The rx_queues and tx_queues arrays are allocated as contiguous
blocks via rte_zmalloc_socket() in init_internals(). However,
eth_dev_close() incorrectly calls rte_free() on individual array
elements (rxq and rxq->pair) inside the per-queue cleanup loop.
Since rte_free(&rx_queues[0]) releases the entire contiguous
block, the memory backing queues[1..N-1] becomes invalid after
the first iteration. On subsequent iterations, accessing the
freed memory may read NULL (or garbage), causing the loop to
break early via the (rxq->umem == NULL) check.
This results in:
- XSK sockets for queues 1..N-1 not being deleted
- UMEM reference counts not being decremented, leaking memory
- Potential use-after-free if freed memory is reallocated
Fix by removing the per-element rte_free() calls from inside
the loop and instead freeing the entire tx_queues and rx_queues
arrays after the loop completes.
Fixes: 339b88c6a91f ("net/af_xdp: support multi-queue")
Cc: [email protected]
Signed-off-by: Ouyang Hao <[email protected]>
---
drivers/net/af_xdp/rte_eth_af_xdp.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/net/af_xdp/rte_eth_af_xdp.c
b/drivers/net/af_xdp/rte_eth_af_xdp.c
index 10dbcf1333..2cdb533276 100644
--- a/drivers/net/af_xdp/rte_eth_af_xdp.c
+++ b/drivers/net/af_xdp/rte_eth_af_xdp.c
@@ -1069,12 +1069,10 @@ eth_dev_close(struct rte_eth_dev *dev)
if (rte_atomic_fetch_sub_explicit(&rxq->umem->refcnt, 1,
rte_memory_order_acquire) - 1 == 0)
xdp_umem_destroy(rxq->umem);
-
- /* free pkt_tx_queue */
- rte_free(rxq->pair);
- rte_free(rxq);
}
-
+ /* Free Tx and Rx queue arrays */
+ rte_free(internals->tx_queues);
+ rte_free(internals->rx_queues);
/*
* MAC is not allocated dynamically, setting it to NULL would prevent
* from releasing it in rte_eth_dev_release_port.
--
2.37.1
