From patchwork Wed Nov  3 11:16:15 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Marchand <david.marchand@redhat.com>
X-Patchwork-Id: 103644
X-Patchwork-Delegate: david.marchand@redhat.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 071C4A0C53;
	Wed,  3 Nov 2021 12:17:05 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 984724115A;
	Wed,  3 Nov 2021 12:17:04 +0100 (CET)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id DE47541134
 for <dev@dpdk.org>; Wed,  3 Nov 2021 12:17:02 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1635938222;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=itVSmTe1fKXGNtAWGFKtNp3oWeIfm4GEOSKcKRBOs8w=;
 b=GHE2iDFypHwjkfomNc0MZ2EHc2RbjsnZ1OrYpH35Sko8Hvl3Ggo/kb4Ej1tDjJqtQdhioN
 qv8mFsdN05wleYVWRXkKNG3/V8LKWZmJ11fBpDGgM1Dc0K46zh8DJ+ZKB45NAdbFkkP/ij
 lplK6A7EhfaTXXJbN1fLE/gC4dWJSZQ=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-58-V84MhwP_NSigwSu9nRYtvA-1; Wed, 03 Nov 2021 07:16:59 -0400
X-MC-Unique: V84MhwP_NSigwSu9nRYtvA-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E2F16800053;
 Wed,  3 Nov 2021 11:16:57 +0000 (UTC)
Received: from dmarchan.remote.csb (unknown [10.40.192.22])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 62A4A5D6B1;
 Wed,  3 Nov 2021 11:16:56 +0000 (UTC)
From: David Marchand <david.marchand@redhat.com>
To: dev@dpdk.org
Cc: yanx.xia@intel.com, Hyong Youb Kim <hyonkim@cisco.com>,
 Harman Kalra <hkalra@marvell.com>
Date: Wed,  3 Nov 2021 12:16:15 +0100
Message-Id: <20211103111615.6271-1-david.marchand@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david.marchand@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Subject: [dpdk-dev] [PATCH] bus/pci: fix use after free on unplug
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

rte_pci_unmap_device() needs intr_handle objects to unregister
callbacks.

Bugzilla ID: 845
Fixes: d61138d4f0e2 ("drivers: remove direct access to interrupt handle")

Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Tested-by: Yan Xia <yanx.xia@intel.com>
---
 drivers/bus/pci/pci_common.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/bus/pci/pci_common.c b/drivers/bus/pci/pci_common.c
index f8fff2c98e..4a3a87f24f 100644
--- a/drivers/bus/pci/pci_common.c
+++ b/drivers/bus/pci/pci_common.c
@@ -271,10 +271,6 @@ rte_pci_probe_one_driver(struct rte_pci_driver *dr,
 		return ret; /* no rollback if already succeeded earlier */
 	if (ret) {
 		dev->driver = NULL;
-		rte_intr_instance_free(dev->vfio_req_intr_handle);
-		dev->vfio_req_intr_handle = NULL;
-		rte_intr_instance_free(dev->intr_handle);
-		dev->intr_handle = NULL;
 		if ((dr->drv_flags & RTE_PCI_DRV_NEED_MAPPING) &&
 			/* Don't unmap if device is unsupported and
 			 * driver needs mapped resources.
@@ -282,6 +278,10 @@ rte_pci_probe_one_driver(struct rte_pci_driver *dr,
 			!(ret > 0 &&
 				(dr->drv_flags & RTE_PCI_DRV_KEEP_MAPPED_RES)))
 			rte_pci_unmap_device(dev);
+		rte_intr_instance_free(dev->vfio_req_intr_handle);
+		dev->vfio_req_intr_handle = NULL;
+		rte_intr_instance_free(dev->intr_handle);
+		dev->intr_handle = NULL;
 	} else {
 		dev->device.driver = &dr->driver;
 	}
@@ -322,15 +322,16 @@ rte_pci_detach_dev(struct rte_pci_device *dev)
 	/* clear driver structure */
 	dev->driver = NULL;
 	dev->device.driver = NULL;
-	rte_intr_instance_free(dev->intr_handle);
-	dev->intr_handle = NULL;
-	rte_intr_instance_free(dev->vfio_req_intr_handle);
-	dev->vfio_req_intr_handle = NULL;
 
 	if (dr->drv_flags & RTE_PCI_DRV_NEED_MAPPING)
 		/* unmap resources for devices that use igb_uio */
 		rte_pci_unmap_device(dev);
 
+	rte_intr_instance_free(dev->intr_handle);
+	dev->intr_handle = NULL;
+	rte_intr_instance_free(dev->vfio_req_intr_handle);
+	dev->vfio_req_intr_handle = NULL;
+
 	return 0;
 }