From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/core Bug 1683] use after on interrupt thread during EAL cleanup
Date: Wed, 26 Mar 2025 16:27:16 +0000
Message-ID: <bug-1683-3@http.bugs.dpdk.org/>

https://bugs.dpdk.org/show_bug.cgi?id=1683

            Bug ID: 1683
           Summary: use after on interrupt thread during EAL cleanup
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: david.marchand@redhat.com
  Target Milestone: ---

This was caught with ASan in a CI run in my GHA:

+ devtools/test-null.sh
EAL: Detected CPU lcores: 4
EAL: Detected NUMA nodes: 1
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /run/user/1001/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'VA'
testpmd: create a new mbuf pool <mb_pool_0>: n=2048, size=2176, socket=0
testpmd: preferred mempool ops selected: ring_mp_mc
Interactive-mode selected
Auto-start selected
Configuring Port 0 (socket 0)
...

Shutting down port 1...
=================================================================
==46768==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000008e44
at pc 0x5613ec543091 bp 0x7f87065fd1d0 sp 0x7f87065fd1c8
READ of size 4 at 0x606000008e44 thread T1
    #0 0x5613ec543090 in rte_intr_fd_get
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_interrupts.c:210:22
    #1 0x5613ec5a350b in eal_alarm_callback
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_alarm.c:125:19
    #2 0x5613ec5acef1 in eal_intr_process_interrupts
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_interrupts.c:1026:5
    #3 0x5613ec5acef1 in eal_intr_handle_interrupts
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_interrupts.c:1100:7
    #4 0x5613ec5aba06 in eal_intr_thread_main
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_interrupts.c:1172:3
    #5 0x7f870b294ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #6 0x7f870b32684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x606000008e44 is located 4 bytes inside of 64-byte region
[0x606000008e40,0x606000008e80)
freed by thread T0 here:
    #0 0x5613eb24ba32 in free
(/home/runner/work/dpdk/dpdk/build/app/dpdk-testpmd+0xb8ca32) (BuildId:
1c1d93dcb4fec8b525f3ed4b97885f75ba17fcb1)
    #1 0x5613ec5a1b7f in rte_eal_cleanup
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal.c:1333:2
    #2 0x5613eb3bf7bc in main
/home/runner/work/dpdk/dpdk/build/../app/test-pmd/testpmd.c:4583:8
    #3 0x7f870b229d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x5613eb24bec8 in __interceptor_calloc
(/home/runner/work/dpdk/dpdk/build/app/dpdk-testpmd+0xb8cec8) (BuildId:
1c1d93dcb4fec8b525f3ed4b97885f75ba17fcb1)
    #1 0x5613ec542b56 in rte_intr_instance_alloc
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_interrupts.c:51:17
    #2 0x5613ec5a26ed in rte_eal_alarm_init
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_alarm.c:66:16
    #3 0x5613ec59f5a3 in rte_eal_init
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal.c:1011:6
    #4 0x5613eb3be5b3 in main
/home/runner/work/dpdk/dpdk/build/../app/test-pmd/testpmd.c:4369:9
    #5 0x7f870b229d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Thread T1 created by T0 here:
    #0 0x5613eb23515c in __interceptor_pthread_create
(/home/runner/work/dpdk/dpdk/build/app/dpdk-testpmd+0xb7615c) (BuildId:
1c1d93dcb4fec8b525f3ed4b97885f75ba17fcb1)
    #1 0x5613ec59d50c in rte_thread_create
/home/runner/work/dpdk/dpdk/build/../lib/eal/unix/rte_thread.c:199:8
    #2 0x5613ec56011b in rte_thread_create_control
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_thread.c:308:8
    #3 0x5613ec56096c in rte_thread_create_internal_control
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_thread.c:358:9
    #4 0x5613ec5ab811 in rte_eal_intr_init
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal_interrupts.c:1200:8
    #5 0x5613ec59f58a in rte_eal_init
/home/runner/work/dpdk/dpdk/build/../lib/eal/linux/eal.c:1006:6
    #6 0x5613eb3be5b3 in main
/home/runner/work/dpdk/dpdk/build/../app/test-pmd/testpmd.c:4369:9
    #7 0x7f870b229d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free
/home/runner/work/dpdk/dpdk/build/../lib/eal/common/eal_common_interrupts.c:210:22
in rte_intr_fd_get
==46768==ABORTING


From a quick reading of the cleanup code, the reason is probably that the
interrupt thread was not killed before releasing the interrupt handler in
the rte_eal_alarm_cleanup() call.

There may be a need for killing the interrupt thread or adding some
synchronisation point.

This issue probably affects all OS implementations.

-- 
You are receiving this mail because:
You are the assignee for the bug.
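
The teardown ordering the report points at, as an added example that is not part of the original report and is not DPDK code: a reader thread keeps dereferencing a heap handle, and cleanup stops and joins it before freeing. All names (`struct ctx`, `ctx_start`, `ctx_cleanup`, `BUGGY_ORDER`) are hypothetical; building with `-DBUGGY_ORDER -fsanitize=address` frees before the join instead, which is the ordering the reporter suspects.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the race; every name here is hypothetical, not DPDK's. */
struct intr_handle { int fd; };
struct ctx {
    struct intr_handle *handle;   /* heap object shared with the thread */
    atomic_bool stop;             /* synchronisation point for shutdown */
    atomic_long reads;            /* times the thread read handle->fd */
    pthread_t tid;
};

/* Stands in for the interrupt thread: it keeps reading through the handle. */
static void *intr_thread_main(void *arg)
{
    struct ctx *c = arg;
    while (!atomic_load(&c->stop)) {
        (void)*(volatile int *)&c->handle->fd;  /* same kind of read ASan flagged */
        atomic_fetch_add(&c->reads, 1);
    }
    return NULL;
}

static int ctx_start(struct ctx *c)
{
    c->handle = calloc(1, sizeof(*c->handle));
    if (c->handle == NULL) return -1;
    atomic_init(&c->stop, false);
    atomic_init(&c->reads, 0);
    int rc = pthread_create(&c->tid, NULL, intr_thread_main, c);
    if (rc != 0) free(c->handle);
    return rc;
}

/* Returns the number of reads the thread made, or -1 if the join failed. */
static long ctx_cleanup(struct ctx *c)
{
#ifdef BUGGY_ORDER
    free(c->handle);              /* freed while the thread may still read it */
#endif
    atomic_store(&c->stop, true); /* ask the reader to exit ... */
    if (pthread_join(c->tid, NULL) != 0) return -1; /* ... and wait for it */
#ifndef BUGGY_ORDER
    free(c->handle);              /* no reader is left, so freeing is safe */
#endif
    c->handle = NULL;
    return atomic_load(&c->reads);
}
```
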
