From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id D62FD462A2
	for <public@inbox.dpdk.org>; Sun, 23 Feb 2025 22:53:05 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id C3983402E4;
	Sun, 23 Feb 2025 22:53:05 +0100 (CET)
Received: from mail-ed1-f98.google.com (mail-ed1-f98.google.com
 [209.85.208.98]) by mails.dpdk.org (Postfix) with ESMTP id 1FC86402CF
 for <stable@dpdk.org>; Sun, 23 Feb 2025 22:53:04 +0100 (CET)
Received: by mail-ed1-f98.google.com with SMTP id
 4fb4d7f45d1cf-5ded1395213so6340619a12.2
 for <stable@dpdk.org>; Sun, 23 Feb 2025 13:53:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=6wind.com; s=google; t=1740347584; x=1740952384; darn=dpdk.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=3gjWwstkPyJjBBCYsBY0uVtHQOjQfzbSuqE7Eb2knZ4=;
 b=BXQhuuY3qnf5PfmReuLG6OfliVABqFlU39540IEPL1EQ5TpziopEM2TW3pjcdnJ5Ht
 N5vFj/FXxhyS2MyTFPV3XA+Ikb5amwkmloBcEXRODp44AH19e8N2vsjWlgw+D+K45wHJ
 cqxRzp5mrl7lde2M3+Yw/JBXMAXqk8BN7TeAe5WhyidLj1dADa/j69CzbBcHTXFkl9KZ
 nh4RN41kGhpPtliBfP7Ex+aSvhEVdIyOMnYcbS2C8R+E6486wmDroUqQ9U7svolDdFZu
 QW954rraXlUQkEyD69EMo8ARw5amfoC6qOb6uvMxRcrqnbud+JxmEdJ0WLV37ByKPq6I
 RBwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1740347584; x=1740952384;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=3gjWwstkPyJjBBCYsBY0uVtHQOjQfzbSuqE7Eb2knZ4=;
 b=AVAHh/r5mGkThkzzX46p6anrcsiHcJjQrl5zULjGAYBE09THU6WjjxZXKeDys/flGR
 dZTai3aBgZ+0bFPZorQV1lPVRnsHQJBrnKBUouVEpLcY2Xyyi2OpfK4b+ecCb/xjxGon
 CB/WiuLJ763HVPgfcMg4kuDd2vSX6gtbE7KQZ+/W2TjKNMWl6szA4KWxercalI79Hfyo
 w9MEqMoz7Rkdda2do/0vw5Lf+QqdlGTAaso9J7fNJNut0p4z7XUZdHGbkH36YJoMhBSo
 gh35mDfKUrcqcC7cXBCDoLtCOMnUhvU/sW3N1aFI83p0EBl3eJh23eOAyxDbyM/Wkv27
 LZSw==
X-Forwarded-Encrypted: i=1;
 AJvYcCU++fOIkwZiU1TH/5KqzcObZgf9nUOUUlVKOCUSpDfDYUUrFdi9HQ2fAQATwIKl96mP0/0BrnM=@dpdk.org
X-Gm-Message-State: AOJu0YwMDN+f+LvXxPc2DTAMM7G7rEabHQ2axbc+oTqPo/JVHqsDbACw
 x9rMxM/RnAhcwO9PkcxllADE8Ks2H1S/pNVMx7G6JFqz/e1AvrsvNEIZGz/yASL+NEHWBhOYdEP
 gcBQ+7MkupC9rfqSoIhqHDApkwZXTVjMQ
X-Gm-Gg: ASbGncvioq22uCIjwQ99iJOqjA4hT8HPKcxMVg+MDkAvjlNj2iHNAvLPxiEvYUH/nGb
 jXnPmuzvy2ib5Fg9HEYoEsWy/YItOTYKKL6X8VuN5AaXWK1ydZS3O4oq6NksjlVcC/BS6cIaT2w
 9WK+Yi42HGYzy+ON6YdMwDZp7jQbPD8u31DA/Jl4tyxrQ8ayIR0oL1s/vR9MApzvFg32FrXvIy/
 VmLlqqLpCaLaIl5V0jzwVpwb1u5nPCWmZsw4aiB9paG18VDu3zvZfw7nmUsvqrpzOmN/nUEgkSa
 XsIOweszTvnGOFZFQAsxwvl9wWRc2g4OG4DTxpXQcGLLoZEO3dBLZEuJ7Uxa
X-Google-Smtp-Source: AGHT+IFt+vD9DTpksJDmrbUFOLaufU4OcMUvDAc5f7xQ9VHvhZqbKenBIIG4fjkZEpR/jmcvsyfLKV5g39ee
X-Received: by 2002:a17:907:2d06:b0:ab6:ed9e:9739 with SMTP id
 a640c23a62f3a-abc09c0aa77mr1232698866b.42.1740347583766; 
 Sun, 23 Feb 2025 13:53:03 -0800 (PST)
Received: from smtpservice.6wind.com ([185.13.181.2])
 by smtp-relay.gmail.com with ESMTP id
 a640c23a62f3a-abb9de4ad49sm103390866b.2.2025.02.23.13.53.03; 
 Sun, 23 Feb 2025 13:53:03 -0800 (PST)
X-Relaying-Domain: 6wind.com
Received: from localhost (rainbow.dev.6wind.com [10.17.1.165])
 by smtpservice.6wind.com (Postfix) with ESMTP id 9A3D314F04;
 Sun, 23 Feb 2025 22:53:03 +0100 (CET)
From: Ariel Otilibili <ariel.otilibili@6wind.com>
To: dev@dpdk.org
Cc: Thomas Monjalon <thomas@monjalon.net>,
 David Marchand <david.marchand@redhat.com>, stable@dpdk.org,
 Stephen Hemminger <stephen@networkplumber.org>,
 Ciara Loftus <ciara.loftus@intel.com>, Maryam Tahhan <mtahhan@redhat.com>,
 Ariel Otilibili <ariel.otilibili@6wind.com>
Subject: [PATCH v10 1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc
Date: Sun, 23 Feb 2025 22:52:58 +0100
Message-Id: <20250223215259.448723-2-ariel.otilibili@6wind.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250223215259.448723-1-ariel.otilibili@6wind.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
 <20250223215259.448723-1-ariel.otilibili@6wind.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

tx_bytes is computed after both legs are tested. This might
produce a use after memory free.

The computation is now moved into each leg.

Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
---
 .mailmap                            | 2 +-
 drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.mailmap b/.mailmap
index a03d3cfb591b..ea68d6180ccc 100644
--- a/.mailmap
+++ b/.mailmap
@@ -135,7 +135,7 @@ Anupam Kapoor <anupam.kapoor@gmail.com>
 Apeksha Gupta <apeksha.gupta@nxp.com>
 Archana Muniganti <marchana@marvell.com> <muniganti.archana@caviumnetworks.com>
 Archit Pandey <architpandeynitk@gmail.com>
-Ariel Otilibili <otilibil@eurecom.fr> <ariel.otilibili@6wind.com>
+Ariel Otilibili <ariel.otilibili@6wind.com> <otilibil@eurecom.fr>
 Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
 Arkadiusz Kusztal <arkadiuszx.kusztal@intel.com>
 Arnaud Fiorini <arnaud.fiorini@polymtl.ca>
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 814398ba4b44..092bcb73aa0a 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					umem->mb_pool->header_size;
 			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
 			desc->addr = addr | offset;
+			tx_bytes += desc->len;
 			count++;
 		} else {
 			struct rte_mbuf *local_mbuf =
@@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 			desc->addr = addr | offset;
 			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
 					desc->len);
+			tx_bytes += desc->len;
 			rte_pktmbuf_free(mbuf);
 			count++;
 		}
-
-		tx_bytes += mbuf->pkt_len;
 	}
 
 out:
-- 
2.30.2