<html>
    <head>
      <base href="https://bugs.dpdk.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8" class="bz_new_table">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_UNCONFIRMED "
   title="UNCONFIRMED - BPF callback wait is not MP safe"
   href="https://bugs.dpdk.org/show_bug.cgi?id=1700">1700</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>BPF callback wait is not MP safe
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DPDK
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>25.03
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>UNCONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>core
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dev@dpdk.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>stephen@networkplumber.org
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr></table>
      <p>
        <div class="bz_comment_block">
          <pre class="bz_comment_text">The mechanism implemented in bpf_pkt.c is like an open coded version of
seqlock.
There is an inherent race because:

If the CPU running the callback doesn't reach the before the count
is executed, it can race with the CPU doing destroy.

CPU 1:                                CPU 2:
bpf_eth_unload()
    bc = bpf_eth_cbh_find()
                                      bpf_rx_callback_vm (or bpf_rx_callback_jit)
    rte_eth_remove_rx_callback()
    bpf_eth_cbi_unload(bc)
        bpf_eth_cbi_wait(bc)

at this point bc->inuse == 0 because callback not started
but is going to be used by CPU 2. And calling rte_bpf_destroy
will lead to use after free.

There is no good way to fix this without using RCU.

Also, the code should be consistently using C11 atomic not barriers.
Not sure if anyone ever uses this code anyway!
          </pre>
        </div>
      </p>
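      <p>The interleaving in the report above, replayed deterministically in one thread as an added example (not DPDK code and not written by the reporter). The struct, the function names and the odd/even counter are a simplified, hypothetical model; the grace-period branch is a minimal stand-in for the RCU approach the report mentions.</p>
<pre>
```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not DPDK's. */
struct cb_model {
    atomic_uint inuse;     /* odd while the callback body runs */
    atomic_uint quiescent; /* bumped by the data path between bursts */
    bool installed;        /* callback still on the RX queue */
    bool destroyed;        /* stands in for rte_bpf_destroy() */
};

/* Counter wait: sees only a callback that has already marked itself. */
static bool counter_idle(struct cb_model *m) { return !(atomic_load(&m->inuse) & 1u); }

/* Grace period: the data path reported a quiescent state after snap. */
static bool grace_over(struct cb_model *m, unsigned snap) { return atomic_load(&m->quiescent) != snap; }

/* Callback body; returns true if it touched a destroyed program. */
static bool rx_run(struct cb_model *m)
{
    atomic_fetch_add(&m->inuse, 1);   /* the mark the counter wait looks for */
    bool stale = m->destroyed;
    atomic_fetch_add(&m->inuse, 1);
    return stale;
}

/* Replays the reported interleaving; true = use after free or leak. */
static bool replay(bool use_grace_period)
{
    struct cb_model m = { .installed = true };
    bool fetched = m.installed;       /* CPU 2 picked up the callback */
    m.installed = false;              /* CPU 1 removes it from the queue */
    unsigned snap = atomic_load(&m.quiescent);
    if (use_grace_period ? grace_over(&m, snap) : counter_idle(&m))
        m.destroyed = true;           /* CPU 1 destroys the program */
    bool stale = fetched && rx_run(&m); /* CPU 2 enters the callback */
    atomic_fetch_add(&m.quiescent, 1);  /* CPU 2 finishes its burst */
    if (grace_over(&m, snap))
        m.destroyed = true;           /* deferred destroy is now safe */
    return stale || !m.destroyed;
}

int main(void)
{
    printf("counter: %d, grace period: %d\n", replay(false), replay(true));
}
```
</pre>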


    </body>
</html>