On Mon, Jan 27, 2025 at 10:08 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> The filter cleanup loop was using STAILQ_FOREACH and rte_free
> and would dereference the filter after free.
>
> Found by build with -Dbsanitize=address,undefined
>
> Fixes: e8fe0e067b68 ("net/bnxt: fix allocation of PF info struct")
> Cc: ajit.khaparde@broadcom.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
> ---
>  drivers/net/bnxt/bnxt_filter.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/bnxt/bnxt_filter.c b/drivers/net/bnxt/bnxt_filter.c
> index 7b90ba651f..f083f3aa94 100644
> --- a/drivers/net/bnxt/bnxt_filter.c
> +++ b/drivers/net/bnxt/bnxt_filter.c
> @@ -3,14 +3,12 @@
>   * All rights reserved.
>   */
>
> -#include <sys/queue.h>
> -
>  #include <rte_byteorder.h>
>  #include <rte_log.h>
>  #include <rte_malloc.h>
>  #include <rte_flow.h>
>  #include <rte_flow_driver.h>
> -#include <rte_tailq.h>
> +#include <rte_queue.h>
>
>  #include "bnxt.h"
>  #include "bnxt_filter.h"
> @@ -151,7 +149,9 @@ void bnxt_free_filter_mem(struct bnxt *bp)
>         bp->filter_info = NULL;
>
>         for (i = 0; i < bp->pf->max_vfs; i++) {
> -               STAILQ_FOREACH(filter, &bp->pf->vf_info[i].filter, next) {
> +               struct bnxt_filter_info *tmp;
> +
> +               STAILQ_FOREACH_SAFE(filter, &bp->pf->vf_info[i].filter, next, tmp) {
>                         rte_free(filter);
>                         STAILQ_REMOVE(&bp->pf->vf_info[i].filter, filter,
>                                       bnxt_filter_info, next);
> --
> 2.45.2
>