From: Stephen Hemminger
To: dev@dpdk.org
Cc: Stephen Hemminger, jin.liu@corigine.com, stable@dpdk.org, Chaoyong He, Niklas Söderlund, Peng Zhang
Subject: [PATCH v3 01/44] net/nfp: fix use after free
Date: Mon, 3 Nov 2025 08:47:06 -0800
Message-ID: <20251103164915.101713-2-stephen@networkplumber.org>
In-Reply-To: <20251103164915.101713-1-stephen@networkplumber.org>
References: <20250818233102.180207-1-stephen@networkplumber.org> <20251103164915.101713-1-stephen@networkplumber.org>
List-Id: patches for DPDK stable branches

The code to clean up metering was using the objects after calling rte_free(). Fix by using LIST_FOREACH_SAFE.

Fixes: 2caf84a71cfd ("net/nfp: add meter options")
Cc: jin.liu@corigine.com
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger

--- drivers/net/nfp/nfp_mtr.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/drivers/net/nfp/nfp_mtr.c b/drivers/net/nfp/nfp_mtr.c index d4f2c4f2f0..4833ebd881 100644 --- a/drivers/net/nfp/nfp_mtr.c +++ b/drivers/net/nfp/nfp_mtr.c @@ -12,6 +12,13 @@ #include "flower/nfp_flower_representor.h" #include "nfp_logs.h" +#ifndef LIST_FOREACH_SAFE +#define LIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = LIST_FIRST((head)); \ + (var) && ((tvar) = LIST_NEXT((var), field), 1); \ + (var) = (tvar)) +#endif + #define NFP_MAX_POLICY_CNT NFP_MAX_MTR_CNT #define NFP_MAX_PROFILE_CNT NFP_MAX_MTR_CNT 
@@ -1124,10 +1131,10 @@ nfp_mtr_priv_init(struct nfp_pf_dev *pf_dev) void nfp_mtr_priv_uninit(struct nfp_pf_dev *pf_dev) { - struct nfp_mtr *mtr; + struct nfp_mtr *mtr, *tmp_mtr; struct nfp_mtr_priv *priv; - struct nfp_mtr_policy *mtr_policy; - struct nfp_mtr_profile *mtr_profile; + struct nfp_mtr_policy *mtr_policy, *tmp_policy; + struct nfp_mtr_profile *mtr_profile, *tmp_profile; struct nfp_app_fw_flower *app_fw_flower; app_fw_flower = NFP_PRIV_TO_APP_FW_FLOWER(pf_dev->app_fw_priv); @@ -1135,17 +1142,17 @@ nfp_mtr_priv_uninit(struct nfp_pf_dev *pf_dev) rte_eal_alarm_cancel(nfp_mtr_stats_request, (void *)app_fw_flower); - LIST_FOREACH(mtr, &priv->mtrs, next) { + LIST_FOREACH_SAFE(mtr, &priv->mtrs, next, tmp_mtr) { LIST_REMOVE(mtr, next); rte_free(mtr); } - LIST_FOREACH(mtr_profile, &priv->profiles, next) { + LIST_FOREACH_SAFE(mtr_profile, &priv->profiles, next, tmp_profile) { LIST_REMOVE(mtr_profile, next); rte_free(mtr_profile); } - LIST_FOREACH(mtr_policy, &priv->policies, next) { + LIST_FOREACH_SAFE(mtr_policy, &priv->policies, next, tmp_policy) { LIST_REMOVE(mtr_policy, next); rte_free(mtr_policy); } -- 2.51.0
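Review bot: The fallback LIST_FOREACH_SAFE added at the top of nfp_mtr.c (hunk @@ -12,6 +12,13 @@) is private to this one source file and carries no comment on the ", 1" in its loop condition. That comma expression keeps the condition true when LIST_NEXT() returns NULL for the last element, so the final node is still visited and freed; a one-line comment saying so would keep a later cleanup from rewriting it into a loop that skips the tail of the list. If other files need the same free-while-iterating pattern, a definition in a shared header would avoid repeating this #ifndef-guarded copy.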
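Review bot: In nfp_mtr_priv_uninit() (hunk @@ -1135,17 +1142,17 @@) all three loops empty their list completely, so the saved-next iteration and the three extra tmp_* locals are more than this teardown needs. A drain loop of the form "while ((mtr = LIST_FIRST(&priv->mtrs)) != NULL) { LIST_REMOVE(mtr, next); rte_free(mtr); }" takes each pointer from the list head rather than from a node that has just been freed, and would make the fallback macro unnecessary. Either form closes the use after free in the removed lines, where LIST_FOREACH advanced through the next field of the element that rte_free() had already released.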