From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) by dpdk.org (Postfix) with ESMTP id 5EEF53005 for ; Wed, 9 Nov 2016 10:58:18 +0100 (CET) Received: by mail-wm0-f45.google.com with SMTP id p190so297307192wmp.1 for ; Wed, 09 Nov 2016 01:58:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :in-reply-to:references; bh=3Km89DAw2WmA+X1+f4wrGWjRPWQAxfPqBEKmb1tuJTI=; b=edaNbnu2/LwPnanzbVVxJEa9Lt6Z5DKLLbTD8s3aJfsp/6nwsEJC+5Yhbh96SCkma+ 2BYEr9m/UGQKdC3DoDHWM9AOeP/UoBLrfiGJar9GrEii8WJUaWRkpER15KGHtKdyRI8T B7plvPbupxHyo3FFEpsCCCq3q3jeiMVYRWA2fQkH2YenkPz4QKhfZmp4XDdndV93IZWu hSpoWPh+2NIXssms2uhDx7sE3H27cBy6HTEb/rOZto/h6eVlqymp7mIk0EG+ZZa5pCzf cFYcAEU5P/6DPDC8VLP7EUSzfdprPrY0wJSdRpnx1nyfvIypeJACD7cfDmBTthDia2PN Obdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:in-reply-to:references; bh=3Km89DAw2WmA+X1+f4wrGWjRPWQAxfPqBEKmb1tuJTI=; b=Su4ylZQYS+XpA7Ux+xw6jDbPtyBlTMnZBUeW2tKm/swYUhl7hFUCFin3fy2VNsYbSA wiHoNjrYhgoQWzBHkNaSXNQcR8t2qZs/vMMTnuGDeCOGH8ZP14rWOqBI8GA+zyUFuiX5 ybrxZuwUF/hW0l8ojnnZ4/sbecescoddrD1vSXzGbQdA/KXnEJxYyqtDzuNhkPAKFzxt eiWB5pXC+W3e6fO2QjsfsDsQltwPuAMiMFQ0yMEv28dR6NE3vWb6nKIbhxkKDP6IlF1T cQlEDWuOd4aUDwnDleK5nwPkSQTeaWbTD16UnsMq3nAQ9T6khBtmJM6V7PDosE90vaFv dWUg== X-Gm-Message-State: ABUngvcgor/3xhJIBMp/+TEhb3a1FIbVHVQ60HBMiXjIfsE2qMs/OWuzhuyfLVygA8C3Wgvt X-Received: by 10.194.157.41 with SMTP id wj9mr10787459wjb.160.1478685498145; Wed, 09 Nov 2016 01:58:18 -0800 (PST) Received: from ping.vm.6wind.com (guy78-3-82-239-227-177.fbx.proxad.net. [82.239.227.177]) by smtp.gmail.com with ESMTPSA id c133sm13926057wme.12.2016.11.09.01.58.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 09 Nov 2016 01:58:17 -0800 (PST) From: Nelio Laranjeiro To: stable@dpdk.org, Yuanhan Liu Cc: Sagi Grimberg , Adrien Mazarguil Date: Wed, 9 Nov 2016 10:57:41 +0100 Message-Id: X-Mailer: git-send-email 2.1.4 In-Reply-To: References: In-Reply-To: References: Subject: [dpdk-stable] [PATCH v2 02/12] net/mlx5: fix possible NULL dereference in Rx path X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Nov 2016 09:58:18 -0000 From: Sagi Grimberg [ upstream commit 15a756b63734c1d95e3f8d922e67d11fb32b025b ] The user is allowed to call ->rx_pkt_burst() even without free mbufs in the pool. In this scenario we'll fail allocating a rep mbuf on the first iteration (where pkt is still NULL). This would cause us to deref a NULL pkt (reset refcount and free). Fix this by checking the pkt before freeing it. Fixes: a1bdb71a32da ("net/mlx5: fix crash in Rx") Signed-off-by: Sagi Grimberg Acked-by: Adrien Mazarguil --- drivers/net/mlx5/mlx5_rxtx.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/mlx5/mlx5_rxtx.c b/drivers/net/mlx5/mlx5_rxtx.c index cc62e78..59e8183 100644 --- a/drivers/net/mlx5/mlx5_rxtx.c +++ b/drivers/net/mlx5/mlx5_rxtx.c @@ -1572,6 +1572,14 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n) rte_prefetch0(wqe); rep = rte_mbuf_raw_alloc(rxq->mp); if (unlikely(rep == NULL)) { + ++rxq->stats.rx_nombuf; + if (!pkt) { + /* + * no buffers before we even started, + * bail out silently. + */ + break; + } while (pkt != seg) { assert(pkt != (*rxq->elts)[idx]); seg = NEXT(pkt); @@ -1579,7 +1587,6 @@ mlx5_rx_burst(void *dpdk_rxq, struct rte_mbuf **pkts, uint16_t pkts_n) __rte_mbuf_raw_free(pkt); pkt = seg; } - ++rxq->stats.rx_nombuf; break; } if (!pkt) { -- 2.1.4