[dpdk-stable] patch 'vhost: fix potential use-after-free for memory region' has been queued to LTS release 18.11.2
Kevin Traynor
ktraynor at redhat.com
Wed Apr 10 18:43:43 CEST 2019
Hi,
FYI, your patch has been queued to LTS release 18.11.2
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/16/19. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double-check that the rebase was
correctly done.
Thanks.
Kevin Traynor
---
>From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie at intel.com>
Date: Fri, 22 Feb 2019 10:42:08 +0800
Subject: [PATCH] vhost: fix potential use-after-free for memory region
[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ]
Reclaim outstanding zmbufs first before freeing memory regions,
otherwise there could be use-after-free.
Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
lib/librte_vhost/vhost.h | 6 +++++
lib/librte_vhost/vhost_user.c | 46 +++++++++++++++++++++++++----------
lib/librte_vhost/virtio_net.c | 6 -----
3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
index 24702b4a1..0f9fc9edd 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
@@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
}
+static __rte_always_inline void
+put_zmbuf(struct zcopy_mbuf *zmbuf)
+{
+ zmbuf->in_use = 0;
+}
+
#endif /* _VHOST_NET_CDEV_H_ */
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index d19c09cbe..be4f3c6c8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -94,4 +94,27 @@ get_blk_size(int fd)
}
+/*
+ * Reclaim all the outstanding zmbufs for a virtqueue.
+ */
+static void
+drain_zmbuf_list(struct vhost_virtqueue *vq)
+{
+ struct zcopy_mbuf *zmbuf, *next;
+
+ for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list);
+ zmbuf != NULL; zmbuf = next) {
+ next = TAILQ_NEXT(zmbuf, next);
+
+ while (!mbuf_is_consumed(zmbuf->mbuf))
+ usleep(1000);
+
+ TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next);
+ restore_mbuf(zmbuf->mbuf);
+ rte_pktmbuf_free(zmbuf->mbuf);
+ put_zmbuf(zmbuf);
+ vq->nr_zmbuf -= 1;
+ }
+}
+
static void
free_mem_region(struct virtio_net *dev)
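Review bot: The wait loop in `drain_zmbuf_list`, `while (!mbuf_is_consumed(zmbuf->mbuf)) usleep(1000);`, has no upper bound, and with this patch it also runs on the memory-region teardown path rather than only in `free_zmbufs`. If the application keeps a zero-copy mbuf indefinitely, the calling thread would presumably stall here with no log output, so a stuck consumer becomes a hung control path that is hard to diagnose. I would extend the header comment to state the blocking behaviour, e.g. `* Blocks until the application has released every zero-copy mbuf; the caller must be allowed to sleep.`, and consider emitting one log line after a bounded number of iterations. Unlinking the entry with `TAILQ_REMOVE` before the free, and adding the `put_zmbuf`/`nr_zmbuf` accounting, looks right.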
@@ -99,8 +122,17 @@ free_mem_region(struct virtio_net *dev)
uint32_t i;
struct rte_vhost_mem_region *reg;
+ struct vhost_virtqueue *vq;
if (!dev || !dev->mem)
return;
+ if (dev->dequeue_zero_copy) {
+ for (i = 0; i < dev->nr_vring; i++) {
+ vq = dev->virtqueue[i];
+ if (vq)
+ drain_zmbuf_list(vq);
+ }
+ }
+
for (i = 0; i < dev->mem->nregions; i++) {
reg = &dev->mem->regions[i];
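Review bot: The new drain loop in `free_mem_region` edits `vq->zmbuf_list` and `vq->nr_zmbuf` for every ring, but nothing visible in this hunk shows that the dequeue path is excluded while that happens. If a data-path thread can still attach zero-copy mbufs to the same virtqueue, entries added after the drain would again reference guest memory that the region loop below is about to free, which is the use-after-free this commit sets out to close. It is worth confirming that every caller reaches this function with the virtqueue access lock held (or with the device stopped) and recording that as a precondition, e.g. `/* Caller must hold each vq's access_lock: zmbuf lists are drained before the regions are freed. */`. The function body continues past the end of the hunk.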
@@ -1213,17 +1245,5 @@ static void
free_zmbufs(struct vhost_virtqueue *vq)
{
- struct zcopy_mbuf *zmbuf, *next;
-
- for (zmbuf = TAILQ_FIRST(&vq->zmbuf_list);
- zmbuf != NULL; zmbuf = next) {
- next = TAILQ_NEXT(zmbuf, next);
-
- while (!mbuf_is_consumed(zmbuf->mbuf))
- usleep(1000);
-
- restore_mbuf(zmbuf->mbuf);
- rte_pktmbuf_free(zmbuf->mbuf);
- TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next);
- }
+ drain_zmbuf_list(vq);
rte_free(vq->zmbufs);
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 206c1f125..a6576891a 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
}
-static __rte_always_inline void
-put_zmbuf(struct zcopy_mbuf *zmbuf)
-{
- zmbuf->in_use = 0;
-}
-
static __rte_always_inline int
copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
--
2.20.1
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2019-04-10 14:06:10.595605800 +0100
+++ 0035-vhost-fix-potential-use-after-free-for-memory-region.patch 2019-04-10 14:06:07.925292847 +0100
@@ -1,13 +1,14 @@
-From 2a2904fa9cc44493bcea495bab944b032b24f7cb Mon Sep 17 00:00:00 2001
+From 33e48fdb4e408df754a8d668bfdd0b77dceba0e4 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie at intel.com>
Date: Fri, 22 Feb 2019 10:42:08 +0800
Subject: [PATCH] vhost: fix potential use-after-free for memory region
+[ upstream commit 2a2904fa9cc44493bcea495bab944b032b24f7cb ]
+
Reclaim outstanding zmbufs first before freeing memory regions,
otherwise there could be use-after-free.
Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")
-Cc: stable at dpdk.org
Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
@@ -18,10 +19,10 @@
3 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/lib/librte_vhost/vhost.h b/lib/librte_vhost/vhost.h
-index 044651b19..f008ec43b 100644
+index 24702b4a1..0f9fc9edd 100644
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
-@@ -770,3 +770,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
+@@ -784,3 +784,9 @@ mbuf_is_consumed(struct rte_mbuf *m)
}
+static __rte_always_inline void
@@ -32,7 +33,7 @@
+
#endif /* _VHOST_NET_CDEV_H_ */
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index 6d8253514..36c0c676d 100644
+index d19c09cbe..be4f3c6c8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -94,4 +94,27 @@ get_blk_size(int fd)
@@ -101,10 +102,10 @@
rte_free(vq->zmbufs);
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index 40a292364..a6a33a101 100644
+index 206c1f125..a6576891a 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
-@@ -1064,10 +1064,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
+@@ -1089,10 +1089,4 @@ vhost_dequeue_offload(struct virtio_net_hdr *hdr, struct rte_mbuf *m)
}
-static __rte_always_inline void