[PATCH 1/2] ip_frag: fix unsafe TAILQ usage

Konstantin Ananyev konstantin.ananyev at huawei.com
Mon Apr 13 14:24:00 CEST 2026

Previous message (by thread): [PATCH 1/2] ip_frag: fix unsafe TAILQ usage
Next message (by thread): [PATCH 2/2] ip_frag: randomize hash seed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


> 
> The frag table next pointer was being access after TAILQ_REMOVE().
> This is not safe since it depends on TAILQ_REMOVE() not changing
> next pointer. Fix by using RTE_TAILQ_FOREACH_SAFE().
> 
> Fixes: 95908f52393d ("ip_frag: free mbufs on reassembly table destroy")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
> ---
>  lib/ip_frag/ip_frag_common.h     |  1 +
>  lib/ip_frag/rte_ip_frag_common.c | 20 ++++++++++----------
>  2 files changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/lib/ip_frag/ip_frag_common.h b/lib/ip_frag/ip_frag_common.h
> index 51fc9d47fb..34be5bb6ab 100644
> --- a/lib/ip_frag/ip_frag_common.h
> +++ b/lib/ip_frag/ip_frag_common.h
> @@ -8,6 +8,7 @@
>  #include <sys/queue.h>
> 
>  #include <rte_common.h>
> +#include <rte_tailq.h>
> 
>  #if defined(RTE_ARCH_ARM64)
>  #include <rte_cmp_arm64.h>
> diff --git a/lib/ip_frag/rte_ip_frag_common.c
> b/lib/ip_frag/rte_ip_frag_common.c
> index ee9aa93027..79ac45289b 100644
> --- a/lib/ip_frag/rte_ip_frag_common.c
> +++ b/lib/ip_frag/rte_ip_frag_common.c
> @@ -135,18 +135,18 @@ rte_ip_frag_table_del_expired_entries(struct
> rte_ip_frag_tbl *tbl,
>  	struct rte_ip_frag_death_row *dr, uint64_t tms)
>  {
>  	uint64_t max_cycles;
> -	struct ip_frag_pkt *fp;
> +	struct ip_frag_pkt *fp, *tmp;
> 
>  	max_cycles = tbl->max_cycles;
> 
> -	TAILQ_FOREACH(fp, &tbl->lru, lru)
> -		if (max_cycles + fp->start < tms) {
> -			/* check that death row has enough space */
> -			if (RTE_IP_FRAG_DEATH_ROW_MBUF_LEN - dr->cnt >=
> -					fp->last_idx)
> -				ip_frag_tbl_del(tbl, dr, fp);
> -			else
> -				return;
> -		} else
> +	RTE_TAILQ_FOREACH_SAFE(fp, &tbl->lru, lru, tmp) {
> +		if (max_cycles + fp->start >= tms)
> +			return;
> +
> +		/* check that death row has enough space */
> +		if (RTE_IP_FRAG_DEATH_ROW_MBUF_LEN - dr->cnt < fp-
> >last_idx)
>  			return;
> +
> +		ip_frag_tbl_del(tbl, dr, fp);
> +	}
>  }
> --

Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>

> 2.53.0

Previous message (by thread): [PATCH 1/2] ip_frag: fix unsafe TAILQ usage
Next message (by thread): [PATCH 2/2] ip_frag: randomize hash seed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list