patch 'net/tap: fix use-after-free on remote flow creation failure' has been queued to stable release 24.11.5

luca.boccassi at gmail.com luca.boccassi at gmail.com
Thu Mar 19 23:02:25 CET 2026


Hi,

FYI, your patch has been queued to stable release 24.11.5

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/21/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/f34941b2ea5392ac3bff201e4731b803fa705387

Thanks.

Luca Boccassi

---
From f34941b2ea5392ac3bff201e4731b803fa705387 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Sun, 22 Feb 2026 09:30:46 -0800
Subject: [PATCH] net/tap: fix use-after-free on remote flow creation failure

[ upstream commit df92002ddbc856858ebca2c8fa42d975573049ee ]

After a local TC filter rule is installed and the flow is inserted
into pmd->flows, failure during remote flow creation jumps to the
fail label which frees the flow without removing it from the list
and without deleting the kernel-side TC rule.

Send RTM_DELTFILTER to clean up the local rule and call
LIST_REMOVE before freeing.

Bugzilla ID: 1881
Fixes: 2bc06869cd94 ("net/tap: add remote netdevice traffic capture")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/tap/tap_flow.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/net/tap/tap_flow.c b/drivers/net/tap/tap_flow.c
index 55fb39fc7d..a1942a9a27 100644
--- a/drivers/net/tap/tap_flow.c
+++ b/drivers/net/tap/tap_flow.c
@@ -1293,7 +1293,7 @@ tap_flow_create(struct rte_eth_dev *dev,
 			rte_flow_error_set(
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE, NULL,
 				"cannot allocate memory for rte_flow");
-			goto fail;
+			goto fail_remove;
 		}
 		msg = &remote_flow->msg;
 		/* set the rule if_index for the remote netdevice */
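Review bot: this first `goto fail_remove` site (the remote_flow allocation failure) depends on the flow already being linked into pmd->flows and the local rule already being installed, but neither the list insertion nor the local ack is in the context shown here. The stable hunk applies six lines earlier than upstream (1293 vs 1299), so please confirm on this branch that all four converted sites come after the insertion and that every remaining `goto fail` comes before it; otherwise fail_remove would run LIST_REMOVE on a flow that was never linked.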
@@ -1307,14 +1307,14 @@ tap_flow_create(struct rte_eth_dev *dev,
 			rte_flow_error_set(
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				NULL, "rte flow rule validation failed");
-			goto fail;
+			goto fail_remove;
 		}
 		err = tap_nl_send(pmd->nlsk_fd, &msg->nh);
 		if (err < 0) {
 			rte_flow_error_set(
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				NULL, "Failure sending nl request");
-			goto fail;
+			goto fail_remove;
 		}
 		err = tap_nl_recv_ack(pmd->nlsk_fd);
 		if (err < 0) {
@@ -1325,15 +1325,22 @@ tap_flow_create(struct rte_eth_dev *dev,
 				error, ENOMEM, RTE_FLOW_ERROR_TYPE_HANDLE,
 				NULL,
 				"overlapping rules or Kernel too old for flower support");
-			goto fail;
+			goto fail_remove;
 		}
 		flow->remote_flow = remote_flow;
 	}
 	return flow;
+
+fail_remove:
+	/* Delete the local TC rule that was already installed */
+	flow->msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+	flow->msg.nh.nlmsg_type = RTM_DELTFILTER;
+	if (tap_nl_send(pmd->nlsk_fd, &flow->msg.nh) >= 0)
+		tap_nl_recv_ack(pmd->nlsk_fd);
+	LIST_REMOVE(flow, next);
 fail:
 	rte_free(remote_flow);
-	if (flow)
-		tap_flow_free(pmd, flow);
+	tap_flow_free(pmd, flow);
 	return NULL;
 }
 
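Review bot: at the `fail:` label the `if (flow)` guard is dropped, so if any path still reaches `fail:` with flow equal to NULL it now calls tap_flow_free(pmd, flow) with a NULL pointer; either keep the guard or confirm that tap_flow_free tolerates NULL. Separately, in fail_remove the results of tap_nl_send and tap_nl_recv_ack are discarded, so a failed RTM_DELTFILTER leaves the kernel-side TC rule installed with nothing recorded; a warning log on that branch would make the leftover rule diagnosable.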
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2026-03-19 22:00:49.001590179 +0000
+++ 0033-net-tap-fix-use-after-free-on-remote-flow-creation-f.patch	2026-03-19 22:00:47.806359366 +0000
@@ -1 +1 @@
-From df92002ddbc856858ebca2c8fa42d975573049ee Mon Sep 17 00:00:00 2001
+From f34941b2ea5392ac3bff201e4731b803fa705387 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit df92002ddbc856858ebca2c8fa42d975573049ee ]
+
@@ -16 +17,0 @@
-Cc: stable at dpdk.org
@@ -24 +25 @@
-index 8877cef3ff..530f6880c7 100644
+index 55fb39fc7d..a1942a9a27 100644
@@ -27 +28 @@
-@@ -1299,7 +1299,7 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1293,7 +1293,7 @@ tap_flow_create(struct rte_eth_dev *dev,
@@ -36 +37 @@
-@@ -1313,14 +1313,14 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1307,14 +1307,14 @@ tap_flow_create(struct rte_eth_dev *dev,
@@ -53 +54 @@
-@@ -1331,15 +1331,22 @@ tap_flow_create(struct rte_eth_dev *dev,
+@@ -1325,15 +1325,22 @@ tap_flow_create(struct rte_eth_dev *dev,

