From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 484D3454E9 for ; Tue, 25 Jun 2024 02:03:23 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3428842799; Tue, 25 Jun 2024 02:03:23 +0200 (CEST) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mails.dpdk.org (Postfix) with ESMTP id 6883F42799 for ; Tue, 25 Jun 2024 02:03:22 +0200 (CEST) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-366e70d0330so1702576f8f.1 for ; Mon, 24 Jun 2024 17:03:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719273802; x=1719878602; darn=dpdk.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=awhj3F8cdK6nRVUImgVVzp6EA59UgArsZIaR7VRPssk=; b=ZCPImJMqjagnp5gSR7qRlwZ3CEroMoKHW2B1cZgBtu6kIxjG/3/aDDC3gD9MVdkf3k 8srPwEUVTZ9qlnvfiYv9DOBki8jECeANP9qAFSZjRBaMTLmQxPp49BQ6A0MYdL1Ls1J8 5+UdS3RAg6RZWjLklYiP+kQBWVE596Vy3u43iwXaMzAfEA5gzeGwZ8t5rwiAMZzQ/Fd1 GAYrjWYebd3UUWOpjfIYC1lqepC/yKwBaO8KLnP9kwYm0alOy9cIYEChKW+8gLqn1hwZ 0iQWUxIdKZdaTOpGQ07uekPUsYWbI6lgnbLkNaZWZnj/hsn5UvXmwvrF1LK5zOiMJ5l9 1ehw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719273802; x=1719878602; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=awhj3F8cdK6nRVUImgVVzp6EA59UgArsZIaR7VRPssk=; b=kD6xcRE4A1n9g0Ypjh+WKD3QXUqbm8LQZ13LZyjSs7D+Ljf4X346YwRrqfG8+YF340 Z0mBePpc+h+PedmA6gmrq7PtVbNk3X13CnqwYVds1gru2S6jFlRt5tn7ZEBfDI0UbcZC Zmgue9WvCUEKVmUtJ/gh7IVB24QH2iGCJhmrQkdKIbP+kRtwE8+XcelnuaNwIYJUu/rC NW4j4k3r7Tgem6ZrnErnd6GWQQyQN1viGmQFVBnz3l5ZA+mzFmCZEk2Qi753CQj/2UTG G2xzkZU3sJU61u8gtnT+vf1ULGFbO4loSv7+RLc4iF3F84Clw7rbHsxQUKlrXcaWxuzy vhXw== X-Forwarded-Encrypted: i=1; AJvYcCXZ9jdMTwgir6/99jAYs4i4krlBoiH20V7Qi0cjY8M3Z1VGSom+YudZENrOVHA6Swvebghy4UhAsNZdCCSrAes= X-Gm-Message-State: AOJu0Yw+aNBTS9uBifyCOo4d5DY1eXOdQ1WWf3zhYQLJ0M72HwcGfvwa 44IHYLqHAhTo+87somIbABl5YZvF1xb6AkObzF8OABgXU42Kp3O/ X-Google-Smtp-Source: AGHT+IF8/sEadRLAnbpJ546iA78yDn5n/Bx2/mY43tkpfKvXrJW5Ulfajn/v3h6nmVq5DL0GF5PNcA== X-Received: by 2002:adf:f20e:0:b0:366:ecc4:aa6e with SMTP id ffacd0b85a97d-366ecc4aac1mr3450002f8f.4.1719273802023; Mon, 24 Jun 2024 17:03:22 -0700 (PDT) Received: from localhost ([137.220.120.171]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3663a8cb6d2sm11292065f8f.111.2024.06.24.17.03.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Jun 2024 17:03:21 -0700 (PDT) From: luca.boccassi@gmail.com To: Maayan Kashani Cc: Dariusz Sosnowski , dpdk stable Subject: patch 'net/mlx5: fix crash on counter pool destroy' has been queued to stable release 22.11.6 Date: Tue, 25 Jun 2024 00:59:03 +0100 Message-Id: <20240624235907.885628-77-luca.boccassi@gmail.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240624235907.885628-1-luca.boccassi@gmail.com> References: <20240624235907.885628-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 22.11.6 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 06/27/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/bluca/dpdk-stable This queued commit can be viewed at: https://github.com/bluca/dpdk-stable/commit/e12b4a47badb24b5b69c60fad22653aee3ee8869 Thanks. Luca Boccassi --- >From e12b4a47badb24b5b69c60fad22653aee3ee8869 Mon Sep 17 00:00:00 2001 From: Maayan Kashani Date: Sun, 9 Jun 2024 14:01:02 +0300 Subject: [PATCH] net/mlx5: fix crash on counter pool destroy [ upstream commit 3331d59551cdecd2db3a2064a7d6e4bf9396b849 ] If the counter pool was not added to list, and an error state was reached, on attempt to destroy the counter pool, segmentation fault was received during list remove action. Added a check to verify the list is not empty before trying to remove the cpool from the list. Invalid state, leading to segfault, can also be reached in the following scenario: 1. mlx5_hws_cnt_pool_init() does a zmalloc and initializes most of the fields of cpool, but does not initialize the next field. 2. mlx5_hws_cnt_pool_dcs_alloc() attempts to bulk allocate flow counters. If this fails, we skip straight to 4. In HW, this can fail simply if FW doesn't support bulk flow counter allocation. 3. Right before the goto error, we insert the cpool to the hws_cpool_list. This is where the next field is initialized. 4. mlx5_hws_cnt_pool_destroy() assumes the cpool's next field is initialized and SEGVs if not. So, added a guard against cases where the entry was uninitialized (checking le_prev field is not NULL). Fixes: 6ac2104ac125 ("net/mlx5: fix counter query during port close") Signed-off-by: Maayan Kashani Acked-by: Dariusz Sosnowski --- drivers/net/mlx5/mlx5_hws_cnt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/mlx5/mlx5_hws_cnt.c b/drivers/net/mlx5/mlx5_hws_cnt.c index d4ef44d1a3..8415aa411f 100644 --- a/drivers/net/mlx5/mlx5_hws_cnt.c +++ b/drivers/net/mlx5/mlx5_hws_cnt.c @@ -717,7 +717,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh, * Maybe blocked for at most 200ms here. */ rte_spinlock_lock(&sh->cpool_lock); - LIST_REMOVE(cpool, next); + /* Try to remove cpool before it was added to list caused segfault. */ + if (!LIST_EMPTY(&sh->hws_cpool_list) && cpool->next.le_prev) + LIST_REMOVE(cpool, next); rte_spinlock_unlock(&sh->cpool_lock); if (--sh->cnt_svc->refcnt == 0) mlx5_hws_cnt_svc_deinit(sh); -- 2.39.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-06-25 00:22:17.493745565 +0100 +++ 0077-net-mlx5-fix-crash-on-counter-pool-destroy.patch 2024-06-25 00:22:13.297187932 +0100 @@ -1 +1 @@ -From 3331d59551cdecd2db3a2064a7d6e4bf9396b849 Mon Sep 17 00:00:00 2001 +From e12b4a47badb24b5b69c60fad22653aee3ee8869 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 3331d59551cdecd2db3a2064a7d6e4bf9396b849 ] + @@ -31 +32,0 @@ -Cc: stable@dpdk.org @@ -40 +41 @@ -index 36d422bdfa..a46a4bd94e 100644 +index d4ef44d1a3..8415aa411f 100644 @@ -43 +44 @@ -@@ -718,7 +718,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh, +@@ -717,7 +717,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh, @@ -52,2 +53,2 @@ - if (cpool->cfg.host_cpool == NULL) { - if (--sh->cnt_svc->refcnt == 0) + if (--sh->cnt_svc->refcnt == 0) + mlx5_hws_cnt_svc_deinit(sh);