|SUCCESS| app/testpmd: avoid cmdline use-after-free on SIGINT

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Mon Apr 27 12:54:24 CEST 2026


Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/163306

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-04-27

I will review this DPDK patch for correctness, coding style, and guideline compliance.

```
commit <sha-from-patchwork>
Author: Sunyang Wu <sunyang.wu at jaguarmicro.com>

app/testpmd: avoid cmdline use-after-free on SIGINT

When testpmd runs in interactive mode, SIGINT is handled by setting
the quit flag and calling prompt_exit() so the cmdline input path can
be interrupted.

However, prompt() frees the cmdline object with cmdline_stdin_exit()
after cmdline_interact() returns, while the global testpmd_cl pointer
may still be observed by a later signal during shutdown. If SIGINT
arrives after the cmdline object is freed, prompt_exit() may call
cmdline_quit() on stale state and trigger a use-after-free.

Keep the existing prompt_exit() behavior so interactive input can
still be cancelled, but store the cmdline object in a local variable
and clear testpmd_cl before freeing it.

This preserves the interactive-mode fix introduced for Windows while
avoiding a shutdown-time use-after-free.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: stable at dpdk.org

Signed-off-by: Sunyang Wu <sunyang.wu at jaguarmicro.com>

---
 app/test-pmd/cmdline.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
index c5abeb5730..e3ed0f1865 100644
--- a/app/test-pmd/cmdline.c
+++ b/app/test-pmd/cmdline.c
@@ -14500,22 +14500,28 @@ cmdline_read_from_file(const char *filename, bool echo)
 void
 prompt_exit(void)
 {
-	cmdline_quit(testpmd_cl);
+	if (testpmd_cl != NULL)
+		cmdline_quit(testpmd_cl);
 }

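Review bot: testpmd_cl is read twice here, once in the new `if (testpmd_cl != NULL)` check and again as the argument in `cmdline_quit(testpmd_cl)`, so the check does not guarantee the value actually passed; read the global once into a local (`struct cmdline *cl = testpmd_cl; if (cl != NULL) cmdline_quit(cl);`) so the handler acts on a single snapshot. This is sufficient only when the handler runs on the thread that is inside prompt(), since that thread cannot reach the free while the handler runs; if SIGINT can be delivered to another thread, a freed pointer can still be observed and the handler would need to be confined to the prompt() thread or SIGINT blocked on the others. Because prompt_exit() is called from a signal handler, the declaration of testpmd_cl should also be qualified volatile so the compiler does not cache or split the access.
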
Does this introduce a race condition? If a SIGINT arrives after
prompt() sets testpmd_cl = NULL but while another thread still holds a
reference, could the pointer check in prompt_exit() pass while
testpmd_cl becomes NULL before cmdline_quit() executes?

Is there a time-of-check-to-time-of-use window between the NULL check
and the cmdline_quit() call if signals can arrive on different threads?

[ ... ]

@@ -14500,22 +14500,28 @@ cmdline_read_from_file(const char *filename, bool echo)
 void
 prompt(void)
 {
-	testpmd_cl = cmdline_stdin_new(main_ctx, "testpmd> ");
-	if (testpmd_cl == NULL) {
+	struct cmdline *cl;
+
+	cl = cmdline_stdin_new(main_ctx, "testpmd> ");
+	if (cl == NULL) {
 		fprintf(stderr,
 			"Failed to create stdin based cmdline context\n");
 		return;
 	}
 
-	cmdline_interact(testpmd_cl);
-	cmdline_stdin_exit(testpmd_cl);
+	testpmd_cl = cl;
+	cmdline_interact(cl);
+	/* Clear global pointer before freeing cmdline object. */
+	testpmd_cl = NULL;
+	cmdline_stdin_exit(cl);
 }

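Review bot: the ordering of `+	testpmd_cl = NULL;` before `+	cmdline_stdin_exit(cl);` is the substance of the fix, but the comment only restates what the two lines do; state why (the SIGINT handler reaches this pointer through prompt_exit(), so it must be NULL before the object it points to is freed) and record the same invariant at the declaration of testpmd_cl, otherwise a later cleanup can swap the two lines back without anything flagging it. Also worth a sentence in the commit message: the early-return path on `cl == NULL` now leaves testpmd_cl unchanged instead of writing NULL into it, which relies on the global already being NULL whenever prompt() is entered.
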
Does this code have a race between setting testpmd_cl = cl and a signal
arriving that tries to use testpmd_cl? Between the assignment and the
cmdline_interact() call, could a SIGINT fire and attempt to use the
incompletely initialized cmdline object?

Could the sequence testpmd_cl = NULL followed by cmdline_stdin_exit(cl)
leave a window where prompt_exit() observes NULL while cl is still
being freed, and then another SIGINT during the free could corrupt
internal state if cmdline_stdin_exit() is not reentrant?

```

