diff mbox series

[v9,1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc

Message ID	20250207104552.1663519-2-ariel.otilibili@6wind.com (mailing list archive)
State	Changes Requested
Delegated to:	Stephen Hemminger
Headers	From: Ariel Otilibili <ariel.otilibili@6wind.com> To: dev@dpdk.org Cc: stable@dpdk.org, Thomas Monjalon <thomas@monjalon.net>, David Marchand <david.marchand@redhat.com>, Stephen Hemminger <stephen@networkplumber.org>, Maryam Tahhan <mtahhan@redhat.com>, Ciara Loftus <ciara.loftus@intel.com>, Ariel Otilibili <ariel.otilibili@6wind.com> Subject: [PATCH v9 1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc Date: Fri, 7 Feb 2025 11:45:51 +0100 Message-Id: <20250207104552.1663519-2-ariel.otilibili@6wind.com> In-Reply-To: <20250207104552.1663519-1-ariel.otilibili@6wind.com> References: <20250116195640.68885-1-ariel.otilibili@6wind.com> <20250207104552.1663519-1-ariel.otilibili@6wind.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dev-bounces@dpdk.org
Series	Fix use after free, and refactor af_xdp_tx_zc \| [v9,0/2] Fix use after free, and refactor af_xdp_tx_zc [v9,1/2] net/af_xdp: Fix use after free in af_xdp_tx_zc [v9,2/2] net/af_xdp: Refactor af_xdp_tx_zc

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK

Commit Message

Ariel Otilibili Feb. 7, 2025, 10:45 a.m. UTC

tx_bytes is computed after both legs are tested. This might
produce a use after memory free.

The computation is now moved into each leg.

Bugzilla ID: 1440
Fixes: d8a210774e1d ("net/af_xdp: support unaligned umem chunks")
Signed-off-by: Ariel Otilibili <ariel.otilibili@6wind.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
---
 .mailmap                            | 2 +-
 drivers/net/af_xdp/rte_eth_af_xdp.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff mbox series

Patch

diff --git a/.mailmap b/.mailmap
index 9209a716e047..dbc6b9bdda30 100644
--- a/.mailmap
+++ b/.mailmap
@@ -134,7 +134,7 @@  Anupam Kapoor <anupam.kapoor@gmail.com>
 Apeksha Gupta <apeksha.gupta@nxp.com>
 Archana Muniganti <marchana@marvell.com> <muniganti.archana@caviumnetworks.com>
 Archit Pandey <architpandeynitk@gmail.com>
-Ariel Otilibili <otilibil@eurecom.fr> <ariel.otilibili@6wind.com>
+Ariel Otilibili <ariel.otilibili@6wind.com> <otilibil@eurecom.fr>
 Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
 Arkadiusz Kusztal <arkadiuszx.kusztal@intel.com>
 Arnaud Fiorini <arnaud.fiorini@polymtl.ca>
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 814398ba4b44..092bcb73aa0a 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -574,6 +574,7 @@  af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 					umem->mb_pool->header_size;
 			offset = offset << XSK_UNALIGNED_BUF_OFFSET_SHIFT;
 			desc->addr = addr | offset;
+			tx_bytes += desc->len;
 			count++;
 		} else {
 			struct rte_mbuf *local_mbuf =
@@ -601,11 +602,10 @@  af_xdp_tx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 			desc->addr = addr | offset;
 			rte_memcpy(pkt, rte_pktmbuf_mtod(mbuf, void *),
 					desc->len);
+			tx_bytes += desc->len;
 			rte_pktmbuf_free(mbuf);
 			count++;
 		}
-
-		tx_bytes += mbuf->pkt_len;
 	}
 
 out: