This series includes two fix patches for failsafe/tap

Yunjian Wang (2):
  net/failsafe: fix freeing after device release
  net/tap: fix use after free on error path

 drivers/net/failsafe/failsafe.c | 2 +-
 drivers/net/tap/rte_eth_tap.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--
2.27.0
The PMD destroy function was calling the release function, which frees dev->data->dev_private, and then tries to free PRIV(dev)->intr_handle, which causes the heap use after free issue. The free can be moved to before the release function is called. Fixes: d61138d4f0e ("drivers: remove direct access to interrupt handle") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- drivers/net/failsafe/failsafe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/failsafe/failsafe.c b/drivers/net/failsafe/failsafe.c index 3c754a5f66..05cf533896 100644 --- a/drivers/net/failsafe/failsafe.c +++ b/drivers/net/failsafe/failsafe.c @@ -308,8 +308,8 @@ fs_rte_eth_free(const char *name) if (dev == NULL) return 0; /* port already released */ ret = failsafe_eth_dev_close(dev); - rte_eth_dev_release_port(dev); rte_intr_instance_free(PRIV(dev)->intr_handle); + rte_eth_dev_release_port(dev); return ret; } -- 2.27.0
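Review bot: the ordering requirement between the last two calls in fs_rte_eth_free() is not recorded in the code, so a later cleanup could swap them back. PRIV(dev) is dereferenced to reach intr_handle, and per the commit message rte_eth_dev_release_port() frees dev->data->dev_private, so a one-line comment above rte_intr_instance_free() stating that it must run before the port is released would protect the fix. It is also worth confirming that PRIV(dev) is still valid when failsafe_eth_dev_close() returns an error, since ret is only returned and not checked before the dereference.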
The error path was calling rte_eth_dev_release_port() function, which frees eth_dev->data->dev_private, and then tries to free pmd->intr_handle, which causes the use after free issue. The free can be moved to before the release function is called. Fixes: d61138d4f0e ("drivers: remove direct access to interrupt handle") Cc: stable@dpdk.org Signed-off-by: Xiangjun Meng <mengxiangjun4@huawei.com> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- drivers/net/tap/rte_eth_tap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c index 5495818be6..9e1032fe72 100644 --- a/drivers/net/tap/rte_eth_tap.c +++ b/drivers/net/tap/rte_eth_tap.c @@ -2179,8 +2179,8 @@ eth_dev_tap_create(struct rte_vdev_device *vdev, const char *tap_name, close(pmd->ioctl_sock); /* mac_addrs must not be freed alone because part of dev_private */ dev->data->mac_addrs = NULL; - rte_eth_dev_release_port(dev); rte_intr_instance_free(pmd->intr_handle); + rte_eth_dev_release_port(dev); error_exit_nodev: TAP_LOG(ERR, "%s Unable to initialize %s", -- 2.27.0
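Review bot: on this error path in eth_dev_tap_create(), pmd->intr_handle is now freed unconditionally before rte_eth_dev_release_port(dev), so please confirm that every goto reaching this point happens after intr_handle has been allocated, or that rte_intr_instance_free() tolerates a NULL handle. The existing comment about mac_addrs being part of dev_private is a good model: a matching comment that pmd lives in dev_private and must not be touched after the release call would keep the order from being reversed again. Since both patches carry the same Fixes tag, a quick check of the other drivers changed by that commit for the same release-then-free order would be worthwhile.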
On 6/7/22 09:49, Yunjian Wang wrote:
> This series includes two fix patches for failsafe/tap
>
> Yunjian Wang (2):
> net/failsafe: fix freeing after device release
> net/tap: fix use after free on error path
>
> drivers/net/failsafe/failsafe.c | 2 +-
> drivers/net/tap/rte_eth_tap.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
Series-reviewed-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Applied to dpdk-next-net/main, thanks.