On Fri, Jul 20, 2018 at 10:44:39AM +0100, Jasvinder Singh wrote:
> While deleting the elements from the linked list, TAILQ_FOREACH causes
> read from the freed pointer. Fixes the issue by using for loop instead
> of TAILQ_FOREACH.
>
> Coverity issue: 302867
> Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
>
> Signed-off-by: Jasvinder Singh <jasvinder.si...@intel.com>
> Acked-by: Cristian Dumitrescu <cristian.dumitre...@intel.com>
> ---
> drivers/net/softnic/rte_eth_softnic_swq.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> b/drivers/net/softnic/rte_eth_softnic_swq.c
> index 1944fbb..a1f1899 100644
> --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> @@ -36,9 +36,11 @@ softnic_swq_free(struct pmd_internals *p)
> void
> softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
> {
> - struct softnic_swq *swq;
> + struct softnic_swq *swq, *swq_next;
> +
> + for (swq = TAILQ_FIRST(&p->swq_list); swq != NULL; swq = swq_next) {
> + swq_next = TAILQ_NEXT(swq, node);
>
> - TAILQ_FOREACH(swq, &p->swq_list, node) {
> if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
TAILQ_FOREACH_SAFE is probably what you want to use here.
>From man page:
The macros TAILQ_FOREACH, TAILQ_FOREACH_REVERSE, TAILQ_FOREACH_SAFE, and
TAILQ_FOREACH_REVERSE_SAFE traverse the tail queue referenced by head in
the forward or reverse direction direction, assigning each element in
turn to var.
The SAFE versions use tmp to hold the next element, so var may be freed
or removed from the list.
