Message-ID: <9c1f0556-89b6-9cb4-9d3d-05cfa9da6f9c@redhat.com>
Date: Wed, 23 Nov 2022 18:13:46 +0000
Subject: Re: [PATCH 21.11] examples/vhost: fix use after free
To: Wenwu Ma, stable@dpdk.org
Cc: chenbo.xia@intel.com, weix.ling@intel.com, yuanx.wang@intel.com, xingguang.he@intel.com, yux.jiang@intel.com
From: Kevin Traynor
List-Id: patches for DPDK stable branches

On 16/11/2022 01:40, Wenwu Ma wrote:
> [ upstream commit 40abb903fe0aff0556d15d96385a4c7b647649b5 ]
>
> In async_enqueue_pkts(), the failed pkts will
> be freed before return, but, the failed pkts may be
> retried later, it will cause use after free. So,
> we free the failed pkts after retry.
>
> Fixes: 1907ce4baec3 ("examples/vhost: fix retry logic on Rx path")
>
> Signed-off-by: Wenwu Ma
> Tested-by: Wei Ling
> Reviewed-by: Chenbo Xia
> ---

Thanks for the backport. This is not pushed to 21.11 branch.

> examples/vhost/main.c | 21 ++++++++++++--------- > 1 file changed, 12 insertions(+), 9 deletions(-) > > diff --git a/examples/vhost/main.c b/examples/vhost/main.c > index f9e932061f..36464922e3 100644 > --- a/examples/vhost/main.c > +++ b/examples/vhost/main.c > @@ -908,17 +908,10 @@ enqueue_pkts(struct vhost_dev *vdev, struct rte_mbuf **pkts, uint16_t rx_count) > if (builtin_net_driver) { > enqueue_count = vs_enqueue_pkts(vdev, VIRTIO_RXQ, pkts, rx_count); > } else if (async_vhost_driver) { > - uint16_t enqueue_fail = 0; > - > complete_async_pkts(vdev); > enqueue_count = rte_vhost_submit_enqueue_burst(vdev->vid, > VIRTIO_RXQ, pkts, rx_count); > __atomic_add_fetch(&vdev->pkts_inflight, enqueue_count, __ATOMIC_SEQ_CST); > - > - enqueue_fail = rx_count - enqueue_count; > - if (enqueue_fail) > - free_pkts(&pkts[enqueue_count], enqueue_fail); > - > } else { > enqueue_count = rte_vhost_enqueue_burst(vdev->vid, VIRTIO_RXQ, > pkts, rx_count);
> @@ -944,8 +937,13 @@ drain_vhost(struct vhost_dev *vdev) > __ATOMIC_SEQ_CST); > } > > - if (!async_vhost_driver) > + if (!async_vhost_driver) { > free_pkts(m, nr_xmit); > + } else { > + uint16_t enqueue_fail = nr_xmit - ret; > + if (enqueue_fail > 0) > + free_pkts(&m[ret], enqueue_fail); > + } > } > > static __rte_always_inline void > @@ -1249,8 +1247,13 @@ drain_eth_rx(struct vhost_dev *vdev) > __ATOMIC_SEQ_CST); > } > > - if (!async_vhost_driver) > + if (!async_vhost_driver) { > free_pkts(pkts, rx_count); > + } else { > + uint16_t enqueue_fail = rx_count - enqueue_count; > + if (enqueue_fail > 0) > + free_pkts(&pkts[enqueue_count], enqueue_fail); > + } > } > > static __rte_always_inline void
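
Review bot: in the `enqueue_pkts()` hunk, the async branch no longer frees `&pkts[enqueue_count]`, so ownership of the unsubmitted tail now passes to the caller, but only when `async_vhost_driver` is set, and nothing documents that. Add a comment above `enqueue_pkts()` stating that in async mode the caller must free `pkts[enqueue_count..rx_count)` once it has finished retrying, and check that every caller does so. The patch updates `drain_vhost()` and `drain_eth_rx()`; a caller that was missed would leak the tail mbufs instead of crashing, which is easy to overlook in testing.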
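
Review bot: in the `drain_vhost()` hunk, `uint16_t enqueue_fail = nr_xmit - ret;` relies on `ret <= nr_xmit`; if `ret` can exceed it, or is a signed type that can carry an error value, the subtraction wraps and `free_pkts(&m[ret], enqueue_fail)` runs past the end of the burst. The declaration of `ret` is outside the hunk, so confirm its type and range, or guard with `if (ret < nr_xmit)` before computing the count. Style: add a blank line after the declaration, and since `enqueue_fail` is unsigned, `enqueue_fail > 0` can be written `if (enqueue_fail)`, as the code removed from `enqueue_pkts()` did.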
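
Review bot: in the `drain_eth_rx()` hunk, the tail free starts at `&pkts[enqueue_count]`, which is only correct if `enqueue_count` holds the cumulative number enqueued after the retry the commit message refers to; that code is outside the visible context, so confirm it accumulates across retries and is not overwritten by the last attempt. The new `else` block is also a copy of the one added to `drain_vhost()`; a small helper taking the array, the total and the number enqueued would keep the two paths from drifting apart.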