, Wenwu Ma Subject: [PATCH 21.11] examples/vhost: fix use after free Date: Wed, 16 Nov 2022 09:40:22 +0800 Message-Id: <20221116014022.1884914-1-wenwux.ma@intel.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org [ upstream commit 40abb903fe0aff0556d15d96385a4c7b647649b5 ] In async_enqueue_pkts(), the failed pkts will be freed before return, but, the failed pkts may be retried later, it will cause use after free. So, we free the failed pkts after retry. Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path") Signed-off-by: Wenwu Ma Tested-by: Wei Ling Reviewed-by: Chenbo Xia --- examples/vhost/main.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/examples/vhost/main.c b/examples/vhost/main.c index f9e932061f..36464922e3 100644 --- a/examples/vhost/main.c +++ b/examples/vhost/main.c @@ -908,17 +908,10 @@ enqueue_pkts(struct vhost_dev *vdev, struct rte_mbuf **pkts, uint16_t rx_count) if (builtin_net_driver) { enqueue_count = vs_enqueue_pkts(vdev, VIRTIO_RXQ, pkts, rx_count); } else if (async_vhost_driver) { - uint16_t enqueue_fail = 0; - complete_async_pkts(vdev); enqueue_count = rte_vhost_submit_enqueue_burst(vdev->vid, VIRTIO_RXQ, pkts, rx_count); __atomic_add_fetch(&vdev->pkts_inflight, enqueue_count, __ATOMIC_SEQ_CST); - - enqueue_fail = rx_count - enqueue_count; - if (enqueue_fail) - free_pkts(&pkts[enqueue_count], enqueue_fail); - } else { enqueue_count = rte_vhost_enqueue_burst(vdev->vid, VIRTIO_RXQ, pkts, rx_count); 
@@ -944,8 +937,13 @@ drain_vhost(struct vhost_dev *vdev) __ATOMIC_SEQ_CST); } - if (!async_vhost_driver) + if (!async_vhost_driver) { free_pkts(m, nr_xmit); + } else { + uint16_t enqueue_fail = nr_xmit - ret; + if (enqueue_fail > 0) + free_pkts(&m[ret], enqueue_fail); + } } static __rte_always_inline void @@ -1249,8 +1247,13 @@ drain_eth_rx(struct vhost_dev *vdev) __ATOMIC_SEQ_CST); } - if (!async_vhost_driver) + if (!async_vhost_driver) { free_pkts(pkts, rx_count); + } else { + uint16_t enqueue_fail = rx_count - enqueue_count; + if (enqueue_fail > 0) + free_pkts(&pkts[enqueue_count], enqueue_fail); + } } static __rte_always_inline void -- 2.25.1
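Review bot: in the enqueue_pkts() hunk, removing `free_pkts(&pkts[enqueue_count], enqueue_fail);` from the async branch silently changes the ownership contract: the un-enqueued tail pkts[enqueue_count .. rx_count) is now left for the caller to free, and nothing in the function says so. Please add a comment above enqueue_pkts() stating that in the async path the caller owns and must free the packets that were not submitted, so that a later caller does not leak mbufs or reintroduce the early free. The commit message also names async_enqueue_pkts(), while this hunk modifies enqueue_pkts(); for the 21.11 backport the message should name the function actually touched.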
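Review bot: in the new else branch of drain_vhost(), `uint16_t enqueue_fail = nr_xmit - ret;` is an unsigned 16-bit subtraction, so the free is only safe while ret never exceeds nr_xmit; if it ever did, the value would wrap and `free_pkts(&m[ret], enqueue_fail)` would walk past the end of m. The declaration of ret is outside the visible context, so please confirm its type and that it holds the final count after the retry, or guard the branch with an explicit `ret < nr_xmit` test. As a style point, a blank line is missing between the declaration of enqueue_fail and the `if` that follows it.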
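Review bot: the else branch added in drain_eth_rx() is a copy of the one added in drain_vhost(), differing only in variable names (pkts/rx_count/enqueue_count versus m/nr_xmit/ret). Since correct freeing of the failed tail is the whole point of this fix, consider a single small helper that takes the array, the total count and the enqueued count and frees the remainder, called from both places; that keeps the two paths from drifting apart and gives one spot for the bounds check. The `enqueue_fail > 0` test on a uint16_t is equivalent to the `if (enqueue_fail)` form that the first hunk removed, so either spelling works, but using the same one in both new branches and the helper would read more consistently.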