Message-ID: <67b23090-7793-46db-e9f8-c4d17069be9e@oktetlabs.ru>
Date: Thu, 12 May 2022 11:12:36 +0300
Subject: Re: [PATCH v2] tap: fix write-after-free and double free of intr_handle
To: David Marchand, Quentin Armitage
Cc: dev, Harman Kalra, dpdk stable
References: <20220503152732.390513-1-quentin@armitage.org.uk>
From: Andrew Rybchenko
Organization: OKTET Labs

On 5/4/22 14:17, David Marchand wrote:
> On Tue, May 3, 2022 at 8:23 PM Quentin Armitage wrote:
>>
>> rte_pmd_tun/tap_probe() allocates pmd->intr_handle in eth_dev_tap_create()
>> and it should not be freed until rte_pmd_tap_remove() is called.
>>
>> Inspection of tap_rx_intr_vec_set() shows that the call to
>> tap_tx_intr_vec_uninstall() was calling rte_intr_instance_free() but
>> tap_tx_intr_vec_install() can then be immediately called, and this then
>> uses pmd->intr_handle without it being reallocated.
>>
>> This commit moves the call of rte_intr_instance_free() from
>> tap_tx_intr_vec_uninstall() to rte_pmd_tap_remove().
>>
>> Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")
>
> Cc: stable@dpdk.org
>
> https://doc.dpdk.org/guides/contributing/patches.html#patch-for-stable-releases
> The reason is that backport scripts look for a "Cc: stable@dpdk.org"
> in the commitlog itself.
>
> (no need for a v3 just for this, it can be fixed when applying)
>
>>
>> Changes in v2:
>> Move rte_intr_instance_free() from tap_rx_intr_vec_uninstall()
>> to tap_dev_close().
>
> Nit: revisions changelog should be added as annotations (i.e. put
> after the --- after the commitlog).
>
>
>>
>> Signed-off-by: Quentin Armitage
>
> I did not test the change, but the fix lgtm.
> The CI failure from UNH is a false positive.
>
> Reviewed-by: David Marchand
>
>

Applied with minor fixes in summary and description, thanks.
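
The handle lifetime problem described in the quoted commit log, as an added model that is not part of this thread and is not DPDK code: it compares freeing the handle in the uninstall step with freeing it once at device removal. All names (`run_lifecycle`, `free_in_uninstall`, the counters) are hypothetical, and a static slot stands in for the real allocation so that stale writes and repeated frees are counted instead of triggering undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only: hypothetical names, not the DPDK tap driver or its API.
 * The handle lives in a static slot so stale use is counted without UB. */
struct handle { bool live; int vec; };
struct pmd {
    struct handle *intr_handle;
    bool free_in_uninstall;      /* true = behaviour before the fix */
    int stale_writes, double_frees;
};
static struct handle slot;

static void handle_free(struct pmd *p) {
    if (!p->intr_handle->live)
        p->double_frees++;       /* freeing an already freed handle */
    p->intr_handle->live = false;
}

static void vec_uninstall(struct pmd *p) {
    if (p->free_in_uninstall)
        handle_free(p);          /* pointer is left dangling */
}

static void vec_install(struct pmd *p) {
    if (!p->intr_handle->live)
        p->stale_writes++;       /* would be a write-after-free */
    else
        p->intr_handle->vec = 1;
}

/* Uninstall followed at once by install, as the commit log describes. */
static void intr_vec_set(struct pmd *p, bool set) {
    vec_uninstall(p);
    if (set)
        vec_install(p);
}

/* Create, reconfigure twice, remove; returns the counters for inspection. */
struct pmd run_lifecycle(bool free_in_uninstall) {
    struct pmd p = { &slot, free_in_uninstall, 0, 0 };
    slot = (struct handle){ true, 0 };   /* allocation at device create */
    intr_vec_set(&p, true);
    intr_vec_set(&p, true);
    if (!free_in_uninstall)
        handle_free(&p);         /* after the fix: freed once, at remove */
    p.intr_handle = NULL;
    return p;
}
```

In the model, a second reconfiguration with the free still in the uninstall step also frees the handle a second time; with the free moved to removal, both counters stay at zero.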