From: Dapeng Yu <dapengx.yu@intel.com> The original code use a heap pointer after it is freed. This patch fix it. Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter") Cc: stable@dpdk.org Signed-off-by: Dapeng Yu <dapengx.yu@intel.com> --- drivers/net/ixgbe/ixgbe_flow.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ixgbe/ixgbe_flow.c b/drivers/net/ixgbe/ixgbe_flow.c index 0b10e91a9b..4db5ef4b2b 100644 --- a/drivers/net/ixgbe/ixgbe_flow.c +++ b/drivers/net/ixgbe/ixgbe_flow.c @@ -32,6 +32,7 @@ #include <rte_hash_crc.h> #include <rte_flow.h> #include <rte_flow_driver.h> +#include <rte_tailq.h> #include "ixgbe_logs.h" #include "base/ixgbe_api.h" @@ -3339,6 +3340,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev, struct ixgbe_hw_fdir_info *fdir_info = IXGBE_DEV_PRIVATE_TO_FDIR_INFO(dev->data->dev_private); struct ixgbe_rss_conf_ele *rss_filter_ptr; + void *tmp; switch (filter_type) { case RTE_ETH_FILTER_NTUPLE: @@ -3432,7 +3434,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev, return ret; } - TAILQ_FOREACH(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries) { + TAILQ_FOREACH_SAFE(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries, tmp) { if (ixgbe_flow_mem_ptr->flow == pmd_flow) { TAILQ_REMOVE(&ixgbe_flow_list, ixgbe_flow_mem_ptr, entries); -- 2.27.0
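Review bot: The "void *tmp;" added at @@ -3339 in ixgbe_flow_destroy() is an untyped cursor for TAILQ_FOREACH_SAFE. Declare it with the same element pointer type as ixgbe_flow_mem_ptr so the compiler checks the assignment the macro performs, and give it a name that says it holds the next list entry.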
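Review bot: In the list walk at @@ -3432, TAILQ_FOREACH_SAFE keeps scanning ixgbe_flow_list after the matching element has been removed. If pmd_flow can appear only once in the list, a "break;" after the removal ends the walk at the match and needs neither the new rte_tailq.h include nor tmp. If duplicates are possible, keep the safe iterator and say so in the commit message, which currently does not name the loop or the pointer that is used after free.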
> -----Original Message----- > From: Yu, DapengX <dapengx.yu@intel.com> > Sent: Friday, July 9, 2021 10:30 > To: Wang, Haiyue <haiyue.wang@intel.com> > Cc: dev@dpdk.org; Yu, DapengX <dapengx.yu@intel.com>; stable@dpdk.org > Subject: [PATCH] net/ixgbe: fix using heap pointer after free > > From: Dapeng Yu <dapengx.yu@intel.com> > > The original code use a heap pointer after it is freed. > This patch fix it. > > Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter") > Cc: stable@dpdk.org > > Signed-off-by: Dapeng Yu <dapengx.yu@intel.com> > --- > drivers/net/ixgbe/ixgbe_flow.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ixgbe/ixgbe_flow.c b/drivers/net/ixgbe/ixgbe_flow.c > index 0b10e91a9b..4db5ef4b2b 100644 > --- a/drivers/net/ixgbe/ixgbe_flow.c > +++ b/drivers/net/ixgbe/ixgbe_flow.c > @@ -32,6 +32,7 @@ > #include <rte_hash_crc.h> > #include <rte_flow.h> > #include <rte_flow_driver.h> > +#include <rte_tailq.h> > > #include "ixgbe_logs.h" > #include "base/ixgbe_api.h" > @@ -3339,6 +3340,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev, > struct ixgbe_hw_fdir_info *fdir_info = > IXGBE_DEV_PRIVATE_TO_FDIR_INFO(dev->data->dev_private); > struct ixgbe_rss_conf_ele *rss_filter_ptr; > + void *tmp; > > switch (filter_type) { > case RTE_ETH_FILTER_NTUPLE: > @@ -3432,7 +3434,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev, > return ret; > } > > - TAILQ_FOREACH(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries) { > + TAILQ_FOREACH_SAFE(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries, tmp) { > if (ixgbe_flow_mem_ptr->flow == pmd_flow) { > TAILQ_REMOVE(&ixgbe_flow_list, > ixgbe_flow_mem_ptr, entries); This is "find - free" process, and only one 'pmd_flow' in the list, so just "break;" is fine. TAILQ_FOREACH(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries) { if (ixgbe_flow_mem_ptr->flow == pmd_flow) { TAILQ_REMOVE(&ixgbe_flow_list, ixgbe_flow_mem_ptr, entries); rte_free(ixgbe_flow_mem_ptr); break; <------ } } > -- > 2.27.0
From: Dapeng Yu <dapengx.yu@intel.com> The original code use a heap pointer after it is freed. This patch fix it. Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter") Cc: stable@dpdk.org Signed-off-by: Dapeng Yu <dapengx.yu@intel.com> --- V2: * Simplify the patch according to maintainer's comment: only one "pmd_flow" in the list, so just "break;" is fine. --- drivers/net/ixgbe/ixgbe_flow.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ixgbe/ixgbe_flow.c b/drivers/net/ixgbe/ixgbe_flow.c index 0b10e91a9b..511b612f7f 100644 --- a/drivers/net/ixgbe/ixgbe_flow.c +++ b/drivers/net/ixgbe/ixgbe_flow.c @@ -3437,6 +3437,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev, TAILQ_REMOVE(&ixgbe_flow_list, ixgbe_flow_mem_ptr, entries); rte_free(ixgbe_flow_mem_ptr); + break; } } rte_free(flow); -- 2.27.0
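Review bot: The "break;" added after rte_free(ixgbe_flow_mem_ptr) at @@ -3437 is correct only while pmd_flow appears at most once in ixgbe_flow_list. A one-line comment at the break stating that invariant would stop a later change that allows duplicate entries from silently leaving stale list elements behind once rte_free(flow) has run.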

> -----Original Message-----
> From: Yu, DapengX <dapengx.yu@intel.com>
> Sent: Friday, July 9, 2021 11:15
> To: Wang, Haiyue <haiyue.wang@intel.com>
> Cc: dev@dpdk.org; Yu, DapengX <dapengx.yu@intel.com>; stable@dpdk.org
> Subject: [PATCH v2] net/ixgbe: fix using heap pointer after free
>
> From: Dapeng Yu <dapengx.yu@intel.com>
>
> The original code use a heap pointer after it is freed.
> This patch fix it.
>
> Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter")
> Cc: stable@dpdk.org
>
> Signed-off-by: Dapeng Yu <dapengx.yu@intel.com>
> ---
> V2:
> * Simplify the patch according to maintainer's comment:
> only one "pmd_flow" in the list, so just "break;" is fine.
> ---
> drivers/net/ixgbe/ixgbe_flow.c | 1 +
> 1 file changed, 1 insertion(+)
>

Good catch, thanks!

Reviewed-by: Haiyue Wang <haiyue.wang@intel.com>

> --
> 2.27.0

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Wang, Haiyue
> Sent: Friday, July 9, 2021 12:35 PM
> To: Yu, DapengX <dapengx.yu@intel.com>
> Cc: dev@dpdk.org; stable@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v2] net/ixgbe: fix using heap pointer after free
>
> > -----Original Message-----
> > From: Yu, DapengX <dapengx.yu@intel.com>
> > Sent: Friday, July 9, 2021 11:15
> > To: Wang, Haiyue <haiyue.wang@intel.com>
> > Cc: dev@dpdk.org; Yu, DapengX <dapengx.yu@intel.com>; stable@dpdk.org
> > Subject: [PATCH v2] net/ixgbe: fix using heap pointer after free
> >
> > From: Dapeng Yu <dapengx.yu@intel.com>
> >
> > The original code use a heap pointer after it is freed.
> > This patch fix it.
> >
> > Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Dapeng Yu <dapengx.yu@intel.com>
> > ---
> > V2:
> > * Simplify the patch according to maintainer's comment:
> > only one "pmd_flow" in the list, so just "break;" is fine.
> > ---
> > drivers/net/ixgbe/ixgbe_flow.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
>
> Good catch, thanks!
>
> Reviewed-by: Haiyue Wang <haiyue.wang@intel.com>

Applied to dpdk-next-net-intel.

Thanks
Qi

> >
> > --
> > 2.27.0
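
The two fixes discussed in this thread, side by side, as an added example that is not code from the patch or from DPDK: struct flow_mem, add_flow, destroy_first, destroy_all, remaining_after and the integer flow ids are hypothetical stand-ins, libc free() replaces rte_free(), and the safe loop is written out by hand because glibc's <sys/queue.h> has no TAILQ_FOREACH_SAFE. The constructed list contains a duplicate on purpose, to show that the "break;" form depends on the "only one pmd_flow in the list" assumption.

```c
#include <stdlib.h>
#include <sys/queue.h>

/* Hypothetical stand-ins for the driver's list element and list head. */
struct flow_mem { TAILQ_ENTRY(flow_mem) entries; int flow; };
TAILQ_HEAD(flow_list, flow_mem);
static void add_flow(struct flow_list *l, int flow)
{
    struct flow_mem *e = calloc(1, sizeof(*e));
    if (e == NULL) abort();
    e->flow = flow;
    TAILQ_INSERT_TAIL(l, e, entries);
}
/* v2 shape: break at the first match, before the iterator reads freed e->entries. */
static void destroy_first(struct flow_list *l, int flow)
{
    struct flow_mem *e;
    TAILQ_FOREACH(e, l, entries) {
        if (e->flow == flow) {
            TAILQ_REMOVE(l, e, entries);
            free(e);
            break;
        }
    }
}
/* v1 shape, written out: save the successor before the body can free e. */
static void destroy_all(struct flow_list *l, int flow)
{
    struct flow_mem *e, *nxt;
    for (e = TAILQ_FIRST(l); e != NULL; e = nxt) {
        nxt = TAILQ_NEXT(e, entries);
        if (e->flow == flow) {
            TAILQ_REMOVE(l, e, entries);
            free(e);
        }
    }
}
/* Constructed list {7, 9, 7}: destroy flow 7, then drain and count the rest. */
static int remaining_after(void (*destroy)(struct flow_list *, int))
{
    struct flow_list l = TAILQ_HEAD_INITIALIZER(l);
    struct flow_mem *e;
    int left = 0;
    add_flow(&l, 7); add_flow(&l, 9); add_flow(&l, 7);
    destroy(&l, 7);
    while ((e = TAILQ_FIRST(&l)) != NULL) { TAILQ_REMOVE(&l, e, entries); free(e); left++; }
    return left;
}
int main(void) { return !(remaining_after(destroy_first) == 2 && remaining_after(destroy_all) == 1); }
```

Building this with -fsanitize=address and removing the break from destroy_first makes the sanitizer report the read of the freed element when the loop advances.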