control_output: fix use-after-free on shutdown

rjarry · rjarry · commit c8d58528d7e8 · 2025-12-04T09:17:58.000+01:00
Since commit e954453 ("control-output: prevent use-after-free on object deletion"), deleting interfaces or nexthops causes a call to control_output_poll() in order to drain the packets that may reference the deleted object. On shutdown, the modules finalization order causes control_output to be finalized before the iface module. When the iface module is finalized, all remaining interfaces are deleted and control_output_poll() accesses the ring that was already "freed". ERROR: AddressSanitizer: heap-use-after-free on address 0x00016d19d608 at pc 0x00000045901c bp 0xffffca318bd0 sp 0xffffca318be8 READ of size 4 at 0x00016d19d608 thread T0 #0 0x000000459018 in rte_ring_dequeue_bulk_elem ../subprojects/dpdk/lib/ring/rte_ring_elem.h:375 #1 0x000000459018 in rte_ring_dequeue_elem ../subprojects/dpdk/lib/ring/rte_ring_elem.h:471 #2 0x000000459018 in rte_ring_dequeue ../subprojects/dpdk/lib/ring/rte_ring.h:496 #3 0x000000459018 in control_output_poll ../modules/infra/control/control_output.c:33 #4 0x0000004648a0 in event_handler ../modules/infra/control/control_output.c:76 #5 0x000000416974 in gr_event_push ../main/event.c:26 #6 0x00000046a930 in iface_destroy ../modules/infra/control/iface.c:424 #7 0x00000046b138 in iface_fini ../modules/infra/control/iface.c:462 #8 0x00000041d63c in modules_fini ../main/module.c:112 #9 0x00000041b5a4 in main ../main/main.c:326 Ensure both iface and nexthop are finalized before control_output. Fixes: e954453 ("control-output: prevent use-after-free on object deletion") Signed-off-by: Robin Jarry <rjarry@redhat.com>
diff --git a/modules/infra/control/graph.c b/modules/infra/control/graph.c
@@ -579,7 +579,6 @@ static void graph_fini(struct event_base *) {
 
 static struct gr_module graph_module = {
 	.name = "graph",
-	.depends_on = "iface",
 	.init = graph_init,
 	.fini = graph_fini,
 };
diff --git a/modules/infra/control/iface.c b/modules/infra/control/iface.c
@@ -469,7 +469,7 @@ static void iface_fini(struct event_base *) {
 
 static struct gr_module iface_module = {
 	.name = "iface",
-	.depends_on = "*route",
+	.depends_on = "*route,control_output",
 	.init = iface_init,
 	.fini = iface_fini,
 };
diff --git a/modules/infra/control/nexthop.c b/modules/infra/control/nexthop.c
@@ -693,7 +693,7 @@ static struct gr_event_serializer nh_serializer = {
 
 static struct gr_module module = {
 	.name = "nexthop",
-	.depends_on = "rcu",
+	.depends_on = "rcu,control_output",
 	.init = nh_init,
 	.fini = nh_fini,
 };
