On Wed, Mar 31, 2021 at 7:31 PM Kalesh A P <
kalesh-anakkur.purayil@broadcom.com> wrote:

> From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
>
> During port start when bnxt_start_nic() fails, it tries to free
> "intr_handle->intr_vec" but the variable is not set to NULL after that.
> If port start fails, driver invokes bnxt_dev_stop() which will lead
> to a double free of "intr_handle->intr_vec".
>
> Fix it by removing the call to free "intr_handle->intr_vec" in the
> bnxt_start_nic() failure path as it is anyway doing in bnxt_dev_stop().
>
> Fixes: 9d276b439aaf ("net/bnxt: fix error handling in device start")
> Cc: stable@dpdk.org
>
> Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
> Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
> Reviewed-by: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>
>
Patch applied to dpdk-next-net-brcm.


> ---
>  drivers/net/bnxt/bnxt_ethdev.c | 10 +++-------
>  1 file changed, 3 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/bnxt/bnxt_ethdev.c
> b/drivers/net/bnxt/bnxt_ethdev.c
> index ed2ae45..0042d8a 100644
> --- a/drivers/net/bnxt/bnxt_ethdev.c
> +++ b/drivers/net/bnxt/bnxt_ethdev.c
> @@ -793,7 +793,7 @@ static int bnxt_start_nic(struct bnxt *bp)
>                         PMD_DRV_LOG(ERR, "Failed to allocate %d rx_queues"
>                                 " intr_vec",
> bp->eth_dev->data->nb_rx_queues);
>                         rc = -ENOMEM;
> -                       goto err_disable;
> +                       goto err_out;
>                 }
>                 PMD_DRV_LOG(DEBUG, "intr_handle->intr_vec = %p "
>                         "intr_handle->nb_efd = %d intr_handle->max_intr =
> %d\n",
> @@ -813,12 +813,12 @@ static int bnxt_start_nic(struct bnxt *bp)
>  #ifndef RTE_EXEC_ENV_FREEBSD
>         /* In FreeBSD OS, nic_uio driver does not support interrupts */
>         if (rc)
> -               goto err_free;
> +               goto err_out;
>  #endif
>
>         rc = bnxt_update_phy_setting(bp);
>         if (rc)
> -               goto err_free;
> +               goto err_out;
>
>         bp->mark_table = rte_zmalloc("bnxt_mark_table",
> BNXT_MARK_TABLE_SZ, 0);
>         if (!bp->mark_table)
> @@ -826,10 +826,6 @@ static int bnxt_start_nic(struct bnxt *bp)
>
>         return 0;
>
> -err_free:
> -       rte_free(intr_handle->intr_vec);
> -err_disable:
> -       rte_intr_efd_disable(intr_handle);
>  err_out:
>         /* Some of the error status returned by FW may not be from errno.h
> */
>         if (rc > 0)
> --
> 2.10.1
>
>