[08/10] regex/mlx5: fix uninitialized QP destroy
Commit Message
From: Ady Agbarih <adypodoman@gmail.com>
The number of QPs for a device is set up during the
configuration phase, when the user calls
rte_regexdev_configure(). The mlx5 regex driver then
pre-allocates QPs; however, those QPs are not
set up/ready for sending jobs. The user has to configure
each QP using rte_regexdev_queue_pair_setup(). When
stopping the device the driver destroys all QPs that
were preallocated assuming that they are all set up. This
results in an attempt to destroy an uninitialized QP,
leading to a NULL dereference error.
In order to solve this issue we first check that the
QP jobs array has been initialized before attempting
to destroy the QP.
Fixes: 35f8f6c8dbee ("regex/mlx5: add cleanup code")
Cc: orika@nvidia.com
Signed-off-by: Ady Agbarih <adypodoman@gmail.com>
---
drivers/regex/mlx5/mlx5_regex_control.c | 3 +++
drivers/regex/mlx5/mlx5_regex_fastpath.c | 7 ++++---
2 files changed, 7 insertions(+), 3 deletions(-)
Comments
Hi Francis,
> -----Original Message-----
> From: Francis Kelly <fkelly@nvidia.com>
> Sent: Friday, October 22, 2021 6:46 PM
> Subject: [PATCH 08/10] regex/mlx5: fix uninitialized QP destroy
>
> From: Ady Agbarih <adypodoman@gmail.com>
>
> The number of QPs for a device is set up during the
> configuration phase, when the user calls
> rte_regexdev_configure(). The mlx5 regex driver then
> pre-allocates QPs; however, those QPs are not
> set up/ready for sending jobs. The user has to configure
> each QP using rte_regexdev_queue_pair_setup(). When
> stopping the device the driver destroys all QPs that
> were preallocated assuming that they are all set up. This
> results in an attempt to destroy an uninitialized QP,
> leading to a NULL dereference error.
>
> In order to solve this issue we first check that the
> QP jobs array has been initialized before attempting
> to destroy the QP.
>
> Fixes: 35f8f6c8dbee ("regex/mlx5: add cleanup code")
> Cc: orika@nvidia.com
>
> Signed-off-by: Ady Agbarih <adypodoman@gmail.com>
> ---
Acked-by: Ori Kam <orika@nvidia.com>
Best,
Ori
@@ -283,6 +283,9 @@ mlx5_regex_clean_ctrl(struct rte_regexdev *dev)
return;
for (qp_ind = 0; qp_ind < priv->nb_queues; qp_ind++) {
qp = &priv->qps[qp_ind];
+ /* Check if mlx5_regex_qp_setup() was called for this QP */
+ if (!qp->jobs)
+ continue;
mlx5_regexdev_teardown_fastpath(priv, qp_ind);
mlx5_mr_btree_free(&qp->mr_ctrl.cache_bh);
for (i = 0; i < qp->nb_obj; i++)
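Review bot: the `continue` on `!qp->jobs` in mlx5_regex_clean_ctrl() skips more than the fastpath teardown: it also bypasses mlx5_mr_btree_free(&qp->mr_ctrl.cache_bh) and the loop over qp->nb_obj. That is only safe if those resources are never allocated for a QP whose jobs pointer is NULL. The setup_fastpath hunk in this same patch now sets qp->jobs to NULL when setup_buffers() fails, so a QP that got part-way through setup would take this `continue` as well. Please confirm the setup error path releases the btree and the objects itself. Otherwise, since mlx5_regexdev_teardown_fastpath() now checks qp->jobs on its own, this check could be dropped or narrowed so that the remaining cleanup still runs.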
@@ -739,6 +739,7 @@ mlx5_regexdev_setup_fastpath(struct mlx5_regex_priv *priv, uint32_t qp_id)
err = setup_buffers(priv, qp);
if (err) {
rte_free(qp->jobs);
+ qp->jobs = NULL;
return err;
}
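Review bot: the added `qp->jobs = NULL` covers only the setup_buffers() failure branch shown here, while the other two hunks now treat a non-NULL qp->jobs as meaning the QP was fully set up. Any other error return in mlx5_regexdev_setup_fastpath() that frees or abandons jobs after allocation needs the same reset, or a later stop will walk a freed array. It would be more robust to route all failures through a single error label that does `rte_free(qp->jobs); qp->jobs = NULL;` once. The remaining error paths are not visible in this context, so this is a request to check them.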
@@ -791,14 +792,14 @@ mlx5_regexdev_teardown_fastpath(struct mlx5_regex_priv *priv, uint32_t qp_id)
struct mlx5_regex_qp *qp = &priv->qps[qp_id];
uint32_t i;
- if (qp) {
+ if (qp->jobs) {
for (i = 0; i < qp->nb_desc; i++) {
if (qp->jobs[i].imkey)
claim_zero(mlx5_devx_cmd_destroy
(qp->jobs[i].imkey));
}
free_buffers(qp);
- if (qp->jobs)
- rte_free(qp->jobs);
+ rte_free(qp->jobs);
+ qp->jobs = NULL;
}
}
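Review bot: the new `if (qp->jobs)` guard in mlx5_regexdev_teardown_fastpath() carries no comment saying that jobs doubles as the "QP was set up" marker, unlike the check added in mlx5_regex_clean_ctrl(). A one-line comment here would keep the two checks consistent. The replaced `if (qp)` could never be false because qp is the address of an array element, so the change itself is right. The trailing `qp->jobs = NULL` also makes a second teardown of the same QP a no-op instead of a use of freed memory, which the commit log does not mention and which is worth a sentence there. One thing to verify: free_buffers(qp) is called only inside the guard, so setup must never leave buffers allocated while jobs is NULL.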