port: unplug from graph before destroy

rjarry · maxime-leroy · commit ddf306703565 · 2026-01-29T11:41:13.000+01:00
The port_rx node stores a direct pointer to its associated struct iface in its context (ctx->iface). This pointer is set during graph initialization and is used directly to access interface data without going through iface_from_id(). When deleting a port interface, the previous sequence was: 1. gr_event_push(IFACE_PRE_REMOVE) 2. cleanup (status down, vrf decref, nexthop cleanup) 3. ifaces[iface->id] = NULL 4. rte_rcu_qsbr_synchronize() 5. gr_event_push(IFACE_REMOVE) 6. rte_free(iface) This was not sufficient to prevent use-after-free. Even after setting ifaces[id] to NULL and waiting for RCU sync, the port_rx node would continue running and receiving packets while holding a stale pointer to the freed iface memory. This was detected by libasan: + grcli interface del p0 ... DEBUG: GROUT: iface_event: iface event [0xacdc0003] PRE_REMOVE triggered for iface p0. ... DEBUG: GROUT: iface_event: iface event [0xacdc0007] STATUS_DOWN triggered for iface p0. DEBUG: GROUT: iface_event: iface event [0xacdc0004] REMOVE triggered for iface p0. ... NOTICE: GROUT: [rx p0] 02:e3:ad:74:50:9b > 01:80:c2:00:00:02 / LACP active fast aggreg sync collect distrib, (pkt_len=124) ... INFO: GROUT: iface_port_fini: port 0 destroyed ================================================================= ==72683==ERROR: AddressSanitizer: heap-use-after-free ... READ of size 1 at 0x7f9764309b02 thread T0 lacp_input_cb ../modules/infra/control/lacp.c:42 control_queue_poll ../modules/infra/control/control_queue.c:52 event_base_loop (/lib/x86_64-linux-gnu/libevent_core-2.1.so.7+0x20fae) main ../main/main.c:326 Fix this by subscribing to GR_EVENT_IFACE_PRE_REMOVE and calling port_unplug() which disables the port queue mappings and reloads all worker graphs, effectively removing the port_rx nodes for that port. Fixes: 587d5e4 ("rx,tx: use one node per port queue") Signed-off-by: Robin Jarry <rjarry@redhat.com> Reviewed-by: Anthony Harivel <aharivel@redhat.com> Reviewed-by: Maxime Leroy <maxime@leroys.fr>
diff --git a/modules/infra/control/port.c b/modules/infra/control/port.c
@@ -815,7 +815,22 @@ static struct gr_module port_module = {
 	.fini = port_fini,
 };
 
+static void port_unplug_cb(uint32_t /*event*/, const void *obj) {
+	const struct iface *iface = obj;
+	if (iface->type != GR_IFACE_TYPE_PORT)
+		return;
+	if (port_unplug(iface_info_port(iface)) < 0)
+		LOG(WARNING, "port_unplug(%s): %s", iface->name, strerror(errno));
+}
+
+static struct gr_event_subscription port_subscription = {
+	.callback = port_unplug_cb,
+	.ev_count = 1,
+	.ev_types = {GR_EVENT_IFACE_PRE_REMOVE},
+};
+
 RTE_INIT(port_constructor) {
 	iface_type_register(&iface_type_port);
 	gr_register_module(&port_module);
+	gr_event_subscribe(&port_subscription);
 }
diff --git a/modules/infra/control/port_test.c b/modules/infra/control/port_test.c
@@ -22,6 +22,7 @@ void gr_register_api_handler(struct gr_api_handler *) { }
 void gr_register_module(struct gr_module *) { }
 void iface_type_register(struct iface_type *) { }
 void gr_event_push(uint32_t, const void *) { }
+void gr_event_subscribe(struct gr_event_subscription *) { }
 mock_func(struct rte_mempool *, gr_pktmbuf_pool_get(int8_t, uint32_t));
 void gr_pktmbuf_pool_release(struct rte_mempool *, uint32_t) { }
 struct rte_rcu_qsbr *gr_datapath_rcu(void) {
diff --git a/modules/infra/control/worker_test.c b/modules/infra/control/worker_test.c
@@ -38,6 +38,7 @@ int gr_rte_log_type;
 struct gr_config gr_config;
 void gr_register_api_handler(struct gr_api_handler *) { }
 void gr_register_module(struct gr_module *) { }
+void gr_event_subscribe(struct gr_event_subscription *) { }
 void iface_type_register(struct iface_type *) { }
 void gr_metrics_ctx_init(struct gr_metrics_ctx *, struct gr_metrics_writer *, ...) { }
 void gr_metrics_labels_add(struct gr_metrics_ctx *, ...) { }
