[dpdk-dev] [PATCH] net/softnic: fix memory illegal access

[Bruce Richardson]

On Fri, Jul 20, 2018 at 10:44:39AM +0100, Jasvinder Singh wrote:
> While deleting the elements from the linked list, TAILQ_FOREACH causes
> read from the freed pointer. Fixes the issue by using for loop instead
> of TAILQ_FOREACH.
> 
> Coverity issue: 302867
> Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> 
> Signed-off-by: Jasvinder Singh <jasvinder.singh at intel.com>
> Acked-by: Cristian Dumitrescu <cristian.dumitrescu at intel.com>
> ---
>  drivers/net/softnic/rte_eth_softnic_swq.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c b/drivers/net/softnic/rte_eth_softnic_swq.c
> index 1944fbb..a1f1899 100644
> --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> @@ -36,9 +36,11 @@ softnic_swq_free(struct pmd_internals *p)
>  void
>  softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
>  {
> -	struct softnic_swq *swq;
> +	struct softnic_swq *swq, *swq_next;
> +
> +	for (swq = TAILQ_FIRST(&p->swq_list); swq != NULL; swq = swq_next) {
> +		swq_next = TAILQ_NEXT(swq, node);
>  
> -	TAILQ_FOREACH(swq, &p->swq_list, node) {
>  		if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
>  			(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))

TAILQ_FOREACH_SAFE is probably what you want to use here.

>From man page:

     The macros TAILQ_FOREACH, TAILQ_FOREACH_REVERSE, TAILQ_FOREACH_SAFE, and
     TAILQ_FOREACH_REVERSE_SAFE traverse the tail queue referenced by head in
     the forward or reverse direction direction, assigning each element in
     turn to var.

     The SAFE versions use tmp to hold the next element, so var may be freed
     or removed from the list.