[dpdk-stable] patch 'vhost: fix potential use-after-free for zero copy mbuf' has been queued to LTS release 18.11.2

Kevin Traynor ktraynor at redhat.com
Wed Apr 10 18:43:42 CEST 2019


Hi,

FYI, your patch has been queued to LTS release 18.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie at intel.com>
Date: Fri, 22 Feb 2019 10:42:07 +0800
Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf

[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ]

Don't free the zero copy mbufs before they have been consumed,
otherwise there could be use-after-free.

Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")

Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
 lib/librte_vhost/vhost.h      | 12 ++++++++++++
 lib/librte_vhost/vhost_user.c |  3 +++
 lib/librte_vhost/virtio_net.c | 12 ------------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
index d4f34c34a..24702b4a1 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
@@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m)
 }
 
+static __rte_always_inline bool
+mbuf_is_consumed(struct rte_mbuf *m)
+{
+	while (m) {
+		if (rte_mbuf_refcnt_read(m) > 1)
+			return false;
+		m = m->next;
+	}
+
+	return true;
+}
+
 #endif /* _VHOST_NET_CDEV_H_ */
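Review bot: mbuf_is_consumed() now sits in a shared header and is also used on the free path, but it has no comment stating what "consumed" means. I would add above it `/* True when no segment in the chain has a refcnt above 1, i.e. no other holder still references the mbuf. */`. The result is only a snapshot of the counters at the time of the call, so it is safe only if no new reference can be taken afterwards; that appears to be the intent for zero-copy mbufs but should be confirmed. The parameter could also be `const struct rte_mbuf *m`, provided rte_mbuf_refcnt_read() accepts a const pointer in this release.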
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index e078473ec..d19c09cbe 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq)
 		next = TAILQ_NEXT(zmbuf, next);
 
+		while (!mbuf_is_consumed(zmbuf->mbuf))
+			usleep(1000);
+
 		restore_mbuf(zmbuf->mbuf);
 		rte_pktmbuf_free(zmbuf->mbuf);
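Review bot: The wait loop added before restore_mbuf() has no upper bound and no logging, so if the application never drops its reference to a zero-copy mbuf, free_zmbufs() sleeps in 1 ms steps forever. Whichever thread runs this path then stalls with no diagnostic, so a leaked reference in the consumer becomes a silent hang of the vhost backend. Freeing after a timeout would bring the use-after-free back, so the better option is to keep waiting but emit a rate-limited warning after a number of iterations. The loop should also carry a comment such as `/* Block until the application releases the mbuf; freeing earlier is a use-after-free. */`. free_zmbufs() starts and ends outside this hunk, so it cannot be judged from here whether a lock is held across the sleep.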
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index d8b6bdea5..206c1f125 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1332,16 +1332,4 @@ again:
 }
 
-static __rte_always_inline bool
-mbuf_is_consumed(struct rte_mbuf *m)
-{
-	while (m) {
-		if (rte_mbuf_refcnt_read(m) > 1)
-			return false;
-		m = m->next;
-	}
-
-	return true;
-}
-
 static __rte_always_inline uint16_t
 virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-04-10 14:06:10.520594931 +0100
+++ 0034-vhost-fix-potential-use-after-free-for-zero-copy-mbu.patch	2019-04-10 14:06:07.918293007 +0100
@@ -1,13 +1,14 @@
-From d767436ee5d26d1d417ae17d1a2a47879bf632a6 Mon Sep 17 00:00:00 2001
+From 006278a264ba147aa6f613f2313541b38b105f7b Mon Sep 17 00:00:00 2001
 From: Tiwei Bie <tiwei.bie at intel.com>
 Date: Fri, 22 Feb 2019 10:42:07 +0800
 Subject: [PATCH] vhost: fix potential use-after-free for zero copy mbuf
 
+[ upstream commit d767436ee5d26d1d417ae17d1a2a47879bf632a6 ]
+
 Don't free the zero copy mbufs before they have been consumed,
 otherwise there could be use-after-free.
 
 Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
-Cc: stable at dpdk.org
 
 Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
@@ -18,10 +19,10 @@
  3 files changed, 15 insertions(+), 12 deletions(-)
 
 diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
-index bcfce274b..044651b19 100644
+index d4f34c34a..24702b4a1 100644
 --- a/lib/librte_vhost/vhost.h
 +++ b/lib/librte_vhost/vhost.h
-@@ -758,3 +758,15 @@ restore_mbuf(struct rte_mbuf *m)
+@@ -772,3 +772,15 @@ restore_mbuf(struct rte_mbuf *m)
  }
  
 +static __rte_always_inline bool
@@ -38,7 +39,7 @@
 +
  #endif /* _VHOST_NET_CDEV_H_ */
 diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index e3ddf2589..6d8253514 100644
+index e078473ec..d19c09cbe 100644
 --- a/lib/librte_vhost/vhost_user.c
 +++ b/lib/librte_vhost/vhost_user.c
 @@ -1219,4 +1219,7 @@ free_zmbufs(struct vhost_virtqueue *vq)
@@ -50,10 +51,10 @@
  		restore_mbuf(zmbuf->mbuf);
  		rte_pktmbuf_free(zmbuf->mbuf);
 diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index 862ca5e1a..40a292364 100644
+index d8b6bdea5..206c1f125 100644
 --- a/lib/librte_vhost/virtio_net.c
 +++ b/lib/librte_vhost/virtio_net.c
-@@ -1307,16 +1307,4 @@ again:
+@@ -1332,16 +1332,4 @@ again:
  }
  
 -static __rte_always_inline bool

