From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>,
shreyansh.jain@nxp.com, stable@dpdk.org,
Hemant Agrawal <hemant.agrawal@nxp.com>,
Sachin Saxena <sachin.saxena@nxp.com>
Subject: [RFC 3/7] bus/fslmc: fix use after free
Date: Mon, 27 Jan 2025 10:03:57 -0800 [thread overview]
Message-ID: <20250127180842.97907-4-stephen@networkplumber.org> (raw)
In-Reply-To: <20250127180842.97907-1-stephen@networkplumber.org>
The cleanup loop would deference the dpio_dev after freeing.
Use TAILQ_FOREACH_SAFE to fix that.
Found by building with sanitizer undefined flag.
Fixes: e55d0494ab98 ("bus/fslmc: support secondary process")
Cc: shreyansh.jain@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/bus/fslmc/portal/dpaa2_hw_dpio.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
index 2dfcf7a498..6ae15c2054 100644
--- a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
+++ b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
@@ -15,7 +15,6 @@
#include <signal.h>
#include <pthread.h>
#include <sys/types.h>
-#include <sys/queue.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/mman.h>
@@ -27,6 +26,7 @@
#include <ethdev_driver.h>
#include <rte_malloc.h>
#include <rte_memcpy.h>
+#include <rte_queue.h>
#include <rte_string_fns.h>
#include <rte_cycles.h>
#include <rte_kvargs.h>
@@ -403,6 +403,7 @@ dpaa2_create_dpio_device(int vdev_fd,
struct rte_dpaa2_device *obj)
{
struct dpaa2_dpio_dev *dpio_dev = NULL;
+ struct dpaa2_dpio_dev *dpio_tmp;
struct vfio_region_info reg_info = { .argsz = sizeof(reg_info)};
struct qbman_swp_desc p_des;
struct dpio_attr attr;
@@ -588,7 +589,7 @@ dpaa2_create_dpio_device(int vdev_fd,
rte_free(dpio_dev);
/* For each element in the list, cleanup */
- TAILQ_FOREACH(dpio_dev, &dpio_dev_list, next) {
+ TAILQ_FOREACH_SAFE(dpio_dev, &dpio_dev_list, next, dpio_tmp) {
if (dpio_dev->dpio) {
dpio_disable(dpio_dev->dpio, CMD_PRI_LOW,
dpio_dev->token);
--
2.45.2
next prev parent reply other threads:[~2025-01-27 18:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-27 18:03 [RFC 0/7] Introduce FreeBSD macros for SAFE iteration Stephen Hemminger
2025-01-27 18:03 ` [RFC 1/7] eal: add queue macro extensions from FreeBSD Stephen Hemminger
2025-01-27 18:03 ` [RFC 2/7] net/qede: fix use after free Stephen Hemminger
2025-01-27 18:03 ` Stephen Hemminger [this message]
2025-01-27 18:03 ` [RFC 4/7] net/bnxt: " Stephen Hemminger
2025-01-27 19:25 ` Ajit Khaparde
2025-01-27 18:03 ` [RFC 5/7] net/iavf: replace local version of TAILQ_FOREACH_SAFE Stephen Hemminger
2025-01-27 18:04 ` [RFC 6/7] vhost: replace open coded TAILQ_FOREACH_SAFE Stephen Hemminger
2025-01-27 18:04 ` [RFC 7/7] raw/ifpga: use EAL version of TAILQ_FOREACH_SAFE Stephen Hemminger
2025-01-27 18:16 ` [RFC 0/7] Introduce FreeBSD macros for SAFE iteration Bruce Richardson
2025-01-27 18:43 ` Stephen Hemminger
2025-01-27 19:29 ` Morten Brørup
2025-01-27 23:14 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250127180842.97907-4-stephen@networkplumber.org \
--to=stephen@networkplumber.org \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=sachin.saxena@nxp.com \
--cc=shreyansh.jain@nxp.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).