From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6AF5043345 for ; Thu, 16 Nov 2023 14:25:22 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 646C940ED2; Thu, 16 Nov 2023 14:25:22 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mails.dpdk.org (Postfix) with ESMTP id 75F5A40DF5 for ; Thu, 16 Nov 2023 14:25:20 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1700141120; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sOs+LhT+fAI4V7ujUKI32CqoqgSvxxSWkjhaeZU23aw=; b=avCmbYgSoGjNq/WO6JwUtLeGSd0AmuiImRJcqAHmvsl+dSpl2FlQh/pxC7uYHEziuFVV0A W8oaVePOh9kMf9UrhLh+WUJSxOYl+56V1/I3nO/hW9d4sPkC8A9ki5ICtAimXpwql0xKAG 6R0RLPkRhvWWH8WcNPuw7Nyk/+kX520= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-354-yNhJkaNbPwKtyn-_aQvb1Q-1; Thu, 16 Nov 2023 08:25:17 -0500 X-MC-Unique: yNhJkaNbPwKtyn-_aQvb1Q-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4E65D1C03154; Thu, 16 Nov 2023 13:25:17 +0000 (UTC) Received: from rh.Home (unknown [10.39.194.169]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4BA5E2166B27; Thu, 16 Nov 2023 13:25:16 +0000 (UTC) From: Kevin Traynor To: Dariusz Sosnowski Cc: Viacheslav Ovsiienko , dpdk stable Subject: patch 'net/mlx5: fix use after free on Rx queue start' has been queued to stable release 21.11.6 Date: Thu, 16 Nov 2023 13:23:42 +0000 Message-ID: <20231116132348.557257-60-ktraynor@redhat.com> In-Reply-To: <20231116132348.557257-1-ktraynor@redhat.com> References: <20231116132348.557257-1-ktraynor@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 21.11.6 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 11/21/23. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/kevintraynor/dpdk-stable This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable/commit/8ccbb4b6727fb0862446f137b10ccdd97eb66464 Thanks. Kevin --- >From 8ccbb4b6727fb0862446f137b10ccdd97eb66464 Mon Sep 17 00:00:00 2001 From: Dariusz Sosnowski Date: Thu, 9 Nov 2023 19:58:19 +0200 Subject: [PATCH] net/mlx5: fix use after free on Rx queue start [ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ] If RX queue is not started yet, then a mlx5_rxq_obj struct used for storing HW queue objects will be allocated and added to the list held in port's private data structure. After that allocation, Rx queue HW object configuration is done. If that configuration failed, then mlx5_rxq_obj struct is freed, but not removed from the list. This causes an use after free bug, during error handling in mlx5_rxq_start(), where this deallocated struct was accessed during list cleanup. This patch fixes that by inserting mlx5_rxq_obj struct to the list only after HW queue object configuration succeeded. Fixes: 09c2555303be ("net/mlx5: support shared Rx queue") Signed-off-by: Dariusz Sosnowski Acked-by: Viacheslav Ovsiienko --- drivers/net/mlx5/mlx5_trigger.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c index feffcc4ce0..05143b8411 100644 --- a/drivers/net/mlx5/mlx5_trigger.c +++ b/drivers/net/mlx5/mlx5_trigger.c @@ -227,9 +227,7 @@ mlx5_rxq_start(struct rte_eth_dev *dev) continue; rxq_ctrl = rxq->ctrl; - if (!rxq_ctrl->started) { + if (!rxq_ctrl->started) if (mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0) goto error; - LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next); - } ret = priv->obj_ops.rxq_obj_new(rxq); if (ret) { @@ -238,4 +236,6 @@ mlx5_rxq_start(struct rte_eth_dev *dev) goto error; } + if (!rxq_ctrl->started) + LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next); rxq_ctrl->started = true; } -- 2.41.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2023-11-16 13:21:53.990826356 +0000 +++ 0060-net-mlx5-fix-use-after-free-on-Rx-queue-start.patch 2023-11-16 13:21:52.584946765 +0000 @@ -1 +1 @@ -From c93943c575b495132c4b7456caecde7d268334e3 Mon Sep 17 00:00:00 2001 +From 8ccbb4b6727fb0862446f137b10ccdd97eb66464 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ] + @@ -19 +20,0 @@ -Cc: stable@dpdk.org @@ -28 +29 @@ -index d7ecb149fa..7694140537 100644 +index feffcc4ce0..05143b8411 100644