[PATCH v2] app/testpmd: avoid cmdline use-after-free on SIGINT

[PATCH v2] app/testpmd: avoid cmdline use-after-free on SIGINT

[Sunyang Wu]

When testpmd runs in interactive mode, SIGINT is handled by setting
the quit flag and calling prompt_exit() so the cmdline input path can
be interrupted.

However, prompt() frees the cmdline object with cmdline_stdin_exit()
after cmdline_interact() returns, while the global testpmd_cl pointer
may still be observed by a later signal during shutdown. If SIGINT
arrives after the cmdline object is freed, prompt_exit() may call
cmdline_quit() on stale state and trigger a use-after-free.

Keep the existing prompt_exit() behavior so interactive input can
still be cancelled, but move the cmdline object lifetime under a
local pointer and use atomic load/store for testpmd_cl so the signal
path cannot observe freed state.

This preserves the interactive-mode fix introduced for Windows while
avoiding a shutdown-time use-after-free.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: stable@dpdk.org

Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
---
 app/test-pmd/cmdline.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
index c5abeb5730..bdc5c3e3eb 100644
--- a/app/test-pmd/cmdline.c
+++ b/app/test-pmd/cmdline.c
@@ -14500,22 +14500,31 @@ cmdline_read_from_file(const char *filename, bool echo)
 void
 prompt_exit(void)
 {
-	cmdline_quit(testpmd_cl);
+	struct cmdline *cl;
+
+	cl = __atomic_load_n(&testpmd_cl, __ATOMIC_ACQUIRE);
+	if (cl != NULL)
+		cmdline_quit(cl);
 }
 
 /* prompt function, called from main on MAIN lcore */
 void
 prompt(void)
 {
-	testpmd_cl = cmdline_stdin_new(main_ctx, "testpmd> ");
-	if (testpmd_cl == NULL) {
+	struct cmdline *cl;
+
+	cl = cmdline_stdin_new(main_ctx, "testpmd> ");
+	if (cl == NULL) {
 		fprintf(stderr,
 			"Failed to create stdin based cmdline context\n");
 		return;
 	}
 
-	cmdline_interact(testpmd_cl);
-	cmdline_stdin_exit(testpmd_cl);
+	__atomic_store_n(&testpmd_cl, cl, __ATOMIC_RELEASE);
+	cmdline_interact(cl);
+	/* Clear global pointer before freeing cmdline object. */
+	__atomic_store_n(&testpmd_cl, NULL, __ATOMIC_RELEASE);
+	cmdline_stdin_exit(cl);
 }
 
 void
-- 
2.19.0.rc0.windows.1

[PATCH v3] app/testpmd: avoid cmdline use-after-free on SIGINT

[Sunyang Wu]

When testpmd runs in interactive mode, SIGINT is handled by setting
the quit flag and calling prompt_exit() so the cmdline input path can
be interrupted.

However, prompt() frees the cmdline object with cmdline_stdin_exit()
after cmdline_interact() returns, while the global testpmd_cl pointer
may still be observed by a later signal during shutdown. If SIGINT
arrives after the cmdline object is freed, prompt_exit() may call
cmdline_quit() on stale state and trigger a use-after-free.

Keep the existing prompt_exit() behavior so interactive input can
still be cancelled, but move the cmdline object lifetime under a
local pointer and use atomic load/store for testpmd_cl so the signal
path cannot observe freed state.

This preserves the interactive-mode fix introduced for Windows while
avoiding a shutdown-time use-after-free.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: stable@dpdk.org

Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
---
 app/test-pmd/cmdline.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
index c5abeb5730..ee1eff737b 100644
--- a/app/test-pmd/cmdline.c
+++ b/app/test-pmd/cmdline.c
@@ -41,6 +41,7 @@
 #endif
 #include <rte_mbuf_dyn.h>
 #include <rte_mbuf_history.h>
+#include <rte_stdatomic.h>
 #include <rte_trace.h>
 
 #include <cmdline_rdline.h>
@@ -70,7 +71,7 @@
 #include "cmdline_tm.h"
 #include "bpf_cmd.h"
 
-static struct cmdline *testpmd_cl;
+static RTE_ATOMIC(struct cmdline *) testpmd_cl;
 static cmdline_parse_ctx_t *main_ctx;
 static TAILQ_HEAD(, testpmd_driver_commands) driver_commands_head =
 	TAILQ_HEAD_INITIALIZER(driver_commands_head);
@@ -14500,22 +14501,31 @@ cmdline_read_from_file(const char *filename, bool echo)
 void
 prompt_exit(void)
 {
-	cmdline_quit(testpmd_cl);
+	struct cmdline *cl;
+
+	cl = rte_atomic_load_explicit(&testpmd_cl, rte_memory_order_acquire);
+	if (cl != NULL)
+		cmdline_quit(cl);
 }
 
 /* prompt function, called from main on MAIN lcore */
 void
 prompt(void)
 {
-	testpmd_cl = cmdline_stdin_new(main_ctx, "testpmd> ");
-	if (testpmd_cl == NULL) {
+	struct cmdline *cl;
+
+	cl = cmdline_stdin_new(main_ctx, "testpmd> ");
+	if (cl == NULL) {
 		fprintf(stderr,
 			"Failed to create stdin based cmdline context\n");
 		return;
 	}
 
-	cmdline_interact(testpmd_cl);
-	cmdline_stdin_exit(testpmd_cl);
+	rte_atomic_store_explicit(&testpmd_cl, cl, rte_memory_order_release);
+	cmdline_interact(cl);
+	/* Clear global pointer before freeing cmdline object. */
+	rte_atomic_store_explicit(&testpmd_cl, NULL, rte_memory_order_release);
+	cmdline_stdin_exit(cl);
 }
 
 void
-- 
2.19.0.rc0.windows.1

Re: [PATCH v3] app/testpmd: avoid cmdline use-after-free on SIGINT

[Stephen Hemminger]

On Mon, 27 Apr 2026 19:13:47 +0800
Sunyang Wu <sunyang.wu@jaguarmicro.com> wrote:

> When testpmd runs in interactive mode, SIGINT is handled by setting
> the quit flag and calling prompt_exit() so the cmdline input path can
> be interrupted.
> 
> However, prompt() frees the cmdline object with cmdline_stdin_exit()
> after cmdline_interact() returns, while the global testpmd_cl pointer
> may still be observed by a later signal during shutdown. If SIGINT
> arrives after the cmdline object is freed, prompt_exit() may call
> cmdline_quit() on stale state and trigger a use-after-free.
> 
> Keep the existing prompt_exit() behavior so interactive input can
> still be cancelled, but move the cmdline object lifetime under a
> local pointer and use atomic load/store for testpmd_cl so the signal
> path cannot observe freed state.
> 
> This preserves the interactive-mode fix introduced for Windows while
> avoiding a shutdown-time use-after-free.
> 
> Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
> ---

You don't need stdatomic here, it is over kill.
The signal and command line will run on thread.

It would be better to disarm the signal and make it a one shot
situation.

[PATCH] app/test-pmd: terminate process on second signal

[Stephen Hemminger]

The SIGINT/SIGTERM handler starts a graceful shutdown via
prompt_exit(), after which prompt() frees the cmdline object with
cmdline_stdin_exit(). A second signal delivered during or after
that free re-enters prompt_exit() and dereferences testpmd_cl,
producing a use-after-free.

Set SA_RESETHAND so the second signal terminates the process via
SIG_DFL instead of re-running the shutdown path. On Windows the
C runtime's signal() already resets the disposition after delivery,
so behavior is consistent without an #ifdef.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: stable@dpdk.org
Reported-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 app/test-pmd/testpmd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/test-pmd/testpmd.c b/app/test-pmd/testpmd.c
index e2569d9e30..d93c696057 100644
--- a/app/test-pmd/testpmd.c
+++ b/app/test-pmd/testpmd.c
@@ -4603,9 +4603,14 @@ main(int argc, char** argv)
 	signal(SIGINT, signal_handler);
 	signal(SIGTERM, signal_handler);
 #else
-	/* Want read() not to be restarted on signal */
+	/*
+	 * Do not restart read() on signal (no SA_RESTART), and reset
+	 * to SIG_DFL after first delivery so a second SIGINT/SIGTERM
+	 * terminates instead of re-entering the shutdown path.
+	 */
 	struct sigaction action = {
 		.sa_handler = signal_handler,
+		.sa_flags = SA_RESETHAND,
 	};
 
 	sigaction(SIGINT, &action, NULL);
-- 
2.53.0

Re: [PATCH] app/test-pmd: terminate process on second signal

[Bruce Richardson]

On Mon, Apr 27, 2026 at 10:26:17AM -0700, Stephen Hemminger wrote:
> The SIGINT/SIGTERM handler starts a graceful shutdown via
> prompt_exit(), after which prompt() frees the cmdline object with
> cmdline_stdin_exit(). A second signal delivered during or after
> that free re-enters prompt_exit() and dereferences testpmd_cl,
> producing a use-after-free.
> 
> Set SA_RESETHAND so the second signal terminates the process via
> SIG_DFL instead of re-running the shutdown path. On Windows the
> C runtime's signal() already resets the disposition after delivery,
> so behavior is consistent without an #ifdef.
> 
> Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
> Cc: stable@dpdk.org
> Reported-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
>  app/test-pmd/testpmd.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
Acked-by: Bruce Richardson <bruce.richardson@intel.com>

[PATCH v2] app/test-pmd: terminate process on second signal

[Stephen Hemminger]

The SIGINT/SIGTERM handler starts a graceful shutdown via
prompt_exit(), after which prompt() frees the cmdline object with
cmdline_stdin_exit(). A second signal delivered during or after
that free re-enters prompt_exit() and dereferences testpmd_cl,
producing a use-after-free.

Reset both signals to SIG_DFL so the process will immediately
exit if second signal arrives.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: stable@dpdk.org
Reported-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
---
v2 - handle the case of SIGINT followed by SIGTERM

 app/test-pmd/testpmd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/test-pmd/testpmd.c b/app/test-pmd/testpmd.c
index e2569d9e30..59372838a5 100644
--- a/app/test-pmd/testpmd.c
+++ b/app/test-pmd/testpmd.c
@@ -4555,6 +4555,8 @@ print_stats(void)
 static void
 signal_handler(int signum __rte_unused)
 {
+	signal(SIGINT, SIG_DFL);
+	signal(SIGTERM, SIG_DFL);
 	f_quit = 1;
 	prompt_exit();
 }
-- 
2.53.0

Re: [PATCH v2] app/test-pmd: terminate process on second signal

[Stephen Hemminger]

On Tue, 28 Apr 2026 06:52:48 -0700
Stephen Hemminger <stephen@networkplumber.org> wrote:

> The SIGINT/SIGTERM handler starts a graceful shutdown via
> prompt_exit(), after which prompt() frees the cmdline object with
> cmdline_stdin_exit(). A second signal delivered during or after
> that free re-enters prompt_exit() and dereferences testpmd_cl,
> producing a use-after-free.
> 
> Reset both signals to SIG_DFL so the process will immediately
> exit if second signal arrives.
> 
> Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
> Cc: stable@dpdk.org
> Reported-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Bruce Richardson <bruce.richardson@intel.com>
> ---

Applied to next-net