From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1E72448A8D for ; Mon, 3 Nov 2025 17:37:09 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 05F234029C; Mon, 3 Nov 2025 17:37:09 +0100 (CET) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mails.dpdk.org (Postfix) with ESMTP id 68EF44029C for ; Mon, 3 Nov 2025 17:37:08 +0100 (CET) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-7a9c64dfa6eso1316460b3a.3 for ; Mon, 03 Nov 2025 08:37:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20230601.gappssmtp.com; s=20230601; t=1762187827; x=1762792627; darn=dpdk.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=TJug752yRk+a+DsC79ySgX2kPUXsXbsiZHrJPsi0dNQ=; b=Dwsx+egPu1cDY0W9ybGvcSGFtoiV12qvlRCwt0p4yew+37+gnZhcCJ1L+mvtqaC8AR WQzE4GyBnp0DoOUalNT4dKgjvkg+vjcrDOLs1jkr9W7jvrg+f0aPJg3OhPZCmEypTwIM DC6x1BAwfx+WXEUXgPI6Bo2Kkc75vQyqIw3Ov1YivaJMwjP9f6Nk+afdKvCJCScvGj42 8UAOJ76+YsgxJh/IK04uSguDtEzmpdcVVaJ/SXtD1MchuaxK9ylGP9s+ChGchDWeCfdS Uxn8unom/o3hbHZcUsBm1FrZoegVfE4rS2/5qvdPWmGYS0KK4P2K1Wf+i3l+HToFOiSX mK4g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762187827; x=1762792627; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TJug752yRk+a+DsC79ySgX2kPUXsXbsiZHrJPsi0dNQ=; b=NNWBooLJbPrbZhuqKkHPNULIrc09qp8Mlzm/RQ1qNjbOhMjg/nXAGXHfhULQvtFWzw EPe1FWFqGQh+I3aLhiemj4zS1fhADGO8BWHjXnDvf3ck9j6ZFFrJufTll8/abYp4DEiJ My32MRgkl8i4CGIqaQGydtWXLmg0zREHLEtgk1L+0ZWDlGaUOiIpoljkxm/XIfiz+RYf NQDAInSuYc3Q/lABAeHdbCezCaSrWYK3keRf4MdHfsBUbkc6tY/nOVfc1v1ppQUXjPpb W5f1cOTh6Q28X/Jvk3b/vZIs0K2DQGU45M9uv/3dBVt6bZOJAMZTrITcXENhwj/exbBJ nZIg== X-Forwarded-Encrypted: i=1; AJvYcCUP2/+knUG6kNR5PwQxEy/4jURI4lEnIjL9UA/6MaARZ2cz6Qs5TIb81coCXuMebcnJjsadSiY=@dpdk.org X-Gm-Message-State: AOJu0YxALmkYZ4BltIzTS2iKDEek8NJLsHQEKyq3HFQnNALYEuFxaCbV I0tZT2sMJt6zUWD6eKl2RVJ1xm8KS92EIY0fbSSXTGlp/vTJeIdiX0TW65uDQ1gMMnA= X-Gm-Gg: ASbGncthIRaVIUmCZtolG3v8P85XJXasRg64A7ml4tX42s5tEkE8DyGoRmoHKLweqWi K00FkHQCfH1SbLoFLWG/lr0s5pcX8kV0u0/pJBY9HJPfereotr+ZY9+JS0ugJLwidI7WbodwGrR /po0RFd0b8XauKb0z8tHX0+g5bfuLXbNNYF9apVEX9Fzjm6n36uavuTb2fRNbe5iCHJhsEHeTn9 sAPB5s/THktrbSCV7NacoN0ZmytP9gzQX889moOJeAPEBQoNB2V02FOt5fQ0dZkWlpJFDIfs3MO TpDmLG5whyqExCX0UXkG5qKCbqZE7w/a87Gexjpuc5/7xSeRShduyZRs4M2LlSM0nmNBjYF21uE ZRUtJ38Vip6+r/woZudiPAQQR1XE94aay+Ehm0Y1pR6NtnetM53bCu+pkt0i/iYRE9YpaGkQf+T UmS/hjROBCQfUuKAdnOtZ1pp4c77QehTCwvfwds4ga2MxtEreegA== X-Google-Smtp-Source: AGHT+IG3bDcf2h56zAhZcC4iErdoGJKFp+xM9JH/FG9BDOYGjguD2p2F0utxng+T5ks1FNCGJvL8kQ== X-Received: by 2002:a05:6a20:3d07:b0:342:9487:7dee with SMTP id adf61e73a8af0-348c9f6791fmr17103801637.12.1762187827182; Mon, 03 Nov 2025 08:37:07 -0800 (PST) Received: from phoenix.lan (204-195-96-226.wavecable.com. [204.195.96.226]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b93b8c8cdc0sm11019722a12.13.2025.11.03.08.37.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Nov 2025 08:37:06 -0800 (PST) From: Stephen Hemminger To: dev@dpdk.org Cc: Stephen Hemminger , longli@microsoft.com, stable@dpdk.org, Wei Hu Subject: [PATCH] net/netvsc: fix use after free in cache list cleanup Date: Mon, 3 Nov 2025 08:37:03 -0800 Message-ID: <20251103163703.100238-1-stephen@networkplumber.org> X-Mailer: git-send-email 2.51.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org The variable cache is referred to by LIST_FOREACH macro after was freed. Replace by the standard LIST_FOREACH_SAFE from BSD (and other drivers). Fixes: 9a9d038c782e ("net/netvsc: cache device parameters for hotplug events") Cc: longli@microsoft.com Cc: stable@dpdk.org Signed-off-by: Stephen Hemminger --- drivers/net/netvsc/hn_ethdev.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/net/netvsc/hn_ethdev.c b/drivers/net/netvsc/hn_ethdev.c index dc765e88f7..6584819f4f 100644 --- a/drivers/net/netvsc/hn_ethdev.c +++ b/drivers/net/netvsc/hn_ethdev.c @@ -41,6 +41,13 @@ #include "hn_nvs.h" #include "ndis.h" +#ifndef LIST_FOREACH_SAFE +#define LIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = LIST_FIRST((head)); \ + (var) && ((tvar) = LIST_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + #define HN_TX_OFFLOAD_CAPS (RTE_ETH_TX_OFFLOAD_IPV4_CKSUM | \ RTE_ETH_TX_OFFLOAD_TCP_CKSUM | \ RTE_ETH_TX_OFFLOAD_UDP_CKSUM | \ @@ -1479,14 +1486,14 @@ static int populate_cache_list(void) static void remove_cache_list(void) { - struct da_cache *cache; + struct da_cache *cache, *tmp; rte_spinlock_lock(&netvsc_lock); da_cache_usage--; if (da_cache_usage) goto out; - LIST_FOREACH(cache, &da_cache_list, list) { + LIST_FOREACH_SAFE(cache, &da_cache_list, list, tmp) { LIST_REMOVE(cache, list); free(cache); } -- 2.51.0