From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <30d650e7-4f7a-4cd1-92d2-02b049f3889e@redhat.com>
Date: Mon, 20 Jan 2025 14:54:31 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v2 1/2] net/af_xdp: fix use after free in af_xdp_tx_zc()
To: Ariel Otilibili <ariel.otilibili@6wind.com>, dev@dpdk.org
Cc: stable@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
 Thomas Monjalon <thomas@monjalon.net>,
 David Marchand <david.marchand@redhat.com>,
 Ciara Loftus <ciara.loftus@intel.com>
References: <20250116195640.68885-1-ariel.otilibili@6wind.com>
 <20250116225151.188214-1-ariel.otilibili@6wind.com>
 <20250116225151.188214-2-ariel.otilibili@6wind.com>
From: Maryam Tahhan <mtahhan@redhat.com>
In-Reply-To: <20250116225151.188214-2-ariel.otilibili@6wind.com>
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: patches for DPDK stable branches <stable.dpdk.org>


On 16/01/2025 17:51, Ariel Otilibili wrote:
> tx_bytes is computed after both legs are tested. This might
> produce a use after memory free.
>
> The computation is now moved into each leg.
>
> Bugzilla ID: 1440
> Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
> Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
> ---
>   drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
> index 814398ba4b44..4326a29f7042 100644
> --- a/drivers/net/af_xdp/rte_eth_af_xdp.c
> +++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
> @@ -574,6 +574,7 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>   					umem->mb_pool->header_size;
>   			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
>   			desc->addr = addr | offset;
> +			tx_bytes += mbuf->pkt_len;
>   			count++;
>   		} else {
>   			struct rte_mbuf *local_mbuf =
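
Review bot: the `tx_bytes += mbuf->pkt_len;` added before `count++` in this leg is the same statement the second hunk adds to the else leg, so the byte accounting now lives in two places. Reading `mbuf->pkt_len` into a local before the if/else and keeping a single `tx_bytes +=` on that local at the end of the loop body would close the same use after free with one accounting site.
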
> @@ -601,11 +602,10 @@ af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
>   			desc->addr = addr | offset;
>   			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
>   					desc->len);
> +			tx_bytes += mbuf->pkt_len;
>   			rte_pktmbuf_free(mbuf);
>   			count++;
>   		}
> -
> -		tx_bytes += mbuf->pkt_len;
>   	}
>   
>   out:
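
Review bot: in the else leg the new `tx_bytes += mbuf->pkt_len;` is only safe because it sits above `rte_pktmbuf_free(mbuf);`, and nothing in the code records that ordering requirement. A one-line comment stating that mbuf must not be read after the free would keep a later cleanup from hoisting the statement back to where the removed line was.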

I think that you could've just set tx_bytes to the desc->len as this is 
being set in all scenarios...

tx_bytes += desc->len;
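
The accounting bug discussed in this thread, reduced to a stand-alone model. This is an added example, not code from the patch or from DPDK: `toy_mbuf`, `toy_free`, `POISON`, `sample_burst` and both accounting functions are hypothetical names, and the free routine poisons the buffer the way a debug pool would so the stale read is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins (hypothetical, not DPDK types). */
struct toy_mbuf { uint32_t pkt_len; int from_umem_pool; };
#define POISON 0xDEADBEEFu
/* Returning a buffer to its pool; the slot may be reused at once. */
static void toy_free(struct toy_mbuf *m) { m->pkt_len = POISON; }

/* Constructed sample burst: one zero-copy packet, two copied packets. */
static void sample_burst(struct toy_mbuf b[3])
{
    b[0] = (struct toy_mbuf){ 64, 1 };
    b[1] = (struct toy_mbuf){ 1500, 0 };
    b[2] = (struct toy_mbuf){ 128, 0 };
}

/* Before the patch: the length is read after both legs, so the copy
 * leg reads a buffer that was already handed back to the pool. */
static uint64_t tx_bytes_after_legs(struct toy_mbuf *bufs, size_t n)
{
    uint64_t tx_bytes = 0;
    for (size_t i = 0; i < n; i++) {
        struct toy_mbuf *mbuf = &bufs[i];
        if (!mbuf->from_umem_pool)
            toy_free(mbuf);            /* copy leg frees the source */
        tx_bytes += mbuf->pkt_len;     /* stale read on the copy leg */
    }
    return tx_bytes;
}

/* After the patch: each leg accounts before anything frees mbuf. */
static uint64_t tx_bytes_in_each_leg(struct toy_mbuf *bufs, size_t n)
{
    uint64_t tx_bytes = 0;
    for (size_t i = 0; i < n; i++) {
        struct toy_mbuf *mbuf = &bufs[i];
        tx_bytes += mbuf->pkt_len;     /* read while still owned */
        if (!mbuf->from_umem_pool)
            toy_free(mbuf);
    }
    return tx_bytes;
}

int main(void)
{
    struct toy_mbuf a[3], b[3];
    sample_burst(a); sample_burst(b);
    printf("after legs:  %llu\n", (unsigned long long)tx_bytes_after_legs(a, 3));
    printf("in each leg: %llu\n", (unsigned long long)tx_bytes_in_each_leg(b, 3));
    return 0;
}
```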