patch 'eal/linux: unregister alarm callback before free' has been queued to stable release 23.11.5

Xueming Li xuemingl at nvidia.com
Thu Jun 26 14:01:35 CEST 2025


Hi,

FYI, your patch has been queued to stable release 23.11.5

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/28/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=57bb5ce25eaf5ed693a387b152b476c68e16c041

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
From 57bb5ce25eaf5ed693a387b152b476c68e16c041 Mon Sep 17 00:00:00 2001
From: Rui Ferreira <rui.ferreira1 at h-partners.com>
Date: Fri, 30 May 2025 09:18:43 +0100
Subject: [PATCH] eal/linux: unregister alarm callback before free
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit d84bf0d9aeb474d89a412b6af8e947b16bfcb895 ]

This was flagged by Address sanitizer as a use after free. The
intr_handle ptr is shared between the main thread and the interrupt
thread. The interrupt thread can dereference the ptr after free (from
the alarm callback). free is called when the main thread cleans up.

The interrupt thread never terminates (eal_intr_thread_main) so
use rte_intr_callback_unregister_sync during cleanup to
ensure the callback is removed before freeing the ptr.

To be more defensive clear out the pointer and registration
variable if we can unregister.

rte_intr_callback_unregister_sync may (optionally) use traces
so the alarm cleanup must happen before eal_trace_fini to avoid
accessing freed memory.

Bugzilla ID: 1683
Fixes: 90b13ab8d4f7 ("alarm: remove direct access to interrupt handle")

Signed-off-by: Rui Ferreira <rui.ferreira1 at h-partners.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Signed-off-by: Thomas Monjalon <thomas at monjalon.net>
---
 .mailmap                  | 1 +
 lib/eal/linux/eal.c       | 2 +-
 lib/eal/linux/eal_alarm.c | 9 ++++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.mailmap b/.mailmap
index b4e75a6046..b1e5e00cb7 100644
--- a/.mailmap
+++ b/.mailmap
@@ -1255,6 +1255,7 @@ Rosen Xu <rosen.xu at intel.com>
 Roy Franz <roy.franz at cavium.com>
 Roy Pledge <roy.pledge at nxp.com>
 Roy Shterman <roy.shterman at vastdata.com>
+Rui Ferreira <rui.ferreira1 at h-partners.com>
 Ruifeng Wang <ruifeng.wang at arm.com>
 Rushil Gupta <rushilg at google.com>
 Ryan E Hall <ryan.e.hall at intel.com>
diff --git a/lib/eal/linux/eal.c b/lib/eal/linux/eal.c
index 57da058cec..b3b69a090a 100644
--- a/lib/eal/linux/eal.c
+++ b/lib/eal/linux/eal.c
@@ -1371,10 +1371,10 @@ rte_eal_cleanup(void)
 #endif
 	rte_mp_channel_cleanup();
 	eal_bus_cleanup();
+	rte_eal_alarm_cleanup();
 	rte_trace_save();
 	eal_trace_fini();
 	eal_mp_dev_hotplug_cleanup();
-	rte_eal_alarm_cleanup();
 	/* after this point, any DPDK pointers will become dangling */
 	rte_eal_memory_detach();
 	rte_eal_malloc_heap_cleanup();
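
Review bot: the new position of rte_eal_alarm_cleanup() ahead of rte_trace_save() and eal_trace_fini() is an ordering requirement that is recorded only in the commit message. A one-line comment above the call in rte_eal_cleanup(), saying that the alarm callback is unregistered here because the unregister path may emit traces and so has to run before eal_trace_fini(), would keep a later reshuffle of this sequence from reintroducing the problem. It is also worth confirming that eal_mp_dev_hotplug_cleanup(), which now runs after the alarm handle is gone, does not set or cancel an alarm.
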
diff --git a/lib/eal/linux/eal_alarm.c b/lib/eal/linux/eal_alarm.c
index 766ba2c251..8f98726a57 100644
--- a/lib/eal/linux/eal_alarm.c
+++ b/lib/eal/linux/eal_alarm.c
@@ -56,7 +56,14 @@ static void eal_alarm_callback(void *arg);
 void
 rte_eal_alarm_cleanup(void)
 {
-	rte_intr_instance_free(intr_handle);
+	/* unregister callback using intr_handle in interrupt thread */
+	int ret = rte_intr_callback_unregister_sync(intr_handle,
+						eal_alarm_callback, (void *)-1);
+	if (ret >= 0) {
+		rte_intr_instance_free(intr_handle);
+		intr_handle = NULL;
+		handler_registered = 0;
+	}
 }
 
 int
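
Review bot: in rte_eal_alarm_cleanup() the ret < 0 branch is silent: intr_handle stays allocated, handler_registered keeps its value, and the void return gives the caller no signal. Leaking is the safer choice over freeing a handle the interrupt thread may still use, but please log the failure with the return code, and check the case where no alarm was ever set: if handler_registered is still 0 and the unregister call reports that as an error, the handle is never freed. A short comment on the (void *)-1 argument explaining what it matches would also help readers.
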
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2025-06-26 19:59:20.562834711 +0800
+++ 0075-eal-linux-unregister-alarm-callback-before-free.patch	2025-06-26 19:59:17.498418039 +0800
@@ -1 +1 @@
-From d84bf0d9aeb474d89a412b6af8e947b16bfcb895 Mon Sep 17 00:00:00 2001
+From 57bb5ce25eaf5ed693a387b152b476c68e16c041 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit d84bf0d9aeb474d89a412b6af8e947b16bfcb895 ]
@@ -24 +26,0 @@
-Cc: stable at dpdk.org
@@ -36 +38 @@
-index fb90483bee..9135f06efc 100644
+index b4e75a6046..b1e5e00cb7 100644
@@ -39 +41 @@
-@@ -1339,6 +1339,7 @@ Rosen Xu <rosen.xu at altera.com> <rosen.xu at intel.com>
+@@ -1255,6 +1255,7 @@ Rosen Xu <rosen.xu at intel.com>
@@ -45 +46,0 @@
- Rupesh Chiluka <rchiluka at marvell.com>
@@ -46,0 +48 @@
+ Ryan E Hall <ryan.e.hall at intel.com>
@@ -48 +50 @@
-index 20f777b8b0..de90ab3b86 100644
+index 57da058cec..b3b69a090a 100644
@@ -51 +53 @@
-@@ -1328,10 +1328,10 @@ rte_eal_cleanup(void)
+@@ -1371,10 +1371,10 @@ rte_eal_cleanup(void)
@@ -64 +66 @@
-index b216a007a3..eb6a21d4f0 100644
+index 766ba2c251..8f98726a57 100644
@@ -67 +69 @@
-@@ -57,7 +57,14 @@ static void eal_alarm_callback(void *arg);
+@@ -56,7 +56,14 @@ static void eal_alarm_callback(void *arg);

