From: Maayan Kashani <mkashani@nvidia.com>
To: <dev@dpdk.org>
Cc: <mkashani@nvidia.com>, <dsosnowski@nvidia.com>,
<rasland@nvidia.com>, <stable@dpdk.org>,
Viacheslav Ovsiienko <viacheslavo@nvidia.com>,
Ori Kam <orika@nvidia.com>, Suanming Mou <suanmingm@nvidia.com>,
Matan Azrad <matan@nvidia.com>
Subject: [PATCH v7 06/11] net/mlx5: fix segfault on counter pool destroy
Date: Sun, 9 Jun 2024 14:01:02 +0300 [thread overview]
Message-ID: <20240609110107.92009-6-mkashani@nvidia.com> (raw)
In-Reply-To: <20240609110107.92009-1-mkashani@nvidia.com>
If the counter pool was not added to list,
and an error state was reached,
on attempt to destroy the counter pool,
segmentation fault was received during list remove action.
Added a check to verify the list is not empty before trying to
remove the cpool from the list.
Invalid state, leading to segfault,
can also be reached in the following scenario:
1. mlx5_hws_cnt_pool_init() does a zmalloc and initializes most
of the fields of cpool, but does not initialize the next field.
2. mlx5_hws_cnt_pool_dcs_alloc() attempts to bulk allocate flow counters.
If this fails, we skip straight to 4.
In HW, this can fail simply if FW doesn't support bulk flow
counter allocation.
3. Right before the goto error, we insert the cpool to the hws_cpool_list.
This is where the next field is initialized.
4. mlx5_hws_cnt_pool_destroy() assumes the cpool's next field
is initialized and SEGVs if not.
So, added a guard against cases where the entry was uninitialized
(checking le_prev field is not NULL).
Fixes: 6ac2104ac125 ("net/mlx5: fix counter query during port close")
Cc: stable@dpdk.org
Signed-off-by: Maayan Kashani <mkashani@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
drivers/net/mlx5/mlx5_hws_cnt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/mlx5/mlx5_hws_cnt.c b/drivers/net/mlx5/mlx5_hws_cnt.c
index 36d422bdfa5..a46a4bd94e8 100644
--- a/drivers/net/mlx5/mlx5_hws_cnt.c
+++ b/drivers/net/mlx5/mlx5_hws_cnt.c
@@ -718,7 +718,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh,
* Maybe blocked for at most 200ms here.
*/
rte_spinlock_lock(&sh->cpool_lock);
- LIST_REMOVE(cpool, next);
+ /* Try to remove cpool before it was added to list caused segfault. */
+ if (!LIST_EMPTY(&sh->hws_cpool_list) && cpool->next.le_prev)
+ LIST_REMOVE(cpool, next);
rte_spinlock_unlock(&sh->cpool_lock);
if (cpool->cfg.host_cpool == NULL) {
if (--sh->cnt_svc->refcnt == 0)
--
2.21.0
prev parent reply other threads:[~2024-06-09 11:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-02 10:28 [PATCH 01/11] net/mlx5: initial design of non template to hws Maayan Kashani
[not found] ` <20240603080505.2641-1-mkashani@nvidia.com>
2024-06-03 8:04 ` [PATCH v2 10/34] net/mlx5: fix segfault on counter pool destroy Maayan Kashani
[not found] ` <20240603104850.9935-1-mkashani@nvidia.com>
2024-06-03 10:48 ` [PATCH v3 06/11] " Maayan Kashani
[not found] ` <20240606102317.172553-1-mkashani@nvidia.com>
2024-06-06 10:23 ` [PATCH v4 " Maayan Kashani
[not found] ` <20240606123256.177947-1-mkashani@nvidia.com>
2024-06-06 12:32 ` [PATCH v5 " Maayan Kashani
[not found] ` <20240609085600.87274-1-mkashani@nvidia.com>
2024-06-09 8:55 ` [PATCH v6 " Maayan Kashani
[not found] ` <20240609110107.92009-1-mkashani@nvidia.com>
2024-06-09 11:01 ` Maayan Kashani [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240609110107.92009-6-mkashani@nvidia.com \
--to=mkashani@nvidia.com \
--cc=dev@dpdk.org \
--cc=dsosnowski@nvidia.com \
--cc=matan@nvidia.com \
--cc=orika@nvidia.com \
--cc=rasland@nvidia.com \
--cc=stable@dpdk.org \
--cc=suanmingm@nvidia.com \
--cc=viacheslavo@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).