From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id EB5F84638F
	for <public@inbox.dpdk.org>; Thu, 13 Mar 2025 00:17:31 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 2BA8A40E1D;
	Thu, 13 Mar 2025 00:17:31 +0100 (CET)
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com
 [209.85.214.171])
 by mails.dpdk.org (Postfix) with ESMTP id 4AD1940E15
 for <stable@dpdk.org>; Thu, 13 Mar 2025 00:17:29 +0100 (CET)
Received: by mail-pl1-f171.google.com with SMTP id
 d9443c01a7336-225477548e1so7347325ad.0
 for <stable@dpdk.org>; Wed, 12 Mar 2025 16:17:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20230601.gappssmtp.com; s=20230601; t=1741821448;
 x=1742426248; darn=dpdk.org; 
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=SIymjlf9IFwgNDgb7kCJ/Em22h1cXz+zQcmRaHaRicg=;
 b=ObHa480YgqaG1MOkbiUbPvcQMxylFE3ssTrfKKKc5ICKPrYBYGcyJVn5u2oSO6q4fe
 y5/j1Q6G7vEmtfoZujIVyLMumhO9b2Qofqag0xTX4wEpIf9wQA75AJSCYYdb96kmGjJt
 rXkycSaFDsKWom+Ju08aC70rPEOF/pf2BefsABaT2MWauRz94QQQ9LvSEdJ7/Af7pQ21
 8WJv4BaI01/bKdvieINmQVJs9HIK8xeNic7rRSW45hGI3cwNnVxPT2cP9J5M7/zjwbyK
 ShhYgBtW9kPw/LEjxNHDlC8/JjLmHVo4+Rifo6BE9loYIHVct0BU/xVj1o3hfOUU0zya
 8Mbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1741821448; x=1742426248;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=SIymjlf9IFwgNDgb7kCJ/Em22h1cXz+zQcmRaHaRicg=;
 b=jXCmJubrRVu4SagpLbaU+ESxwl0RXy51Q0TEGPULIGsW+9KSVx/jS3UJlef3lnLoNq
 w45KOGS0Qhgpjkb7cWsS9Dv7vbR4hDlxilOGDwba8Crg1Cj/ITO7PpOgLdJJYFX4mrWP
 vF1eRVTx0An2xEy0Q3O/emOdIjYNEKcWBM3Dn1XktEGJYjAfqZGIxk1osekCdJNcWuwt
 fnSLEff64/a8zmPKAPvLCIcBt7QVq7Ahv9YFxfCAZEVgSIHkT8RZpqWDOAxwx3ahlUOB
 YgGuJ9KbnX62+xWjIB5QJcLcOWrEUU2gQMkUUvDkhtjehWBOYuylgiHO4oSShf45/qvV
 0RIQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCWr1n/rZLKD0K5HMmlFNBCO/fC/5MCFvPvPkB3uCDvCiezV3h/MeLESu1ZnT1xpnaSlJm2tl9o=@dpdk.org
X-Gm-Message-State: AOJu0Yw3wa3cSWbrwdLVGSMAxT8aRZHVeLoewRmstg9x34/PvmFQvUx1
 YbEVdwNaJgHcT8Ha8KNHxB8wHBV7CghdvnBLivlnruyvzEykBKwOgDaC1jB1cF8=
X-Gm-Gg: ASbGnctz8Ij94aDwGNyCI/zFszCYgg9dY+/aKsVIyXT3kGpc6BytTKdUOEdSRJNVcut
 GcooEHnjJ1SaWMb6u7LdNsa6yw6ypVma1eDNp2ymPD6BH0yDTAE8g+7HuV0+dT48QF9hpiOt/WI
 90rq5B9WDJksFDTA8C88GBSIkdnNQbztS16PfuF3sQ/gggbAilLHI4waiYRkZxCdzmf9gOTENUU
 9v41d9w5HitE1nfxHpCtFdXLs1PHPXdE12CxvX1m5QJfBWePNn4ZQnNqRlpMwHUzStV8mPXl6Ib
 aLKXElSpND23FhQp9ZeiybnnJoPpZLu2oK9dQXm7vmZL/dHglan4BmQ9lZKlmMUNlzKhMfg9MEq
 k8pFTloWATxUDPMZgB9B5RQ==
X-Google-Smtp-Source: AGHT+IE4xRMBm3h1ps/otqGhpUmIOt33XWhMyFWHytZB6pBJGOSOKv1by2rhvSVMwp1bWlQlI2NN9w==
X-Received: by 2002:a17:902:ce0a:b0:220:cb1a:da5 with SMTP id
 d9443c01a7336-22428c075e3mr404038405ad.40.1741821448441; 
 Wed, 12 Mar 2025 16:17:28 -0700 (PDT)
Received: from hermes.local (204-195-96-226.wavecable.com. [204.195.96.226])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-225c6ba6f38sm1028305ad.129.2025.03.12.16.17.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 12 Mar 2025 16:17:28 -0700 (PDT)
From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>, shreyansh.jain@nxp.com,
 stable@dpdk.org, Hemant Agrawal <hemant.agrawal@nxp.com>,
 Sachin Saxena <sachin.saxena@nxp.com>
Subject: [PATCH v3 3/9] bus/fslmc: fix use after free
Date: Wed, 12 Mar 2025 16:15:32 -0700
Message-ID: <20250312231715.222149-4-stephen@networkplumber.org>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250312231715.222149-1-stephen@networkplumber.org>
References: <20250127180842.97907-1-stephen@networkplumber.org>
 <20250312231715.222149-1-stephen@networkplumber.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org

The cleanup loop would deference the dpio_dev after freeing.
Use TAILQ_FOREACH_SAFE to fix that.
Found by building with sanitizer undefined flag.

Fixes: e55d0494ab98 ("bus/fslmc: support secondary process")
Cc: shreyansh.jain@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/bus/fslmc/portal/dpaa2_hw_dpio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
index 2dfcf7a498..6ae15c2054 100644
--- a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
+++ b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
@@ -15,7 +15,6 @@
 #include <signal.h>
 #include <pthread.h>
 #include <sys/types.h>
-#include <sys/queue.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
@@ -27,6 +26,7 @@
 #include <ethdev_driver.h>
 #include <rte_malloc.h>
 #include <rte_memcpy.h>
+#include <rte_queue.h>
 #include <rte_string_fns.h>
 #include <rte_cycles.h>
 #include <rte_kvargs.h>
@@ -403,6 +403,7 @@ dpaa2_create_dpio_device(int vdev_fd,
 	struct rte_dpaa2_device *obj)
 {
 	struct dpaa2_dpio_dev *dpio_dev = NULL;
+	struct dpaa2_dpio_dev *dpio_tmp;
 	struct vfio_region_info reg_info = { .argsz = sizeof(reg_info)};
 	struct qbman_swp_desc p_des;
 	struct dpio_attr attr;
@@ -588,7 +589,7 @@ dpaa2_create_dpio_device(int vdev_fd,
 	rte_free(dpio_dev);
 
 	/* For each element in the list, cleanup */
-	TAILQ_FOREACH(dpio_dev, &dpio_dev_list, next) {
+	TAILQ_FOREACH_SAFE(dpio_dev, &dpio_dev_list, next, dpio_tmp) {
 		if (dpio_dev->dpio) {
 			dpio_disable(dpio_dev->dpio, CMD_PRI_LOW,
 				dpio_dev->token);
-- 
2.47.2