From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bruce Richardson <bruce.richardson@intel.com>
Subject: Re: [PATCH] net/softnic: fix memory illegal access
Date: Fri, 20 Jul 2018 11:29:35 +0100
Message-ID: <20180720102935.GA8660@bricha3-MOBL.ger.corp.intel.com>
References: <20180720094439.100562-1-jasvinder.singh@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: dev@dpdk.org, cristian.dumitrescu@intel.com
To: Jasvinder Singh <jasvinder.singh@intel.com>
Return-path: <dev-bounces@dpdk.org>
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20])
 by dpdk.org (Postfix) with ESMTP id 190A3160
 for <dev@dpdk.org>; Fri, 20 Jul 2018 12:29:39 +0200 (CEST)
Content-Disposition: inline
In-Reply-To: <20180720094439.100562-1-jasvinder.singh@intel.com>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

On Fri, Jul 20, 2018 at 10:44:39AM +0100, Jasvinder Singh wrote:
> While deleting the elements from the linked list, TAILQ_FOREACH causes
> read from the freed pointer. Fixes the issue by using for loop instead
> of TAILQ_FOREACH.
> 
> Coverity issue: 302867
> Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> 
> Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
> ---
>  drivers/net/softnic/rte_eth_softnic_swq.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c b/drivers/net/softnic/rte_eth_softnic_swq.c
> index 1944fbb..a1f1899 100644
> --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> @@ -36,9 +36,11 @@ softnic_swq_free(struct pmd_internals *p)
>  void
>  softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
>  {
> -	struct softnic_swq *swq;
> +	struct softnic_swq *swq, *swq_next;
> +
> +	for (swq = TAILQ_FIRST(&p->swq_list); swq != NULL; swq = swq_next) {
> +		swq_next = TAILQ_NEXT(swq, node);
>  
> -	TAILQ_FOREACH(swq, &p->swq_list, node) {
>  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
>  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))

TAILQ_FOREACH_SAFE is probably what you want to use here.

>>From man page:

     The macros TAILQ_FOREACH, TAILQ_FOREACH_REVERSE, TAILQ_FOREACH_SAFE, and
     TAILQ_FOREACH_REVERSE_SAFE traverse the tail queue referenced by head in
     the forward or reverse direction direction, assigning each element in
     turn to var.

     The SAFE versions use tmp to hold the next element, so var may be freed
     or removed from the list.