> -----Original Message-----
> From: Yu, DapengX <dapengx...@intel.com>
> Sent: Friday, July 9, 2021 10:30
> To: Wang, Haiyue <haiyue.w...@intel.com>
> Cc: dev@dpdk.org; Yu, DapengX <dapengx...@intel.com>; sta...@dpdk.org
> Subject: [PATCH] net/ixgbe: fix using heap pointer after free
>
> From: Dapeng Yu <dapengx...@intel.com>
>
> The original code use a heap pointer after it is freed.
> This patch fix it.
>
> Fixes: a14de8b498d1 ("net/ixgbe: destroy consistent filter")
> Cc: sta...@dpdk.org
>
> Signed-off-by: Dapeng Yu <dapengx...@intel.com>
> ---
> drivers/net/ixgbe/ixgbe_flow.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ixgbe/ixgbe_flow.c b/drivers/net/ixgbe/ixgbe_flow.c
> index 0b10e91a9b..4db5ef4b2b 100644
> --- a/drivers/net/ixgbe/ixgbe_flow.c
> +++ b/drivers/net/ixgbe/ixgbe_flow.c
> @@ -32,6 +32,7 @@
> #include <rte_hash_crc.h>
> #include <rte_flow.h>
> #include <rte_flow_driver.h>
> +#include <rte_tailq.h>
>
> #include "ixgbe_logs.h"
> #include "base/ixgbe_api.h"
> @@ -3339,6 +3340,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev,
> struct ixgbe_hw_fdir_info *fdir_info =
> IXGBE_DEV_PRIVATE_TO_FDIR_INFO(dev->data->dev_private);
> struct ixgbe_rss_conf_ele *rss_filter_ptr;
> + void *tmp;
>
> switch (filter_type) {
> case RTE_ETH_FILTER_NTUPLE:
> @@ -3432,7 +3434,7 @@ ixgbe_flow_destroy(struct rte_eth_dev *dev,
> return ret;
> }
>
> - TAILQ_FOREACH(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries) {
> + TAILQ_FOREACH_SAFE(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries, tmp) {
> if (ixgbe_flow_mem_ptr->flow == pmd_flow) {
> TAILQ_REMOVE(&ixgbe_flow_list,
> ixgbe_flow_mem_ptr, entries);
This is "find - free" process, and only one 'pmd_flow' in the list,
so just "break;" is fine.
TAILQ_FOREACH(ixgbe_flow_mem_ptr, &ixgbe_flow_list, entries) {
if (ixgbe_flow_mem_ptr->flow == pmd_flow) {
TAILQ_REMOVE(&ixgbe_flow_list,
ixgbe_flow_mem_ptr, entries);
rte_free(ixgbe_flow_mem_ptr);
break; <------
}
}
> --
> 2.27.0
