* [dpdk-dev] [PATCH] net/bnxt: fix double free in port start failure
@ 2021-04-01  2:53 Kalesh A P
  2021-04-07  3:03 ` Ajit Khaparde
  0 siblings, 1 reply; 2+ messages in thread
From: Kalesh A P @ 2021-04-01  2:53 UTC (permalink / raw)
  To: dev; +Cc: ferruh.yigit, ajit.khaparde
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
During port start when bnxt_start_nic() fails, it tries to free
"intr_handle->intr_vec" but the variable is not set to NULL after that.
If port start fails, driver invokes bnxt_dev_stop() which will lead
to a double free of "intr_handle->intr_vec".
Fix it by removing the call to free "intr_handle->intr_vec" in the
bnxt_start_nic() failure path as it is anyway doing in bnxt_dev_stop().
Fixes: 9d276b439aaf ("net/bnxt: fix error handling in device start")
Cc: stable@dpdk.org
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
Reviewed-by: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>
---
 drivers/net/bnxt/bnxt_ethdev.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/drivers/net/bnxt/bnxt_ethdev.c b/drivers/net/bnxt/bnxt_ethdev.c
index ed2ae45..0042d8a 100644
--- a/drivers/net/bnxt/bnxt_ethdev.c
+++ b/drivers/net/bnxt/bnxt_ethdev.c
@@ -793,7 +793,7 @@ static int bnxt_start_nic(struct bnxt *bp)
 			PMD_DRV_LOG(ERR, "Failed to allocate %d rx_queues"
 				" intr_vec", bp->eth_dev->data->nb_rx_queues);
 			rc = -ENOMEM;
-			goto err_disable;
+			goto err_out;
 		}
 		PMD_DRV_LOG(DEBUG, "intr_handle->intr_vec = %p "
 			"intr_handle->nb_efd = %d intr_handle->max_intr = %d\n",
@@ -813,12 +813,12 @@ static int bnxt_start_nic(struct bnxt *bp)
 #ifndef RTE_EXEC_ENV_FREEBSD
 	/* In FreeBSD OS, nic_uio driver does not support interrupts */
 	if (rc)
-		goto err_free;
+		goto err_out;
 #endif
 
 	rc = bnxt_update_phy_setting(bp);
 	if (rc)
-		goto err_free;
+		goto err_out;
 
 	bp->mark_table = rte_zmalloc("bnxt_mark_table", BNXT_MARK_TABLE_SZ, 0);
 	if (!bp->mark_table)
@@ -826,10 +826,6 @@ static int bnxt_start_nic(struct bnxt *bp)
 
 	return 0;
 
-err_free:
-	rte_free(intr_handle->intr_vec);
-err_disable:
-	rte_intr_efd_disable(intr_handle);
 err_out:
 	/* Some of the error status returned by FW may not be from errno.h */
 	if (rc > 0)
-- 
2.10.1
^ permalink raw reply	[flat|nested] 2+ messages in thread- * Re: [dpdk-dev] [PATCH] net/bnxt: fix double free in port start failure
  2021-04-01  2:53 [dpdk-dev] [PATCH] net/bnxt: fix double free in port start failure Kalesh A P
@ 2021-04-07  3:03 ` Ajit Khaparde
  0 siblings, 0 replies; 2+ messages in thread
From: Ajit Khaparde @ 2021-04-07  3:03 UTC (permalink / raw)
  To: Kalesh A P; +Cc: dpdk-dev, Ferruh Yigit
[-- Attachment #1: Type: text/plain, Size: 2549 bytes --]
On Wed, Mar 31, 2021 at 7:31 PM Kalesh A P <
kalesh-anakkur.purayil@broadcom.com> wrote:
> From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
>
> During port start when bnxt_start_nic() fails, it tries to free
> "intr_handle->intr_vec" but the variable is not set to NULL after that.
> If port start fails, driver invokes bnxt_dev_stop() which will lead
> to a double free of "intr_handle->intr_vec".
>
> Fix it by removing the call to free "intr_handle->intr_vec" in the
> bnxt_start_nic() failure path as it is anyway doing in bnxt_dev_stop().
>
> Fixes: 9d276b439aaf ("net/bnxt: fix error handling in device start")
> Cc: stable@dpdk.org
>
> Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
> Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
> Reviewed-by: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>
>
Patch applied to dpdk-next-net-brcm.
> ---
>  drivers/net/bnxt/bnxt_ethdev.c | 10 +++-------
>  1 file changed, 3 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/bnxt/bnxt_ethdev.c
> b/drivers/net/bnxt/bnxt_ethdev.c
> index ed2ae45..0042d8a 100644
> --- a/drivers/net/bnxt/bnxt_ethdev.c
> +++ b/drivers/net/bnxt/bnxt_ethdev.c
> @@ -793,7 +793,7 @@ static int bnxt_start_nic(struct bnxt *bp)
>                         PMD_DRV_LOG(ERR, "Failed to allocate %d rx_queues"
>                                 " intr_vec",
> bp->eth_dev->data->nb_rx_queues);
>                         rc = -ENOMEM;
> -                       goto err_disable;
> +                       goto err_out;
>                 }
>                 PMD_DRV_LOG(DEBUG, "intr_handle->intr_vec = %p "
>                         "intr_handle->nb_efd = %d intr_handle->max_intr =
> %d\n",
> @@ -813,12 +813,12 @@ static int bnxt_start_nic(struct bnxt *bp)
>  #ifndef RTE_EXEC_ENV_FREEBSD
>         /* In FreeBSD OS, nic_uio driver does not support interrupts */
>         if (rc)
> -               goto err_free;
> +               goto err_out;
>  #endif
>
>         rc = bnxt_update_phy_setting(bp);
>         if (rc)
> -               goto err_free;
> +               goto err_out;
>
>         bp->mark_table = rte_zmalloc("bnxt_mark_table",
> BNXT_MARK_TABLE_SZ, 0);
>         if (!bp->mark_table)
> @@ -826,10 +826,6 @@ static int bnxt_start_nic(struct bnxt *bp)
>
>         return 0;
>
> -err_free:
> -       rte_free(intr_handle->intr_vec);
> -err_disable:
> -       rte_intr_efd_disable(intr_handle);
>  err_out:
>         /* Some of the error status returned by FW may not be from errno.h
> */
>         if (rc > 0)
> --
> 2.10.1
>
>
^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-07  3:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-01  2:53 [dpdk-dev] [PATCH] net/bnxt: fix double free in port start failure Kalesh A P
2021-04-07  3:03 ` Ajit Khaparde
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).