vhost: fix potential use-after-free for zero copy mbuf

Don't free the zero copy mbufs before they have been consumed, otherwise there could be use-after-free. Fixes: b0a985d1f3 ("vhost: add dequeue zero copy") Cc: stable@dpdk.org Signed-off-by: Tiwei Bie <tiwei.bie@intel.com> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
2019-02-22 10:42:07 +08:00 · 2019-02-22 10:42:07 +08:00 · d767436ee5
commit d767436ee5
parent 041d37b2ef
3 changed files with 15 additions and 12 deletions
--- a/lib/librte_vhost/vhost.h
+++ b/lib/librte_vhost/vhost.h
@ -757,4 +757,16 @@ restore_mbuf(struct rte_mbuf *m)
 	}
 }

+static __rte_always_inline bool
+mbuf_is_consumed(struct rte_mbuf *m)
+{
+	while (m) {
+		if (rte_mbuf_refcnt_read(m) > 1)
+			return false;
+		m = m->next;
+	}
+
+	return true;
+}
+
 #endif /* _VHOST_NET_CDEV_H_ */
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@ -1218,6 +1218,9 @@ free_zmbufs(struct vhost_virtqueue *vq)
 	     zmbuf != NULL; zmbuf = next) {
 		next = TAILQ_NEXT(zmbuf, next);

+		while (!mbuf_is_consumed(zmbuf->mbuf))
+			usleep(1000);
+
 		restore_mbuf(zmbuf->mbuf);
 		rte_pktmbuf_free(zmbuf->mbuf);
 		TAILQ_REMOVE(&vq->zmbuf_list, zmbuf, next);
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@ -1306,18 +1306,6 @@ get_zmbuf(struct vhost_virtqueue *vq)
 	return NULL;
 }

-static __rte_always_inline bool
-mbuf_is_consumed(struct rte_mbuf *m)
-{
-	while (m) {
-		if (rte_mbuf_refcnt_read(m) > 1)
-			return false;
-		m = m->next;
-	}
-
-	return true;
-}
-
 static __rte_always_inline uint16_t
 virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	struct rte_mempool *mbuf_pool, struct rte_mbuf **pkts, uint16_t count)