From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 90B474613A;
	Mon, 27 Jan 2025 19:09:18 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id A33F040B9C;
	Mon, 27 Jan 2025 19:09:01 +0100 (CET)
Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com
 [209.85.214.174])
 by mails.dpdk.org (Postfix) with ESMTP id 8125840A77
 for <dev@dpdk.org>; Mon, 27 Jan 2025 19:08:57 +0100 (CET)
Received: by mail-pl1-f174.google.com with SMTP id
 d9443c01a7336-216401de828so86478245ad.3
 for <dev@dpdk.org>; Mon, 27 Jan 2025 10:08:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20230601.gappssmtp.com; s=20230601; t=1738001337;
 x=1738606137; darn=dpdk.org; 
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=BcNj3ayfHKccjAPHmi/DersKGLXC4PnHTP301LYfkzQ=;
 b=YswLj6o0pi+a5GCpk/uGuN+YH1viySjY/TQj/L/xmtWW0zODCTZgErku7/Avzehian
 6FeALk9Ael98nEU2gkyKJR05Xtb5c+dsjP7E9ZPzdCtR46Ytal3rrbwrUwycpI7BeiZL
 XmVQTLY3mTQhVWhtcQUhfggUnUXa2X4/13XWz7VyQyAV/sOaz+hFLQzRrLLArVnpxANH
 fMW3QCdT0s8zoyeyIzOQLSn3Pcbrz4bP66IvdbR/pxrJ6BnYYGeLeNEdTxVu66OruoIC
 G5oe6ZrdhrXLFol5vjPWMFHOl8ARDpkSBjpPL+IizWf1dHr5cSyH8HopG12q1w7xXVFg
 nsKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1738001337; x=1738606137;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=BcNj3ayfHKccjAPHmi/DersKGLXC4PnHTP301LYfkzQ=;
 b=hxwyaCMuU4Tolp8nqqWPzH9ea7alom570RspKxFgYft9zME0hd9QWejDeL8b/IqWBL
 MkkJ3eZje9HAa/tIvj1Pw/ih794iZshBB2guVRo9izD/W0QUYNDdnsqHRLYzuOgG47ac
 a4gxyz+VEIb9ikzQeFnB7gqpDKXvwZnOosWJIzEEON95Bj1MKzw5P50fe34to0iCgf0r
 d2015uVtXeafFwcKKjPb2zyOVyr5T69V6gU90Y9lZNwKAg+fWRw7p67JiMZWdjAE95tI
 MhTajmUrzhc1R8F0AKxvO6qSJxZ0ny61J4O5Kl+grl0aoWYa9WL/BIJvH3TczISprJjR
 0ilA==
X-Gm-Message-State: AOJu0Ywq/4mm7UsEKpImzkFH9elpePYI/u5lZnZfXnPTg5Ct31On5ETZ
 44pNSlqWv2k60/LI0xxiMvIjsB5vTmPurf5pEJphGTbMedQHawyojRBAyYKNu5Wu8bXriwiueJ8
 6
X-Gm-Gg: ASbGncucTV7QI2NVVjyyHajx2ftvvIxZRxIQseqHtMVjDMA0AzFCXR8tEKMJbM7CPbn
 5K4xa6whf+mVZadNSkBYDNIQAdbMoG2vC8F79qjyM52NwMJZKRHRj1PD93yUfLvi2droBjOZhFK
 a2vrvqjL9a+52TVI3WAbyr/CF2kLTpiYdsogzJStMjxc5hK68CK2YyNfkeCNooSARytd/j4BF4p
 e8Uq8RnMrY7GiddvMQe90x2hj2yWBIw7Z0OBA+6ajghOHb8/2geiiKO/PHiF4nuRQuXSmEfzCH0
 b4Dk2KH5yY7FZr0Tu8tJKTDpezg9GkY7ejblVAmmCTLHuwqtlunR2Hh/Rw==
X-Google-Smtp-Source: AGHT+IFe+kkTndBDQDmnCAKJYB/R7VIofdorsHcragTpa3+LWWLDKRNXg6c71pDL6XExIh1pdzl6lw==
X-Received: by 2002:a17:903:124e:b0:215:9470:7e82 with SMTP id
 d9443c01a7336-21c351bd3afmr604672555ad.4.1738001335263; 
 Mon, 27 Jan 2025 10:08:55 -0800 (PST)
Received: from hermes.local (204-195-96-226.wavecable.com. [204.195.96.226])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-21da41413absm66166665ad.123.2025.01.27.10.08.54
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 27 Jan 2025 10:08:54 -0800 (PST)
From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>, shreyansh.jain@nxp.com,
 stable@dpdk.org, Hemant Agrawal <hemant.agrawal@nxp.com>,
 Sachin Saxena <sachin.saxena@nxp.com>
Subject: [RFC 3/7] bus/fslmc: fix use after free
Date: Mon, 27 Jan 2025 10:03:57 -0800
Message-ID: <20250127180842.97907-4-stephen@networkplumber.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250127180842.97907-1-stephen@networkplumber.org>
References: <20250127180842.97907-1-stephen@networkplumber.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

The cleanup loop would deference the dpio_dev after freeing.
Use TAILQ_FOREACH_SAFE to fix that.
Found by building with sanitizer undefined flag.

Fixes: e55d0494ab98 ("bus/fslmc: support secondary process")
Cc: shreyansh.jain@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 drivers/bus/fslmc/portal/dpaa2_hw_dpio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
index 2dfcf7a498..6ae15c2054 100644
--- a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
+++ b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
@@ -15,7 +15,6 @@
 #include <signal.h>
 #include <pthread.h>
 #include <sys/types.h>
-#include <sys/queue.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
@@ -27,6 +26,7 @@
 #include <ethdev_driver.h>
 #include <rte_malloc.h>
 #include <rte_memcpy.h>
+#include <rte_queue.h>
 #include <rte_string_fns.h>
 #include <rte_cycles.h>
 #include <rte_kvargs.h>
@@ -403,6 +403,7 @@ dpaa2_create_dpio_device(int vdev_fd,
 	struct rte_dpaa2_device *obj)
 {
 	struct dpaa2_dpio_dev *dpio_dev = NULL;
+	struct dpaa2_dpio_dev *dpio_tmp;
 	struct vfio_region_info reg_info = { .argsz = sizeof(reg_info)};
 	struct qbman_swp_desc p_des;
 	struct dpio_attr attr;
@@ -588,7 +589,7 @@ dpaa2_create_dpio_device(int vdev_fd,
 	rte_free(dpio_dev);
 
 	/* For each element in the list, cleanup */
-	TAILQ_FOREACH(dpio_dev, &dpio_dev_list, next) {
+	TAILQ_FOREACH_SAFE(dpio_dev, &dpio_dev_list, next, dpio_tmp) {
 		if (dpio_dev->dpio) {
 			dpio_disable(dpio_dev->dpio, CMD_PRI_LOW,
 				dpio_dev->token);
-- 
2.45.2