From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>,
longli@microsoft.com, stable@dpdk.org, Wei Hu <weh@microsoft.com>
Subject: [PATCH] net/netvsc: fix use after free in cache list cleanup
Date: Mon, 3 Nov 2025 08:37:03 -0800 [thread overview]
Message-ID: <20251103163703.100238-1-stephen@networkplumber.org> (raw)
The variable cache is referred to by LIST_FOREACH macro
after was freed. Replace by the standard LIST_FOREACH_SAFE
from BSD (and other drivers).
Fixes: 9a9d038c782e ("net/netvsc: cache device parameters for hotplug events")
Cc: longli@microsoft.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/netvsc/hn_ethdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/netvsc/hn_ethdev.c b/drivers/net/netvsc/hn_ethdev.c
index dc765e88f7..6584819f4f 100644
--- a/drivers/net/netvsc/hn_ethdev.c
+++ b/drivers/net/netvsc/hn_ethdev.c
@@ -41,6 +41,13 @@
#include "hn_nvs.h"
#include "ndis.h"
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#define HN_TX_OFFLOAD_CAPS (RTE_ETH_TX_OFFLOAD_IPV4_CKSUM | \
RTE_ETH_TX_OFFLOAD_TCP_CKSUM | \
RTE_ETH_TX_OFFLOAD_UDP_CKSUM | \
@@ -1479,14 +1486,14 @@ static int populate_cache_list(void)
static void remove_cache_list(void)
{
- struct da_cache *cache;
+ struct da_cache *cache, *tmp;
rte_spinlock_lock(&netvsc_lock);
da_cache_usage--;
if (da_cache_usage)
goto out;
- LIST_FOREACH(cache, &da_cache_list, list) {
+ LIST_FOREACH_SAFE(cache, &da_cache_list, list, tmp) {
LIST_REMOVE(cache, list);
free(cache);
}
--
2.51.0
next reply other threads:[~2025-11-03 16:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-03 16:37 Stephen Hemminger [this message]
2025-11-04 14:45 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251103163703.100238-1-stephen@networkplumber.org \
--to=stephen@networkplumber.org \
--cc=dev@dpdk.org \
--cc=longli@microsoft.com \
--cc=stable@dpdk.org \
--cc=weh@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).