[PATCH 22.11] common/idpf: fix use after free in mailbox init

[PATCH 22.11] common/idpf: fix use after free in mailbox init

[Stephen Hemminger]

[ upstream commit 4baf54ed9dc87b89ea2150578c51120bc0157bb0 ]

The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
as a simple LIST_FOR_EACH macro.
But they are not the same the _SAFE variant guarantees that
there will not be use after free.

Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
Cc: stable@dpdk.org

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Morten Brørup <mb@smartsharesystems.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
Acked-by: Wathsala Vithanage <wathsala.vithanage@arm.com>
---
 drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
 drivers/net/idpf/idpf_ethdev.c        |  3 +--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/common/idpf/base/idpf_osdep.h b/drivers/common/idpf/base/idpf_osdep.h
index 99ae9cf60a..b6124ab083 100644
--- a/drivers/common/idpf/base/idpf_osdep.h
+++ b/drivers/common/idpf/base/idpf_osdep.h
@@ -349,10 +349,16 @@ idpf_hweight32(u32 num)
 #define LIST_ENTRY_TYPE(type)	   LIST_ENTRY(type)
 #endif
 
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar)			\
+	for ((var) = LIST_FIRST((head));				\
+	    (var) && ((tvar) = LIST_NEXT((var), field), 1);		\
+	    (var) = (tvar))
+#endif
+
 #ifndef LIST_FOR_EACH_ENTRY_SAFE
 #define LIST_FOR_EACH_ENTRY_SAFE(pos, temp, head, entry_type, list)	\
-	LIST_FOREACH(pos, head, list)
-
+	LIST_FOREACH_SAFE(pos, head, list, temp)
 #endif
 
 #ifndef LIST_FOR_EACH_ENTRY
diff --git a/drivers/net/idpf/idpf_ethdev.c b/drivers/net/idpf/idpf_ethdev.c
index b31cb47e90..65b970d36d 100644
--- a/drivers/net/idpf/idpf_ethdev.c
+++ b/drivers/net/idpf/idpf_ethdev.c
@@ -895,8 +895,7 @@ idpf_init_mbx(struct idpf_hw *hw)
 	if (ret != 0)
 		return ret;
 
-	LIST_FOR_EACH_ENTRY_SAFE(ctlq, NULL, &hw->cq_list_head,
-				 struct idpf_ctlq_info, cq_list) {
+	LIST_FOR_EACH_ENTRY(ctlq, &hw->cq_list_head, struct idpf_ctlq_info, cq_list) {
 		if (ctlq->q_id == IDPF_CTLQ_ID &&
 		    ctlq->cq_type == IDPF_CTLQ_TYPE_MAILBOX_TX)
 			hw->asq = ctlq;
-- 
2.45.2

Re: [PATCH 22.11] common/idpf: fix use after free in mailbox init

[Luca Boccassi]

On Fri, 25 Oct 2024 at 01:14, Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> [ upstream commit 4baf54ed9dc87b89ea2150578c51120bc0157bb0 ]
>
> The macro in this driver was redefining LIST_FOR_EACH_ENTRY_SAFE
> as a simple LIST_FOR_EACH macro.
> But they are not the same the _SAFE variant guarantees that
> there will not be use after free.
>
> Fixes: fb4ac04e9bfa ("common/idpf: introduce common library")
> Cc: stable@dpdk.org
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
> Acked-by: Wathsala Vithanage <wathsala.vithanage@arm.com>
> ---
>  drivers/common/idpf/base/idpf_osdep.h | 10 ++++++++--
>  drivers/net/idpf/idpf_ethdev.c        |  3 +--
>  2 files changed, 9 insertions(+), 4 deletions(-)

Thanks, applied