[PATCH] net/netvsc: fix use after free in cache list cleanup
Stephen Hemminger
stephen at networkplumber.org
Mon Nov 3 17:37:03 CET 2025
The variable cache is referred to by the LIST_FOREACH macro
after it was freed. Replace it with the standard LIST_FOREACH_SAFE
from BSD (and other drivers).
Fixes: 9a9d038c782e ("net/netvsc: cache device parameters for hotplug events")
Cc: longli at microsoft.com
Cc: stable at dpdk.org
Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
drivers/net/netvsc/hn_ethdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/netvsc/hn_ethdev.c b/drivers/net/netvsc/hn_ethdev.c
index dc765e88f7..6584819f4f 100644
--- a/drivers/net/netvsc/hn_ethdev.c
+++ b/drivers/net/netvsc/hn_ethdev.c
@@ -41,6 +41,13 @@
#include "hn_nvs.h"
#include "ndis.h"
+#ifndef LIST_FOREACH_SAFE
+#define LIST_FOREACH_SAFE(var, head, field, tvar) \
+ for ((var) = LIST_FIRST((head)); \
+ (var) && ((tvar) = LIST_NEXT((var), field), 1); \
+ (var) = (tvar))
+#endif
+
#define HN_TX_OFFLOAD_CAPS (RTE_ETH_TX_OFFLOAD_IPV4_CKSUM | \
RTE_ETH_TX_OFFLOAD_TCP_CKSUM | \
RTE_ETH_TX_OFFLOAD_UDP_CKSUM | \
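Review bot: The fallback LIST_FOREACH_SAFE definition added above HN_TX_OFFLOAD_CAPS has no comment saying why this file needs its own copy, and the commit message notes that other drivers use the same macro. A one-line comment above the #ifndef would help, and a shared header would be preferable to per-driver copies so that a later fix to the macro does not have to be repeated. The macro body itself reads correctly: tvar is loaded with LIST_NEXT((var), field) before the loop body runs, so the body may free var.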
@@ -1479,14 +1486,14 @@ static int populate_cache_list(void)
static void remove_cache_list(void)
{
- struct da_cache *cache;
+ struct da_cache *cache, *tmp;
rte_spinlock_lock(&netvsc_lock);
da_cache_usage--;
if (da_cache_usage)
goto out;
- LIST_FOREACH(cache, &da_cache_list, list) {
+ LIST_FOREACH_SAFE(cache, &da_cache_list, list, tmp) {
LIST_REMOVE(cache, list);
free(cache);
}
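Review bot: In the loop in remove_cache_list(), every entry is removed and freed unconditionally, so the safe iterator is doing the work of a simple drain. Consider the drain idiom instead: loop while LIST_FIRST(&da_cache_list) is non-NULL, assign it to cache, then LIST_REMOVE(cache, list) and free(cache). That needs neither tmp nor the local LIST_FOREACH_SAFE fallback and makes it obvious the list is empty afterwards. If the macro form is kept, the change is correct as written, since cache is no longer dereferenced after free(cache) and the walk stays inside the netvsc_lock critical section.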
--
2.51.0