From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 0A081462CC for ; Wed, 26 Feb 2025 21:08:49 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id ABE3940648; Wed, 26 Feb 2025 21:08:48 +0100 (CET) Received: from mail-lf1-f100.google.com (mail-lf1-f100.google.com [209.85.167.100]) by mails.dpdk.org (Postfix) with ESMTP id B869E4029A for ; Wed, 26 Feb 2025 21:08:46 +0100 (CET) Received: by mail-lf1-f100.google.com with SMTP id 2adb3069b0e04-5462ea9691cso138446e87.2 for ; Wed, 26 Feb 2025 12:08:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; t=1740600526; x=1741205326; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=3gjWwstkPyJjBBCYsBY0uVtHQOjQfzbSuqE7Eb2knZ4=; b=H1W34bIPtz5C0iIXUErERrxW23O/H7WjAF6KIzJ1Y6/85MpoyEPj4E3rfv5NXgTEhs q21q3bvlY/C4gELuxAnmnFjRFfEFd9ivAyKnTI8VJ+hdYJXg0MEMaKE/MTGWXjUH2Zei 3SPT0VT54TKIzEoahwWFoF7CAFzHIgyy8asekTHeltqRB3IL9+fGzfWKGGccPnQFdH0Z 62RgFG/DeskubdeSLAK/z1WACja9zzIGvebrVP8jaSrNwzqWNrBFiCWxxq1RA9ZXLMxr U97BqD8e2FEXyMKuweWEh8BGR1E4CKPXsp7ZEt5B8IObqRkNRSs9gKXcE1XSTDDZus5j MCtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740600526; x=1741205326; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3gjWwstkPyJjBBCYsBY0uVtHQOjQfzbSuqE7Eb2knZ4=; b=YRAbmPQBnQXRCyVkUnZFmzxcIS+nrOz3P1QDRofUkouW0cQ4GWXr2cTD45uCpHbbwE w9+MaVyRQ8DC6iLuSWb925b03je1Nqu7cbryTJ3lH3aLDcBmOB5e1b2bzQ/CTC4yHdPP YQJL0eLuBAw6tqgN8lPp+G4MVz6nuPBGyC4xp8f3nsHZbCCySzSE2e3OZ9nN9s6kkb9x 5FCUf9f+DJa3RfOuhhCritEzYXedJYzrzZevBs/XH0gLZvUMM9NjtCYqpFLQlryV9YHa ykLP4Ml95koJ3DX+8UfiFS5tzSzAaF5JeFE3nKB2SXwO26Q/UabHFNDdHf0WNdvv/CoU A0VA== X-Forwarded-Encrypted: i=1; AJvYcCVDPBFMIPizEDysTTOSgfh6NfCte6dpTm2b4rVCZiEX1aPgYBrxJ/mGCrhUPis14Z2daYGT7Lc=@dpdk.org X-Gm-Message-State: AOJu0YxZpCxpLEnKL/F+w9BwHJWzUNqNHJiPNJVPTqUZDxs/KlCyNn+A mjNiLXVzpn5zAs4AX6xR50SpePsooF4Lu4xu3BsPRj3wg6DdxGccI1g3AzyklB2UJX3La9ZBlvm 6x11UZntVBL5/Y8aZZ08NrNaz7x++tojD X-Gm-Gg: ASbGncupl/hFOYzr/weoUqqbksJROW6GRWT/Jz8C+oc20IehxzUzSoX+RsUqbnkjlMu XuOKFSGFcRdxA363LRgK9OBIzQ5/X2DDPa90e66bjFJJX+DmU4njbpKb5sv67R+YgtKL6/fFdL8 ApGhhZAGKpJxfXuYQNqtWjCP9dS8koMVt2HCWmQJMx/QEfmT3STUzueIMFPvJYFLYsXn7vmCoVN tw//qErmxPQQlIYPau2gODCU5/gWDDhLEkOFLgBHnqUk1Br0EVbj0FPWcGR9L1wCoX6MEu7XLhY 6oL/Zk/WFj/hAwAPw0tsiTb9hBbkrwXhgHFZdVKhcj9YdnDKeJFAPDTM1fQ/ X-Google-Smtp-Source: AGHT+IF8TNu9tZTw8SQ/fMF+ZX+Fj6dSpHTL5UKiOalCdZI/BVhbf2yMmmcO9aSsfIgqKugOkmN9o+OKHpaq X-Received: by 2002:a05:6512:3e08:b0:545:2ed9:5048 with SMTP id 2adb3069b0e04-5493c5c5c34mr3979621e87.45.1740600526036; Wed, 26 Feb 2025 12:08:46 -0800 (PST) Received: from smtpservice.6wind.com ([185.13.181.2]) by smtp-relay.gmail.com with ESMTP id 2adb3069b0e04-548514f1768sm172055e87.90.2025.02.26.12.08.45; Wed, 26 Feb 2025 12:08:46 -0800 (PST) X-Relaying-Domain: 6wind.com Received: from localhost (rainbow.dev.6wind.com [10.17.1.165]) by smtpservice.6wind.com (Postfix) with ESMTP id A610C17600; Wed, 26 Feb 2025 21:08:45 +0100 (CET) From: Ariel Otilibili To: dev@dpdk.org Cc: Thomas Monjalon , David Marchand , stable@dpdk.org, Stephen Hemminger , Ciara Loftus , Maryam Tahhan , Ariel Otilibili Subject: [PATCH v12 1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc Date: Wed, 26 Feb 2025 21:08:40 +0100 Message-Id: <20250226200841.2342632-2-ariel.otilibili@6wind.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250226200841.2342632-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> <20250226200841.2342632-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org tx_bytes is computed after both legs are tested. This might produce a use after memory free. The computation is now moved into each leg. Bugzilla ID: 1440 Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks") Signed-off-by: Ariel Otilibili Acked-by: Stephen Hemminger --- .mailmap | 2 +- drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.mailmap b/.mailmap index a03d3cfb591b..ea68d6180ccc 100644 --- a/.mailmap +++ b/.mailmap @@ -135,7 +135,7 @@ Anupam Kapoor Apeksha Gupta Archana Muniganti Archit Pandey -Ariel Otilibili +Ariel Otilibili Arkadiusz Kubalewski Arkadiusz Kusztal Arnaud Fiorini diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c index 814398ba4b44..092bcb73aa0a 100644 --- a/drivers/net/af_xdp/rte_eth_af_xdp.c +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) umem->mb_pool->header_size; offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT; desc->addr = addr | offset; + tx_bytes += desc->len; count++; } else { struct rte_mbuf *local_mbuf = @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) desc->addr = addr | offset; rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *), desc->len); + tx_bytes += desc->len; rte_pktmbuf_free(mbuf); count++; } - - tx_bytes += mbuf->pkt_len; } out: -- 2.30.2