From: Quentin Armitage To: dev Cc: David Marchand , Harman Kalra , stable@dpdk.org, Quentin Armitage Subject: [PATCH v2] tap: fix write-after-free and double free of intr_handle Date: Tue, 3 May 2022 16:27:32 +0100 Message-Id: <20220503152732.390513-1-quentin@armitage.org.uk> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org rte_pmd_tun/tap_probe() allocates pmd->intr_handle in eth_dev_tap_create() and it should not be freed until rte_pmd_tap_remove() is called. Inspection of tap_rx_intr_vec_set() shows that the call to tap_tx_intr_vec_uninstall() was calling rte_intr_instance_free() but tap_tx_intr_vec_install() can then be immediately called, and this then uses pmd->intr_handle without it being reallocated. This commit moves the call of rte_intr_instance_free() from tap_tx_intr_vec_uninstall() to rte_pmd_tap_remove(). Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle") Changes in v2: Move rte_intr_instance_free() from tap_rx_intr_vec_uninstall() to tap_dev_close(). Signed-off-by: Quentin Armitage --- drivers/net/tap/rte_eth_tap.c | 2 ++ drivers/net/tap/tap_intr.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index bc3d56a311..5495818be6 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -1213,6 +1213,8 @@ tap_dev_close(struct rte_eth_dev *dev) TAP_LOG(DEBUG, "Closing %s Ethernet device on numa %u", tuntap_types[internals->type], rte_socket_id()); + rte_intr_instance_free(internals->intr_handle); + if (internals->ioctl_sock != -1) { close(internals->ioctl_sock); internals->ioctl_sock = -1; 
diff --git a/drivers/net/tap/tap_intr.c b/drivers/net/tap/tap_intr.c index 56c343acea..a9097def1a 100644 --- a/drivers/net/tap/tap_intr.c +++ b/drivers/net/tap/tap_intr.c @@ -34,8 +34,6 @@ tap_rx_intr_vec_uninstall(struct rte_eth_dev *dev) rte_intr_free_epoll_fd(intr_handle); rte_intr_vec_list_free(intr_handle); rte_intr_nb_efd_set(intr_handle, 0); - - rte_intr_instance_free(intr_handle); } /** -- 2.34.1
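Review bot: In the tap_dev_close() hunk, `rte_intr_instance_free(internals->intr_handle);` leaves internals->intr_handle pointing at freed memory, while the ioctl_sock block directly below it resets its field to -1 after close(). Adding `internals->intr_handle = NULL;` right after the free would follow the same pattern and keep a repeated close, or any later path that still reads the field, from reaching freed memory, which is the class of bug the subject line describes. The commit message body also still says the call moves to rte_pmd_tap_remove(), whereas this hunk and the "Changes in v2" note place it in tap_dev_close(); the description should be updated to match the code.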
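Review bot: At the end of tap_rx_intr_vec_uninstall(), where the `rte_intr_instance_free(intr_handle);` call is removed, nothing in the code records that the handle is now expected to survive uninstall and be released only on close. A one-line comment after `rte_intr_nb_efd_set(intr_handle, 0);` stating that the instance is owned by the device and freed in tap_dev_close() would help stop the free from being reintroduced here. The commit message also refers to tap_tx_intr_vec_uninstall() and tap_tx_intr_vec_install(), but the function edited in this hunk is tap_rx_intr_vec_uninstall(); the names in the log should be corrected so they can be matched against the source.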