patch 'net/mlx5: fix use after free when releasing Tx queues' has been queued to stable release 21.11.7

[Kevin Traynor <ktraynor@redhat.com>]

Hi,

FYI, your patch has been queued to stable release 21.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/13/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/411422bb04e1bb1c9d718c51f95cb833864cb45e

Thanks.

Kevin

---
From 411422bb04e1bb1c9d718c51f95cb833864cb45e Mon Sep 17 00:00:00 2001
From: Pengfei Sun <sunpengfei16@huawei.com>
Date: Tue, 20 Feb 2024 17:31:39 +0800
Subject: [PATCH] net/mlx5: fix use after free when releasing Tx queues

[ upstream commit b805b7c451f1ee5bafa5628ee67f3a495f6a8682 ]

In function mlx5_dev_configure, dev->data->tx_queues is assigned
to priv->txqs. When a member is removed from a bond, the function
eth_dev_tx_queue_config is called to release dev->data->tx_queues.
However, function mlx5_dev_close will access priv->txqs again and
cause the use after free problem.

In function mlx5_dev_close, before free priv->txqs, we add a check
that dev->data->tx_queues is not NULL.

build/app/dpdk-testpmd -c7 -a 0000:08:00.2 --  -i --nb-cores=2
--total-num-mbufs=2048

testpmd> port stop 0
testpmd> create bonding device 4 0
testpmd> add bonding member 0 1
testpmd> remove bonding member 0 1
testpmd> quit

ASan reports:
==2571911==ERROR: AddressSanitizer: heap-use-after-free on address
0x000174529880 at pc 0x0000113c8440 bp 0xffffefae0ea0 sp 0xffffefae0eb0
READ of size 8 at 0x000174529880 thread T0
    #0 0x113c843c in mlx5_txq_release ../drivers/net/mlx5/mlx5_txq.c:
1203
    #1 0xffdb53c in mlx5_dev_close ../drivers/net/mlx5/mlx5.c:2286
    #2 0xe12dc0 in rte_eth_dev_close ../lib/ethdev/rte_ethdev.c:1877
    #3 0x6bac1c in close_port ../app/test-pmd/testpmd.c:3540
    #4 0x6bc320 in pmd_test_exit ../app/test-pmd/testpmd.c:3808
    #5 0x6c1a94 in main ../app/test-pmd/testpmd.c:4759
    #6 0xffff9328f038  (/usr/lib64/libc.so.6+0x2b038)
    #7 0xffff9328f110 in __libc_start_main (/usr/lib64/libc.so.6+
0x2b110)

Fixes: 6e78005a9b30 ("net/mlx5: add reference counter on DPDK Tx queues")

Reported-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Pengfei Sun <sunpengfei16@huawei.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
 drivers/net/mlx5/mlx5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5.c b/drivers/net/mlx5/mlx5.c
index 5645e8656c..9fc34f05e2 100644
--- a/drivers/net/mlx5/mlx5.c
+++ b/drivers/net/mlx5/mlx5.c
@@ -1597,5 +1597,5 @@ mlx5_dev_close(struct rte_eth_dev *dev)
 		priv->rxq_privs = NULL;
 	}
-	if (priv->txqs != NULL) {
+	if (priv->txqs != NULL && dev->data->tx_queues != NULL) {
 		/* XXX race condition if mlx5_tx_burst() is still running. */
 		rte_delay_us_sleep(1000);
-- 
2.43.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-03-08 13:47:49.739767597 +0000
+++ 0024-net-mlx5-fix-use-after-free-when-releasing-Tx-queues.patch	2024-03-08 13:47:49.023686678 +0000
@@ -1 +1 @@
-From b805b7c451f1ee5bafa5628ee67f3a495f6a8682 Mon Sep 17 00:00:00 2001
+From 411422bb04e1bb1c9d718c51f95cb833864cb45e Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit b805b7c451f1ee5bafa5628ee67f3a495f6a8682 ]
+
@@ -40 +41,0 @@
-Cc: stable@dpdk.org
@@ -50 +51 @@
-index 881c42a97a..f2ca0ae4c2 100644
+index 5645e8656c..9fc34f05e2 100644
@@ -53 +54 @@
-@@ -2363,5 +2363,5 @@ mlx5_dev_close(struct rte_eth_dev *dev)
+@@ -1597,5 +1597,5 @@ mlx5_dev_close(struct rte_eth_dev *dev)