From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id B6B2BA04FF
	for <public@inbox.dpdk.org>; Wed,  4 May 2022 13:17:44 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id AD578427EF;
	Wed,  4 May 2022 13:17:44 +0200 (CEST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id 451CB40C35
 for <stable@dpdk.org>; Wed,  4 May 2022 13:17:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1651663061;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=r5xFUWM6D9pwcsfkLZGKlbifvKWBIlZVbGDDisTHS5U=;
 b=hqsZ4yhQgOS+J5NRkcPxIB89Abl/Pw/m1X4AqpYdnwPlnBKY/ry1HAV9z2xF8rJvrya3sG
 9/STcgApg1+NiXDXr63odOrYV+eZuUOfODZC20ZpcboIq6BQFqwtH4APE26Loozsfgjd8c
 7nAo7uqPg6fTyukadsyTrNhh2t0dT8Q=
Received: from mail-lf1-f70.google.com (mail-lf1-f70.google.com
 [209.85.167.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-98-v_hijFJGOzmqcFDK29uGNA-1; Wed, 04 May 2022 07:17:38 -0400
X-MC-Unique: v_hijFJGOzmqcFDK29uGNA-1
Received: by mail-lf1-f70.google.com with SMTP id
 l19-20020ac24313000000b004739dbba717so494445lfh.5
 for <stable@dpdk.org>; Wed, 04 May 2022 04:17:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=r5xFUWM6D9pwcsfkLZGKlbifvKWBIlZVbGDDisTHS5U=;
 b=Ng7CK4aCjpy8fuFBpip5QC5cvh3PxjGLFXqBBHXpYMkhPjTuMiOntD0Vx5M8fjNaDU
 m9CXwZigIqmQ/OYRbfwzbW2tPHL2bXkcCRZ2T1mxu/g7Ktmcd0Hu5+y7tTWN/NBAAqtU
 EAUK8LWi1Azv7p5/3ZzAup+yiV/aI3T5+DhC/isU+fXOSmGCgr3gB/tesw430Vzw1nvx
 8WRYnBBWnRqhYCv90cLw5ppphqBac++6bdni5elTTICj4HjYzJ1ah0v2OneX9UvvVsSN
 NLalx+r+m+q+w1bZWBsoxWsZikWUHf/k85MuocCw8gzGx+ZRCkVWL31KxZO2XGXzT2nc
 7enw==
X-Gm-Message-State: AOAM53004rghH559zZGFXgZjlO4TOCkFSz7iA+GtZDUUYrMOz3lCbmvx
 eZr+phg3153lkwpQU5ZP6MoK3z/9ClcdoRx2Xsne3XEyXMzZ7ydEWIvIQWhok4m55F967T902e4
 9ntyctFPqTdU8ajtD6OAI/5U=
X-Received: by 2002:a2e:9d90:0:b0:24f:224:8dfa with SMTP id
 c16-20020a2e9d90000000b0024f02248dfamr12063522ljj.46.1651663056968; 
 Wed, 04 May 2022 04:17:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxGKnTyQYRgyX0blXuk8ygItqqH7WPz6HDrbWmLItuMyJDAtUYckvY5Efm7Iv/bPy77c3AxRsyGZstEZDSAdZc=
X-Received: by 2002:a2e:9d90:0:b0:24f:224:8dfa with SMTP id
 c16-20020a2e9d90000000b0024f02248dfamr12063516ljj.46.1651663056717; Wed, 04
 May 2022 04:17:36 -0700 (PDT)
MIME-Version: 1.0
References: <20220503152732.390513-1-quentin@armitage.org.uk>
In-Reply-To: <20220503152732.390513-1-quentin@armitage.org.uk>
From: David Marchand <david.marchand@redhat.com>
Date: Wed, 4 May 2022 13:17:25 +0200
Message-ID: <CAJFAV8wDsjaeUyjwpjQjBhwFG_HpYkckkQx9vN6T0+-1JtSX0g@mail.gmail.com>
Subject: Re: [PATCH v2] tap: fix write-after-free and double free of
 intr_handle
To: Quentin Armitage <quentin@armitage.org.uk>
Cc: dev <dev@dpdk.org>, Harman Kalra <hkalra@marvell.com>,
 dpdk stable <stable@dpdk.org>
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dmarchan@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

On Tue, May 3, 2022 at 8:23 PM Quentin Armitage <quentin@armitage.org.uk> wrote:
>
> rte_pmd_tun/tap_probe() allocates pmd->intr_handle in eth_dev_tap_create()
> and it should not be freed until rte_pmd_tap_remove() is called.
>
> Inspection of tap_rx_intr_vec_set() shows that the call to
> tap_tx_intr_vec_uninstall() was calling rte_intr_instance_free() but
> tap_tx_intr_vec_install() can then be immediately called, and this then
> uses pmd->intr_handle without it being reallocated.
>
> This commit moves the call of rte_intr_instance_free() from
> tap_tx_intr_vec_uninstall() to rte_pmd_tap_remove().
>
> Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")

Cc: stable@dpdk.org

https://doc.dpdk.org/guides/contributing/patches.html#patch-for-stable-releases
The reason is that backport scripts look for a "Cc: stable@dpdk.org"
in the commitlog itself.

(no need for a v3 just for this, it can be fixed when applying)

>
> Changes in v2:
>   Move rte_intr_instance_free() from tap_rx_intr_vec_uninstall()
>   to tap_dev_close().

Nit: revisions changelog should be added as annotations (i.e. put
after the --- after the commitlog).


>
> Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>

I did not test the change, but the fix lgtm.
The CI failure from UNH is a false positive.

Reviewed-by: David Marchand <david.marchand@redhat.com>


-- 
David Marchand