diff mbox series

[2/2] bus/fslmc: fix use after free

Message ID	20250313172307.274109-3-stephen@networkplumber.org (mailing list archive)
State	Awaiting Upstream
Delegated to:	Stephen Hemminger
Headers	From: Stephen Hemminger <stephen@networkplumber.org> To: dev@dpdk.org Cc: Stephen Hemminger <stephen@networkplumber.org>, shreyansh.jain@nxp.com, stable@dpdk.org, Hemant Agrawal <hemant.agrawal@nxp.com>, Sachin Saxena <sachin.saxena@nxp.com> Subject: [PATCH 2/2] bus/fslmc: fix use after free Date: Thu, 13 Mar 2025 10:22:04 -0700 Message-ID: <20250313172307.274109-3-stephen@networkplumber.org> In-Reply-To: <20250313172307.274109-1-stephen@networkplumber.org> References: <20250313172307.274109-1-stephen@networkplumber.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dev-bounces@dpdk.org
Series	fix use after free \| [0/2] fix use after free [1/2] net/qede: fix use after free [2/2] bus/fslmc: fix use after free

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/loongarch-compilation	success	Compilation OK
ci/loongarch-unit-testing	success	Unit Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/intel-Functional	success	Functional PASS
ci/github-robot: build	success	github build: passed
ci/iol-marvell-Functional	success	Functional Testing PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-sample-apps-testing	success	Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-unit-amd64-testing	success	Testing PASS
ci/iol-unit-arm64-testing	success	Testing PASS
ci/iol-abi-testing	success	Testing PASS
ci/iol-compile-amd64-testing	success	Testing PASS
ci/iol-compile-arm64-testing	success	Testing PASS

Commit Message

Stephen Hemminger March 13, 2025, 5:22 p.m. UTC

The cleanup loop would deference the dpio_dev after freeing.
Use TAILQ_FOREACH_SAFE to fix that.
Found by building with sanitizer undefined flag.

Fixes: e55d0494ab98 ("bus/fslmc: support secondary process")
Cc: shreyansh.jain@nxp.com
Cc: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/bus/fslmc/portal/dpaa2_hw_dpio.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Markus Elfring March 16, 2025, 3 p.m. UTC | #1

> The cleanup loop would deference the dpio_dev after freeing.
…
                         dereference?

Regards,
Markus

diff mbox series

Patch

diff --git a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
index 2dfcf7a498..bc03b4dd05 100644
--- a/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
+++ b/drivers/bus/fslmc/portal/dpaa2_hw_dpio.c
@@ -38,6 +38,13 @@ 
 #include "dpaa2_hw_dpio.h"
 #include <mc/fsl_dpmng.h>
 
+#ifndef TAILQ_FOREACH_SAFE
+#define	TAILQ_FOREACH_SAFE(var, head, field, tvar)			\
+	for ((var) = TAILQ_FIRST((head));				\
+	    (var) && ((tvar) = TAILQ_NEXT((var), field), 1);		\
+	    (var) = (tvar))
+#endif
+
 #define NUM_HOST_CPUS RTE_MAX_LCORE
 
 struct dpaa2_io_portal_t dpaa2_io_portal[RTE_MAX_LCORE];
@@ -403,6 +410,7 @@  dpaa2_create_dpio_device(int vdev_fd,
 	struct rte_dpaa2_device *obj)
 {
 	struct dpaa2_dpio_dev *dpio_dev = NULL;
+	struct dpaa2_dpio_dev *dpio_tmp;
 	struct vfio_region_info reg_info = { .argsz = sizeof(reg_info)};
 	struct qbman_swp_desc p_des;
 	struct dpio_attr attr;
@@ -588,7 +596,7 @@  dpaa2_create_dpio_device(int vdev_fd,
 	rte_free(dpio_dev);
 
 	/* For each element in the list, cleanup */
-	TAILQ_FOREACH(dpio_dev, &dpio_dev_list, next) {
+	TAILQ_FOREACH_SAFE(dpio_dev, &dpio_dev_list, next, dpio_tmp) {
 		if (dpio_dev->dpio) {
 			dpio_disable(dpio_dev->dpio, CMD_PRI_LOW,
 				dpio_dev->token);