From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 1828B160 for ; Fri, 20 Jul 2018 12:31:57 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Jul 2018 03:31:57 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,378,1526367600"; d="scan'208";a="76392247" Received: from irsmsx108.ger.corp.intel.com ([163.33.3.3]) by orsmga002.jf.intel.com with ESMTP; 20 Jul 2018 03:31:46 -0700 Received: from irsmsx112.ger.corp.intel.com (10.108.20.5) by IRSMSX108.ger.corp.intel.com (163.33.3.3) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 20 Jul 2018 11:31:45 +0100 Received: from irsmsx102.ger.corp.intel.com ([169.254.2.110]) by irsmsx112.ger.corp.intel.com ([169.254.1.22]) with mapi id 14.03.0319.002; Fri, 20 Jul 2018 11:31:45 +0100 From: "Van Haaren, Harry" To: "Singh, Jasvinder" , "dev@dpdk.org" CC: "Dumitrescu, Cristian" Thread-Topic: [dpdk-dev] [PATCH] net/softnic: fix memory illegal access Thread-Index: AQHUIA5VUmwoZfej1U2tZ+QyvCyO8aSX6M1Q Date: Fri, 20 Jul 2018 10:31:44 +0000 Message-ID: References: <20180720094439.100562-1-jasvinder.singh@intel.com> In-Reply-To: <20180720094439.100562-1-jasvinder.singh@intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZDM2ODFlYzYtMGIyMi00YTI1LWJjY2QtOTFiM2Q5ZGQ5OTQ3IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiMmFEZjRGcW5ndzlTREJIUlJjZjVPOVpYTDhqMGhzTEJsTDJNb0RVZWdxakdqanVxeDU0ZTFcL2wzM0V1Mll6dnMifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.200.100 dlp-reaction: no-action x-originating-ip: [163.33.239.181] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH] net/softnic: fix memory illegal access X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jul 2018 10:31:58 -0000 > -----Original Message----- > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Jasvinder Singh > Sent: Friday, July 20, 2018 10:45 AM > To: dev@dpdk.org > Cc: Dumitrescu, Cristian > Subject: [dpdk-dev] [PATCH] net/softnic: fix memory illegal access >=20 > While deleting the elements from the linked list, TAILQ_FOREACH causes > read from the freed pointer. Fixes the issue by using for loop instead > of TAILQ_FOREACH. >=20 > Coverity issue: 302867 > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop") >=20 > Signed-off-by: Jasvinder Singh > Acked-by: Cristian Dumitrescu > --- > drivers/net/softnic/rte_eth_softnic_swq.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) >=20 > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c > b/drivers/net/softnic/rte_eth_softnic_swq.c > index 1944fbb..a1f1899 100644 > --- a/drivers/net/softnic/rte_eth_softnic_swq.c > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c > @@ -36,9 +36,11 @@ softnic_swq_free(struct pmd_internals *p) > void > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p) > { > - struct softnic_swq *swq; > + struct softnic_swq *swq, *swq_next; > + > + for (swq =3D TAILQ_FIRST(&p->swq_list); swq !=3D NULL; swq =3D swq_next= ) { > + swq_next =3D TAILQ_NEXT(swq, node); >=20 > - TAILQ_FOREACH(swq, &p->swq_list, node) { > if ((strncmp(swq->name, "RXQ", strlen("RXQ")) =3D=3D 0) || > (strncmp(swq->name, "TXQ", strlen("TXQ")) =3D=3D 0)) > continue; The TAILQ_FOREACH_SAFE() macro handles exactly this case. Although it is no= t in the linux TAILQ header, DPDK provides it in rte_tailq.h: http://git.dpdk.org/dpdk/tree/lib/librte_eal/common/include/rte_tailq.h#n13= 0 I think it is cleaner to use the MACRO instead of manually doing the loop, linked-list iter + delete is error prone enough already :)