From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DE264460B1 for ; Wed, 29 Jan 2025 00:12:02 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DA757402E0; Wed, 29 Jan 2025 00:12:02 +0100 (CET) Received: from mail-ed1-f99.google.com (mail-ed1-f99.google.com [209.85.208.99]) by mails.dpdk.org (Postfix) with ESMTP id 7FDF840265 for ; Wed, 29 Jan 2025 00:12:01 +0100 (CET) Received: by mail-ed1-f99.google.com with SMTP id 4fb4d7f45d1cf-5dbfab8a2b0so11968444a12.3 for ; Tue, 28 Jan 2025 15:12:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; t=1738105921; x=1738710721; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9hywdngeYrFF1sfCalMyzbNNImjE8DErktp8EGkzE2o=; b=BAVx1lTVINLCGagtLM9kJ+KWoNgclA0VTNsg/6E9aJ9ZyTV5qztsFOvVXstzpHvy5L fAnn9SouvuhvLGxwgOx37QUk2qE1TN9s7KimYjaTfYLXl4E2mKHRyYF+P5zgVe/VJtGZ adnP4zr6ovHEtcF6/UHy/5eaCcflNQrWWMsi6BjsMmvtNDERITzDrsMWley5p5hEuYK/ FVfVfdgATZIO7Nhgq4uqrHlH5tnPM7GBAAHm3zpYH1IxyUX47zB9PXu+8cMReG8a+Sl2 ubO0uYnVWCYJ1g1df17md5zbqZQBN9nruiYC54l5EiXD+4nWjWI7B/t5f1X1mvC89yZm torA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738105921; x=1738710721; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9hywdngeYrFF1sfCalMyzbNNImjE8DErktp8EGkzE2o=; b=syFOEK2Y3p2J8vUAkXB7nEUVvj8mbk+ite0vwQi+4SFfVfGBUA6uAn+z2ndr1PZ42f R3Z7TY0UwcVxmD4WbGIQTNMEKoDcn4R92MLlKvY4koG5zYQwhNPV0bEucu/bU1SjRqKX EGKgVMvmsm3z2SebHUczGpgFWvYLJ2VnOk1Zr+qZjoEINr6yCyG5UJ7xFkb7io3s5oF9 THOJxO6XAcFYqCeKJof5GX81yiPihxrGAgcEVjrs+My9FAGKfWyh82vr/xdU9D/jPGQI TOnJh7HhEvmCH8OgZObuCJT7Otv0NeCiUzfeHMLjAPCV83ecFeAb5ulj8vAiE3x0klFa o5dw== X-Gm-Message-State: AOJu0Yxn4eV8SfqQNMoTMKvh1A7hPJeANbgtwvixUlPhzz/doDYGYQ2a XABE958DAYDoHbLA/bLQu+3gm8bjvQRwOhsDjTiMyYJhbtjwVjTVfSIOIDVIvpGFOAV+jjCjjqi lbd1sp78FBltFAkqIlCJC3vUREi4vjimn X-Gm-Gg: ASbGncvj2xjXoXZTSjtEysav6nLb/GWdxRn/KQ1Vy+Yr/zIOGSvJVC+wBpELY0hnD9u aZeIzcIK4J4iH68k2paxgzWqvS2BXSthq1cp5wT3lJQ5mLS9ht44YKyECrJbiCVHFS/hgyNX4O/ 0k3T6juF8dUjJoJcx79ZCKjsBDfHSyOF7fIhcX8gMm4O3QF11VMDoRw6ZFpVEa40wEuM/Jww3ei d47kyUxQvRD20ibTHWLb101x40cvLaDUm3jOGeHmP+q6QdBY61VeQHqMqL2D/tU15x7Cx/GHMu+ bMN4M5a/shbJyrEHi6s7A4XHoYc/yUG2yy2mihu0zZfHl8YPzw== X-Google-Smtp-Source: AGHT+IEXZmiTBSjsMav0if4iha0algeftpTRN0m6t2YD6figI36ir9j2JGkNms8s8WxCB476Z2roVX6o2GlR X-Received: by 2002:a17:907:6d0a:b0:aa6:7165:5044 with SMTP id a640c23a62f3a-ab6cfdbdd59mr89873166b.44.1738105921157; Tue, 28 Jan 2025 15:12:01 -0800 (PST) Received: from smtpservice.6wind.com ([185.13.181.2]) by smtp-relay.gmail.com with ESMTP id a640c23a62f3a-ab675e254d9sm58383466b.36.2025.01.28.15.12.01; Tue, 28 Jan 2025 15:12:01 -0800 (PST) X-Relaying-Domain: 6wind.com Received: from localhost (rainbow.dev.6wind.com [10.17.1.165]) by smtpservice.6wind.com (Postfix) with ESMTP id 0627C18248; Wed, 29 Jan 2025 00:12:01 +0100 (CET) From: Ariel Otilibili To: dev@dpdk.org Cc: stable@dpdk.org, Thomas Monjalon , David Marchand , Stephen Hemminger , Ciara Loftus , Maryam Tahhan , Ariel Otilibili Subject: [PATCH v3 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc() Date: Wed, 29 Jan 2025 00:11:51 +0100 Message-Id: <20250128231152.249497-2-ariel.otilibili@6wind.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250128231152.249497-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> <20250128231152.249497-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org tx_bytes is computed after both legs are tested. This might produce a use after memory free. The computation is now moved into each leg. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili --- drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 814398ba4b44..092bcb73aa0a 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += desc->len; count++; } else { struct rte_mbuf *local_mbuf = @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += desc->len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.30.2