From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 40E92A00C2; Mon, 2 May 2022 21:23:13 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id E8EDF41156; Mon, 2 May 2022 21:23:07 +0200 (CEST) Received: from nabal.armitage.org.uk (host-92-27-6-192.static.as13285.net [92.27.6.192]) by mails.dpdk.org (Postfix) with ESMTP id C389C4069D for ; Mon, 2 May 2022 21:23:05 +0200 (CEST) Received: from localhost (nabal.armitage.org.uk [127.0.0.1]) by nabal.armitage.org.uk (Postfix) with ESMTP id 960FA2E40A4; Mon, 2 May 2022 20:23:05 +0100 (BST) Authentication-Results: nabal.armitage.org.uk (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=armitage.org.uk DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=armitage.org.uk; h=content-transfer-encoding:mime-version:references:in-reply-to :x-mailer:message-id:date:date:subject:subject:from:from :received; s=20200110; t=1651519369; x=1652383370; bh=L9tSF5XHwg RhJnde9xE5Zr9il6XABF04SbJ6BsuIK74=; b=MlYvqqJYuVUaDWBu+HXajw9Opm 8XXunS0L7cVfD6hfLouRslRH0LMe1dailpLqDirdUPI17bbzmu2XzGjg/Q/omWpS gG40O+LoZ1/wqj+yJ+AERr2+C7v/hf4tkILca637RvAeNMZQUTRec1qKeP9qIGnd Q4ICrI+cbgaj1EGJ0= X-Virus-Scanned: amavisd-new at armitage.org.uk Received: from samson.armitage.org.uk (samson.armitage.org.uk [IPv6:2001:470:69dd:35::210]) by nabal.armitage.org.uk (Postfix) with ESMTPSA id 4AA5F2E42D0; Mon, 2 May 2022 20:22:49 +0100 (BST) From: Quentin Armitage To: dev@dpdk.org Cc: Quentin Armitage Subject: [PATCH 1/1] tap: fix write-after-free and double free of intr_handle Date: Mon, 2 May 2022 20:22:38 +0100 Message-Id: <20220502192238.348172-2-quentin@armitage.org.uk> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220502192238.348172-1-quentin@armitage.org.uk> References: <20220502192238.348172-1-quentin@armitage.org.uk> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org rte_pmd_tun/tap_probe() allocates pmd->intr_handle in eth_dev_tap_create() and it should not be freed until rte_pmd_tap_remove() is called. Inspection of tap_rx_intr_vec_set() shows that the call to tap_tx_intr_vec_uninstall() was calling rte_intr_instance_free() but tap_tx_intr_vec_install() can then be immediately called, and this then uses pmd->intr_handle without it being reallocated. This commit moves the call of rte_intr_instance_free() from tap_tx_intr_vec_uninstall() to rte_pmd_tap_remove(). Signed-off-by: Quentin Armitage --- drivers/net/tap/rte_eth_tap.c | 5 +++++ drivers/net/tap/tap_intr.c | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index bc3d56a311..aab1692ebf 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -2612,14 +2612,19 @@ static int rte_pmd_tap_remove(struct rte_vdev_device *dev) { struct rte_eth_dev *eth_dev = NULL; + struct pmd_internals *pmd; + struct rte_intr_handle *intr_handle; /* find the ethdev entry */ eth_dev = rte_eth_dev_allocated(rte_vdev_device_name(dev)); if (!eth_dev) return 0; + pmd = eth_dev->data->dev_private; + intr_handle = pmd->intr_handle; tap_dev_close(eth_dev); rte_eth_dev_release_port(eth_dev); + rte_intr_instance_free(intr_handle); return 0; } diff --git a/drivers/net/tap/tap_intr.c b/drivers/net/tap/tap_intr.c index 56c343acea..a9097def1a 100644 --- a/drivers/net/tap/tap_intr.c +++ b/drivers/net/tap/tap_intr.c @@ -34,8 +34,6 @@ tap_rx_intr_vec_uninstall(struct rte_eth_dev *dev) rte_intr_free_epoll_fd(intr_handle); rte_intr_vec_list_free(intr_handle); rte_intr_nb_efd_set(intr_handle, 0); - - rte_intr_instance_free(intr_handle); } /** -- 2.34.1