When testpmd runs in interactive mode, SIGINT is handled by setting
the quit flag and calling prompt_exit() so the cmdline input path can
be interrupted.

However, prompt() frees the cmdline object with cmdline_stdin_exit()
after cmdline_interact() returns, while the global testpmd_cl pointer
may still be observed by a later signal during shutdown. If SIGINT
arrives after the cmdline object is freed, prompt_exit() may call
cmdline_quit() on stale state and trigger a use-after-free.

Keep the existing prompt_exit() behavior so interactive input can
still be cancelled, but move the cmdline object lifetime under a
local pointer and use atomic load/store for testpmd_cl so the signal
path cannot observe freed state.

This preserves the interactive-mode fix introduced for Windows while
avoiding a shutdown-time use-after-free.

Fixes: f1d0993e034e ("app/testpmd: fix interactive mode on Windows")
Cc: [email protected]

Signed-off-by: Sunyang Wu <[email protected]>
---
 app/test-pmd/cmdline.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c
index c5abeb5730..bdc5c3e3eb 100644
--- a/app/test-pmd/cmdline.c
+++ b/app/test-pmd/cmdline.c
@@ -14500,22 +14500,31 @@ cmdline_read_from_file(const char *filename, bool 
echo)
 void
 prompt_exit(void)
 {
-       cmdline_quit(testpmd_cl);
+       struct cmdline *cl;
+
+       cl = __atomic_load_n(&testpmd_cl, __ATOMIC_ACQUIRE);
+       if (cl != NULL)
+               cmdline_quit(cl);
 }
 
 /* prompt function, called from main on MAIN lcore */
 void
 prompt(void)
 {
-       testpmd_cl = cmdline_stdin_new(main_ctx, "testpmd> ");
-       if (testpmd_cl == NULL) {
+       struct cmdline *cl;
+
+       cl = cmdline_stdin_new(main_ctx, "testpmd> ");
+       if (cl == NULL) {
                fprintf(stderr,
                        "Failed to create stdin based cmdline context\n");
                return;
        }
 
-       cmdline_interact(testpmd_cl);
-       cmdline_stdin_exit(testpmd_cl);
+       __atomic_store_n(&testpmd_cl, cl, __ATOMIC_RELEASE);
+       cmdline_interact(cl);
+       /* Clear global pointer before freeing cmdline object. */
+       __atomic_store_n(&testpmd_cl, NULL, __ATOMIC_RELEASE);
+       cmdline_stdin_exit(cl);
 }
 
 void
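Review bot: In prompt(), storing NULL to testpmd_cl before cmdline_stdin_exit(cl) narrows the race but does not close it if prompt_exit() can run on a different thread from prompt(). prompt_exit() may load a non-NULL cl, after which prompt() stores NULL and frees the object, and cmdline_quit(cl) then still operates on freed memory. The acquire/release pair orders the pointer accesses but says nothing about the lifetime of the object the pointer refers to. Either have prompt() wait until no prompt_exit() call is in progress before cmdline_stdin_exit(cl), for example with an in-use counter raised around the load and cmdline_quit(cl), or extend the comment above the NULL store to state that the handler is assumed to run only on the thread executing prompt(), so it has always finished by the time the free is reached.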
-- 
2.19.0.rc0.windows.1
