patch 'net/tap: fix use-after-free on remote flow creation failure' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Mar 19 11:02:47 CET 2026


Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/23/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/de8e6c1d802656b6b220a00929d9062a30427698

Thanks.

Kevin

---
From de8e6c1d802656b6b220a00929d9062a30427698 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Sun, 22 Feb 2026 09:30:46 -0800
Subject: [PATCH] net/tap: fix use-after-free on remote flow creation failure

[ upstream commit df92002ddbc856858ebca2c8fa42d975573049ee ]

After a local TC filter rule is installed and the flow is inserted
into pmd->flows, failure during remote flow creation jumps to the
fail label which frees the flow without removing it from the list
and without deleting the kernel-side TC rule.

Send RTM_DELTFILTER to clean up the local rule and call
LIST_REMOVE before freeing.

Bugzilla ID: 1881
Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/tap/tap_flow.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/net/tap/tap_flow.c b/drivers/net/tap/tap_flow.c
index 9d4ef27a8a..427faf75d5 100644
--- a/drivers/net/tap/tap_flow.c
+++ b/drivers/net/tap/tap_flow.c
@@ -1294,5 +1294,5 @@ tap_flow_create(struct rte_eth_dev *dev,
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL,
 				"cannot allocate memory for rte_flow");
-			goto fail;
+			goto fail_remove;
 		}
 		msg = &remote_flow->msg;
@@ -1308,5 +1308,5 @@ tap_flow_create(struct rte_eth_dev *dev,
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				NULL, "rte flow rule validation failed");
-			goto fail;
+			goto fail_remove;
 		}
 		err = tap_nl_send(pmd->nlsk_fd, &msg->nh);
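Review bot: The context lines of this hunk report ENOMEM together with "rte flow rule validation failed", which tells the caller of tap_flow_create that an allocation failed when the rule was in fact rejected. That is not something a stable backport should change, but since upstream is already touching this error path, a follow-up there could set an errno that matches the failure.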
@@ -1315,5 +1315,5 @@ tap_flow_create(struct rte_eth_dev *dev,
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				NULL, "Failure sending nl request");
-			goto fail;
+			goto fail_remove;
 		}
 		err = tap_nl_recv_ack(pmd->nlsk_fd);
@@ -1326,13 +1326,20 @@ tap_flow_create(struct rte_eth_dev *dev,
 				NULL,
 				"overlapping rules or Kernel too old for flower support");
-			goto fail;
+			goto fail_remove;
 		}
 		flow->remote_flow = remote_flow;
 	}
 	return flow;
+
+fail_remove:
+	/* Delete the local TC rule that was already installed */
+	flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	flow->msg.nh.nlmsg_type = RTM_DELTFILTER;
+	if (tap_nl_send(pmd->nlsk_fd, &flow->msg.nh) >= 0)
+		tap_nl_recv_ack(pmd->nlsk_fd);
+	LIST_REMOVE(flow, next);
 fail:
 	rte_free(remote_flow);
-	if (flow)
-		tap_flow_free(pmd, flow);
+	tap_flow_free(pmd, flow);
 	return NULL;
 }
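Review bot: At `fail:` the `if (flow)` guard in front of `tap_flow_free(pmd, flow)` is dropped, so any `goto fail` that can be reached with `flow == NULL` (those sites are outside these hunks) now relies on tap_flow_free accepting NULL; please confirm that holds on the 25.11 branch, or keep the guard. Separately, in `fail_remove` the return value of `tap_nl_recv_ack` is discarded and a failed `tap_nl_send` is silent, so a local TC rule that the kernel did not delete is left installed with no trace. A log line on either failure would make the leaked rule visible to whoever debugs it later.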
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2026-03-19 10:01:08.549411862 +0000
+++ 0049-net-tap-fix-use-after-free-on-remote-flow-creation-f.patch	2026-03-19 10:01:07.117248355 +0000
@@ -1 +1 @@
-From df92002ddbc856858ebca2c8fa42d975573049ee Mon Sep 17 00:00:00 2001
+From de8e6c1d802656b6b220a00929d9062a30427698 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit df92002ddbc856858ebca2c8fa42d975573049ee ]
+
@@ -16 +17,0 @@
-Cc: stable at dpdk.org
@@ -24 +25 @@
-index 8877cef3ff..530f6880c7 100644
+index 9d4ef27a8a..427faf75d5 100644
@@ -27 +28 @@
-@@ -1300,5 +1300,5 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1294,5 +1294,5 @@ tap_flow_create(struct rte_eth_dev *dev,
@@ -34 +35 @@
-@@ -1314,5 +1314,5 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1308,5 +1308,5 @@ tap_flow_create(struct rte_eth_dev *dev,
@@ -41 +42 @@
-@@ -1321,5 +1321,5 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1315,5 +1315,5 @@ tap_flow_create(struct rte_eth_dev *dev,
@@ -48 +49 @@
-@@ -1332,13 +1332,20 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1326,13 +1326,20 @@ tap_flow_create(struct rte_eth_dev *dev,


