From: Dariusz Sosnowski
To: Matan Azrad, Viacheslav Ovsiienko, Ori Kam, Suanming Mou, Xueming Li
CC: Raslan Darawsheh
Subject: [PATCH] net/mlx5: fix use after free on Rx queue start
Date: Thu, 9 Nov 2023 19:58:19 +0200
Message-ID: <20231109175820.3182924-1-dsosnowski@nvidia.com>
List-Id: DPDK patches and discussions

If RX queue is not started yet, then a mlx5_rxq_obj struct used for
storing HW queue objects will be allocated and added to the list held in
port's private data structure. After that allocation, Rx queue HW object
configuration is done. If that configuration failed, then mlx5_rxq_obj
struct is freed, but not removed from the list. This causes a
use-after-free bug during error handling in mlx5_rxq_start(), where this
deallocated struct was accessed during list cleanup.

This patch fixes that by inserting mlx5_rxq_obj struct to the list only after HW queue object configuration succeeded. Fixes: 09c2555303be ("net/mlx5: support shared Rx queue") Cc: xuemingl@nvidia.com Cc: stable@dpdk.org Signed-off-by: Dariusz Sosnowski Acked-by: Viacheslav Ovsiienko --- drivers/net/mlx5/mlx5_trigger.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c index 7bdb897612..88dc271a21 100644 --- a/drivers/net/mlx5/mlx5_trigger.c +++ b/drivers/net/mlx5/mlx5_trigger.c @@ -226,17 +226,17 @@ mlx5_rxq_start(struct rte_eth_dev *dev) if (rxq == NULL) continue; rxq_ctrl = rxq->ctrl; - if (!rxq_ctrl->started) { + if (!rxq_ctrl->started) if (mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0) goto error; - LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next); - } ret = priv->obj_ops.rxq_obj_new(rxq); if (ret) { mlx5_free(rxq_ctrl->obj); rxq_ctrl->obj = NULL; goto error; } + if (!rxq_ctrl->started) + LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next); rxq_ctrl->started = true; } return 0; -- 2.25.1
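
Review bot: The error branch after priv->obj_ops.rxq_obj_new(rxq) still calls mlx5_free(rxq_ctrl->obj) unconditionally, while the new LIST_INSERT_HEAD() is guarded by !rxq_ctrl->started. If rxq_obj_new() can fail on a pass where rxq_ctrl->started is already true, the object being freed would be one that an earlier pass already put on priv->rxqsobj, and the list would again hold a freed entry. Please either confirm that this path cannot be reached with started == true, or unlink the object in the error branch before freeing it in that case. Two smaller points: the nested "if (!rxq_ctrl->started)" / "if (mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0)" without braces is easy to misread and could be a single condition joined with &&, and a short comment above the new LIST_INSERT_HEAD() saying that insertion is deliberately deferred until HW object creation has succeeded would keep a later cleanup from moving it back.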