From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id E2FC6A04FD for ; Tue, 23 Aug 2022 08:45:56 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DCAAD4114B; Tue, 23 Aug 2022 08:45:56 +0200 (CEST) Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by mails.dpdk.org (Postfix) with ESMTP id 24066400D6; Tue, 23 Aug 2022 08:45:55 +0200 (CEST) Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.56]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4MBfpQ3h2NzGpnl; Tue, 23 Aug 2022 14:44:14 +0800 (CST) Received: from dggpemm500008.china.huawei.com (7.185.36.136) by dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 14:45:53 +0800 Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 14:45:52 +0800 From: Yunjian Wang To: CC: , , , , , Yunjian Wang , Subject: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues Date: Tue, 23 Aug 2022 14:45:51 +0800 Message-ID: <952a177cf4cc074101bb13773326b7107f496290.1661223500.git.wangyunjian@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.174.242.157] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To dggpemm500008.china.huawei.com (7.185.36.136) X-CFilter-Loop: Reflected X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org The bonding slave remove function was calling the eth_dev_tx_queue_config function, which frees dev->data->tx_queues, and then tries to free priv->txqs[idx] in mlx5_txq_release function, which causes the heap use after free issue. Add checks whether dev->data->tx_queues is not NULL. Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang --- drivers/net/mlx5/mlx5_txq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c index 0140f8b3b2..cb2c33a060 100644 --- a/drivers/net/mlx5/mlx5_txq.c +++ b/drivers/net/mlx5/mlx5_txq.c @@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev, uint16_t idx) struct mlx5_priv *priv = dev->data->dev_private; struct mlx5_txq_ctrl *txq_ctrl; - if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL) + if (dev->data->tx_queues == NULL || priv->txqs == NULL || + (*priv->txqs)[idx] == NULL) return 0; txq_ctrl = container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl, txq); if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1) -- 2.27.0