From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <nelio.laranjeiro@6wind.com>
Received: from mail-wm0-f50.google.com (mail-wm0-f50.google.com [74.125.82.50])
 by dpdk.org (Postfix) with ESMTP id 5BC5FFFA
 for <stable@dpdk.org>; Tue,  8 Nov 2016 11:37:42 +0100 (CET)
Received: by mail-wm0-f50.google.com with SMTP id f82so171760887wmf.1
 for <stable@dpdk.org>; Tue, 08 Nov 2016 02:37:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=6wind-com.20150623.gappssmtp.com; s=20150623;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :in-reply-to:references;
 bh=h/eOsxlCXbXFavfsgyexp6EP4SumO0kAEPHcQY7ZpLY=;
 b=dGivZKzOxZXaEopUkJMy7cF+V+la8ONW/AW0Oq0DC//5+4tsHhTVef6KNs20PcBCrb
 WiHdb4JcWkbp0rDMCPGq/XUBrt96aLckqucFDmfbUE1rlQqc5IDI6Df6xCLxUOx5Z2hf
 Lk2WqDs2cFGhDiEFAbZMfaYCdSHh4bCoKo+HEOimlte9xTgdxy0L5xyyPJLfyycZzGSN
 o/vwVt7EoUqbeDl2JVlEWlBh3fSi5I5OcmXL995YEk0Rydnfzxm6X1ujwPwamrKer8rL
 RV8n9FsY9vE9DlB7te18ev/812kTiZy6wOON04eva8khIBAx71Q9y1VlRabkPkC8pEdl
 wfPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:in-reply-to:references;
 bh=h/eOsxlCXbXFavfsgyexp6EP4SumO0kAEPHcQY7ZpLY=;
 b=PJB+NnbvExPtNAj+VsjLtu6fPdPBc0ckVVJGaXsG4oPxXau6QRkBgtDYzF+BoUWALW
 CVdgUpA8CBYt5dp0kvKI8KETB7OiAXxIVg/ObXiJXSGr/vVGpkypKgh9GbKDMM5Gdh93
 Y3QaBLbxG3YlKg9tKIQ3D+DHhfng/CuSU0Tpwuy0sG3eO9/eeEmsr4JKH7/JaeHIAJKn
 qyd5Wt+T3A4ZqCqk1IZaNjtvILiH8KRTpPpgjK1t4iOvCsCkYJVvsGQFjotQrjujMnXX
 Ff0F7LTWSLz4grnsaUEq5Balmt5Zo/9DGoWIIwf1caBFEQfnnF/KBOckPzKMvKmWfsE6
 lyXQ==
X-Gm-Message-State: ABUngvdcD3aL5bTHEIJF8djIpLDh2+9cTixTZ+XRaEB+PfOzrpfHzN/Osy1JVjjwT1WKnMUa
X-Received: by 10.28.11.208 with SMTP id 199mr11167317wml.97.1478601462114;
 Tue, 08 Nov 2016 02:37:42 -0800 (PST)
Received: from ping.vm.6wind.com (guy78-3-82-239-227-177.fbx.proxad.net.
 [82.239.227.177])
 by smtp.gmail.com with ESMTPSA id k74sm18837414wmd.18.2016.11.08.02.37.41
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Tue, 08 Nov 2016 02:37:41 -0800 (PST)
From: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
To: stable@dpdk.org,
	Yuanhan Liu <yuanhan.liu@linux.intel.com>
Cc: Sagi Grimberg <sagi@grimberg.me>,
 Adrien Mazarguil <adrien.mazarguil@6wind.com>
Date: Tue,  8 Nov 2016 11:36:43 +0100
Message-Id: <b82f32cd1c3902af1b05d1ab3b3bfcc8babdf84a.1478600855.git.nelio.laranjeiro@6wind.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <cover.1478600855.git.nelio.laranjeiro@6wind.com>
References: <cover.1478600855.git.nelio.laranjeiro@6wind.com>
In-Reply-To: <cover.1478600855.git.nelio.laranjeiro@6wind.com>
References: <cover.1478600855.git.nelio.laranjeiro@6wind.com>
Subject: [dpdk-stable] [PATCH 02/14] net/mlx5: fix possible NULL dereference
	in Rx path
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for stable branches <stable.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 10:37:42 -0000

From: Sagi Grimberg <sagi@grimberg.me>

The user is allowed to call ->rx_pkt_burst() even without free
mbufs in the pool. In this scenario we'll fail allocating a rep mbuf
on the first iteration (where pkt is still NULL). This would cause us
to deref a NULL pkt (reset refcount and free).

Fix this by checking the pkt before freeing it.

Fixes: a1bdb71a32da ("net/mlx5: fix crash in Rx")

Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
---
 drivers/net/mlx5/mlx5_rxtx.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_rxtx.c b/drivers/net/mlx5/mlx5_rxtx.c
index cc62e78..59e8183 100644
--- a/drivers/net/mlx5/mlx5_rxtx.c
+++ b/drivers/net/mlx5/mlx5_rxtx.c
@@ -1572,6 +1572,14 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
 		rte_prefetch0(wqe);
 		rep = rte_mbuf_raw_alloc(rxq->mp);
 		if (unlikely(rep == NULL)) {
+			++rxq->stats.rx_nombuf;
+			if (!pkt) {
+				/*
+				 * no buffers before we even started,
+				 * bail out silently.
+				 */
+				break;
+			}
 			while (pkt != seg) {
 				assert(pkt != (*rxq->elts)[idx]);
 				seg = NEXT(pkt);
@@ -1579,7 +1587,6 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n)
 				__rte_mbuf_raw_free(pkt);
 				pkt = seg;
 			}
-			++rxq->stats.rx_nombuf;
 			break;
 		}
 		if (!pkt) {
-- 
2.1.4