From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 28287460F6 for ; Fri, 31 Jan 2025 19:34:50 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DDC8440649; Fri, 31 Jan 2025 19:34:49 +0100 (CET) Received: from mail-wr1-f100.google.com (mail-wr1-f100.google.com [209.85.221.100]) by mails.dpdk.org (Postfix) with ESMTP id A1E0840274 for ; Fri, 31 Jan 2025 19:34:46 +0100 (CET) Received: by mail-wr1-f100.google.com with SMTP id ffacd0b85a97d-38a34e8410bso1215776f8f.2 for ; Fri, 31 Jan 2025 10:34:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; t=1738348486; x=1738953286; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=goNQLdxV8GPZKjJhQxNbRZ11lznIXp+Qg3b9P4fWxQw=; b=YUJ4z2ULrT6IZ2sPz1sC9/uZKGMIrl8GQTjEl3LzEphZMWfhcgzag1Qg94KWS1LZGS OmaLas/W8H0EyLGTXBd9YN53HQ9W5sXiigeb1HEZk3GsisCS6iNt0EA5f6IGzKavM1Fx JCeJog9hdaU3iHxtpvJbjbPI/FHPwKkLL42aX0GlBg9cTZj/sVEY/yQOyb5mIaaouHYT hH7pZuj0ZJ8GUGsyvZbBhqSfqR/CRn8ozcjuZY6C0VM9GyhGQHwd3+Bz0c8UUM5T/FVU 2xXrDOyOEpHtt/M++HmXPPLyMm8HyY8Lcq8WlnYuGtExE5DDF/eKfKq/ChqALTs2vnZV hzbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738348486; x=1738953286; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=goNQLdxV8GPZKjJhQxNbRZ11lznIXp+Qg3b9P4fWxQw=; b=iF+zh1W7oG0NY2JcYLQ/jr8V1kmzdwEbWWaRydkxi6DJa7LckDVC6mNVwuC0Q5bKfD 14bJkij+LvL2UFLbHNNWA73jX5Ugml3PR/Kv87wI8K8BBViirkOhF2Z1fzOaPc9k7fGV dWlCtKeBO1iB9oFx5sx+UH4TclQzicPL4E1w/G+CLVYN9DWv+HDx1sOBhNxkazYG2S29 d2vIbDl5ZP9OTq3fFglpkjuB7NPNBps72uiahlSXNtGow+vUciaBJBIvUqttqj00LQ4i F2xMvSsffIiBMaZ4l9fGEw7a8dhRbbbi+j7OFPjPtmHRXa7oec06B5qfLWqvJ+E8jzXV 1hmg== X-Gm-Message-State: AOJu0YyxNgfPpL9kg25sfs2LpvRBuXzPVp1pZx3Y2157v0HGT7NZv/FT yx7vwmEnMXtwFNOyFgMzxhNEp9ECOz6l3shwZZKWsY4P8hMFy0t9sqQSj6LgtB8VgH8tBBBHEvA uF3Dfxq/zuHaOlYfViN/mgGy3d+N+rHv+ X-Gm-Gg: ASbGncvv+OsS5yqbyogGdNMEzLQdsGaoNylOavASjqdroD3zv+4TjA4acCU3e4A93ZH Mo2d/glys/VPlVOpCXmrnYQIBHtZFGelVsWsPNTsaplKlOLie5q0gTTcX839ivKKqNXCPN75QcC +RV2puD5rP41AHOV94BXNwGAYNa3JmAUrSqDX1qZ7gzeQXXgdTilz6HuBjkJaqaAwv8HiS093CT g7HVjuE/uRVgg/7l62bpUY0cd/M4cGtFHGMKP8F9m2xYzF5UtTAORcfabpLRBCpdoDik7xXV1Sh 1JJE4KmfGyCNRsWtD24E49Q31llyHLkCBsPt7OFaA1xq2K52EA== X-Google-Smtp-Source: AGHT+IG7TjGyk71TMDAXX0qJm3pvLWUAlW2UFCX+OclXdgMkn1PQyJrMd2jNPfzjgMQcymFECkbDVw6YGPHn X-Received: by 2002:a5d:47a4:0:b0:387:86cf:4e87 with SMTP id ffacd0b85a97d-38c5195e5c4mr10759838f8f.15.1738348486305; Fri, 31 Jan 2025 10:34:46 -0800 (PST) Received: from smtpservice.6wind.com ([185.13.181.2]) by smtp-relay.gmail.com with ESMTP id 5b1f17b1804b1-438e23deebdsm4881365e9.13.2025.01.31.10.34.46; Fri, 31 Jan 2025 10:34:46 -0800 (PST) X-Relaying-Domain: 6wind.com Received: from localhost (rainbow.dev.6wind.com [10.17.1.165]) by smtpservice.6wind.com (Postfix) with ESMTP id 35A7919C94; Fri, 31 Jan 2025 19:34:46 +0100 (CET) From: Ariel Otilibili To: dev@dpdk.org Cc: stable@dpdk.org, Thomas Monjalon , David Marchand , Ariel Otilibili , Ciara Loftus , Maryam Tahhan , Stephen Hemminger Subject: [PATCH v5 1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc Date: Fri, 31 Jan 2025 19:34:38 +0100 Message-Id: <20250131183439.909831-2-ariel.otilibili@6wind.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250131183439.909831-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> <20250131183439.909831-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org tx_bytes is computed after both legs are tested. This might produce a use after memory free. The computation is now moved into each leg. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili Acked-by: Stephen Hemminger --- .mailmap | 2 +- drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.mailmap b/.mailmap index 76f65e5114d4..42fcefacf573 100644 --- a/.mailmap +++ b/.mailmap @@ -134,7 +134,7 @@ Anupam Kapoor Apeksha Gupta Archana Muniganti Archit Pandey -Ariel Otilibili +Ariel Otilibili Arkadiusz Kubalewski Arkadiusz Kusztal Arnaud Fiorini diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 814398ba4b44..092bcb73aa0a 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += desc->len; count++; } else { struct rte_mbuf *local_mbuf = @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += desc->len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.30.2