* [PATCH] net/netvsc: fix use after free in cache list cleanup
@ 2025-11-03 16:37 Stephen Hemminger
0 siblings, 0 replies; only message in thread
From: Stephen Hemminger @ 2025-11-03 16:37 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, longli, stable, Wei Hu
The variable cache is referred to by LIST_FOREACH macro
after was freed. Replace by the standard LIST_FOREACH_SAFE
from BSD (and other drivers).
Fixes: 9a9d038c782e ("net/netvsc: cache device parameters for hotplug events")
Cc: longli@microsoft.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/netvsc/hn_ethdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/netvsc/hn_ethdev.c b/drivers/net/netvsc/hn_ethdev.c
index dc765e88f7..6584819f4f 100644
--- a/drivers/net/netvsc/hn_ethdev.c
+++ b/drivers/net/netvsc/hn_ethdev.c
@@ -41,6 +41,13 @@
#include "hn_nvs.h"
#include "ndis.h"
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#define HN_TX_OFFLOAD_CAPS (RTE_ETH_TX_OFFLOAD_IPV4_CKSUM | \
RTE_ETH_TX_OFFLOAD_TCP_CKSUM | \
RTE_ETH_TX_OFFLOAD_UDP_CKSUM | \
@@ -1479,14 +1486,14 @@ static int populate_cache_list(void)
static void remove_cache_list(void)
{
- struct da_cache *cache;
+ struct da_cache *cache, *tmp;
rte_spinlock_lock(&netvsc_lock);
da_cache_usage--;
if (da_cache_usage)
goto out;
- LIST_FOREACH(cache, &da_cache_list, list) {
+ LIST_FOREACH_SAFE(cache, &da_cache_list, list, tmp) {
LIST_REMOVE(cache, list);
free(cache);
}
--
2.51.0
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-11-03 16:37 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-03 16:37 [PATCH] net/netvsc: fix use after free in cache list cleanup Stephen Hemminger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).