From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id BAD3946162
	for <public@inbox.dpdk.org>; Sat,  1 Feb 2025 11:03:14 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id B3E7C402E7;
	Sat,  1 Feb 2025 11:03:14 +0100 (CET)
Received: from mail-wm1-f98.google.com (mail-wm1-f98.google.com
 [209.85.128.98]) by mails.dpdk.org (Postfix) with ESMTP id 22781402DA
 for <stable@dpdk.org>; Sat,  1 Feb 2025 11:03:12 +0100 (CET)
Received: by mail-wm1-f98.google.com with SMTP id
 5b1f17b1804b1-436345cc17bso21041285e9.0
 for <stable@dpdk.org>; Sat, 01 Feb 2025 02:03:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=6wind.com; s=google; t=1738404192; x=1739008992; darn=dpdk.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=goNQLdxV8GPZKjJhQxNbRZ11lznIXp+Qg3b9P4fWxQw=;
 b=biLRMl+pnXSd+csdWV3s2e5kYUWHWHKoe8++MpTIGBQCBV/UDtEBNpwpIX7ogIp9rB
 lG/SupGPxl/7GjSU7CGlrIsVI9Zu05b1H9UFOxTRepv49TOkRHHmLw80396ObDAs6Tlr
 EHdecMwZwe5VN42GQXRlFNBNdWB7CtbiwP/ITIDNBQRuZMqgI32FtJr/moBsLS27hcdb
 exn3kAg1TViPy8PGPPLr0mF+EUZZ+MaGp5vxP8R49On1yg79s1PDZs7GqlO2zeIf3nr0
 z0pPb06HUb9sJarwo1ArYBsW5MT+LZ1qNlQArVAoJvsVq7ymUOZ97qOTw27sVTxAeufX
 jUJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1738404192; x=1739008992;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=goNQLdxV8GPZKjJhQxNbRZ11lznIXp+Qg3b9P4fWxQw=;
 b=Ovu0694ffpTY/WyQYNQ+b5cJ0IU1QA+S4MaagcRs2FVfSCYIjE5putJZTv5NoyRC3o
 Y1Ql/3DDFtxGxwn/WZINx5NBhgybSsKqZOnb5jpqo54ElIOo46JSAdkMgKDjDkFh/hal
 JGkQ0RMPc46X1z+0kvIX+skx3bvQKH/6H3cOehsrVgW7l1is38wt3xgsion04dDEXCgp
 zYu8P+R3S9JoytGKUhh5zVrtNwmjLx1XaiZP5mnj3p/EpdYr2FtUGd1TSvDBEUo/d0V7
 Z3Sz5zZIJEjzjzoP8yAisI0LoZq0Z1DuK/ec05Axn9+Hg4hzrXXK/jzC3EfzAvhSt8qH
 lkIg==
X-Gm-Message-State: AOJu0YxG/OxpsXzqesLXEHyjCLUk41i5w64qW8kyyEFJvUf6LysqrPL/
 f4L7ygJILVwW6w9x597jhy7d948jLQsqyiY8VnLwDAIN0kovujDyztX46n5dBK6dicHEJCaMsB6
 1riI55RD6L5fV+v9CgHl3h4WIdVHO1RZJ
X-Gm-Gg: ASbGncvdrRaZnKbExMiM3umd1rfKySAzYYFvK+HCW0fspuFXsxQ3pa3cA3jHkaNw/aa
 DkKQnRr58oR1hzcmJ6dUzrFHGRybSaVoQubIJ26Wv3ADgkyIDGCcpeXfLKpJOKbNOdF5PZtW9m0
 Vq8ClN6Vsk4k+9SLa4qiAPcgVkk3AOLBv3RTKIIiPyzQKcdRHtJbBRdCY456B78wiKxB4gV+L9E
 RBYxCPJfAPKVy8PntnduYPqvogSKB8vI1q7F1oJ28TmvEZY8oP80nD2VpRMsoM1nlzj0BGuiOCv
 MaLziJ5icvot2Clna1yPd4qnrO2gYc4yvaqsdo7Qp5eUf8Sp5A==
X-Google-Smtp-Source: AGHT+IE2e8zh/n9gj91ycmfz6HS8MxkMYjzUwzRqHhc1C5ue4paolyuwtLbBwsPXfXCyXjok8DsDl4ngmIxT
X-Received: by 2002:a05:600c:310f:b0:434:fdbc:5cf7 with SMTP id
 5b1f17b1804b1-438dc41e96emr114504575e9.27.1738404191681; 
 Sat, 01 Feb 2025 02:03:11 -0800 (PST)
Received: from smtpservice.6wind.com ([185.13.181.2])
 by smtp-relay.gmail.com with ESMTP id
 5b1f17b1804b1-438dcc12c2esm8699235e9.10.2025.02.01.02.03.11; 
 Sat, 01 Feb 2025 02:03:11 -0800 (PST)
X-Relaying-Domain: 6wind.com
Received: from localhost (rainbow.dev.6wind.com [10.17.1.165])
 by smtpservice.6wind.com (Postfix) with ESMTP id 914301A106;
 Sat,  1 Feb 2025 11:03:11 +0100 (CET)
From: Ariel Otilibili <ariel.otilibili@6wind.com>
To: dev@dpdk.org
Cc: stable@dpdk.org, Thomas Monjalon <thomas@monjalon.net>,
 David Marchand <david.marchand@redhat.com>,
 Stephen Hemminger <stephen@networkplumber.org>,
 Maryam Tahhan <mtahhan@redhat.com>, Ciara Loftus <ciara.loftus@intel.com>,
 Ariel Otilibili <ariel.otilibili@6wind.com>
Subject: [PATCH v7 1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc
Date: Sat,  1 Feb 2025 11:02:59 +0100
Message-Id: <20250201100300.2194018-2-ariel.otilibili@6wind.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250201100300.2194018-1-ariel.otilibili@6wind.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
 <20250201100300.2194018-1-ariel.otilibili@6wind.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

tx_bytes is computed after both legs are tested. This might
produce a use after memory free.

The computation is now moved into each leg.

Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
---
 .mailmap                            | 2 +-
 drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.mailmap b/.mailmap
index 76f65e5114d4..42fcefacf573 100644
--- a/.mailmap
+++ b/.mailmap
@@ -134,7 +134,7 @@ Anupam Kapoor <anupam.kapoor@gmail.com>
 Apeksha Gupta <apeksha.gupta@nxp.com>
 Archana Muniganti <marchana@marvell.com> <muniganti.archana@caviumnetworks.com>
 Archit Pandey <architpandeynitk@gmail.com>
-Ariel Otilibili <otilibil@eurecom.fr> <ariel.otilibili@6wind.com>
+Ariel Otilibili <ariel.otilibili@6wind.com> <otilibil@eurecom.fr>
 Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
 Arkadiusz Kusztal <arkadiuszx.kusztal@intel.com>
 Arnaud Fiorini <arnaud.fiorini@polymtl.ca>
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 814398ba4b44..092bcb73aa0a 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					umem->mb_pool->header_size;
 			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
 			desc->addr = addr | offset;
+			tx_bytes += desc->len;
 			count++;
 		} else {
 			struct rte_mbuf *local_mbuf =
@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 			desc->addr = addr | offset;
 			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
 					desc->len);
+			tx_bytes += desc->len;
 			rte_pktmbuf_free(mbuf);
 			count++;
 		}
-
-		tx_bytes += mbuf->pkt_len;
 	}
 
 out:
-- 
2.30.2