net/bnxt: fix double free in port start failure
Checks
Commit Message
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
During port start when bnxt_start_nic() fails, it tries to free
"intr_handle->intr_vec" but the variable is not set to NULL after that.
If port start fails, driver invokes bnxt_dev_stop() which will lead
to a double free of "intr_handle->intr_vec".
Fix it by removing the call to free "intr_handle->intr_vec" in the
bnxt_start_nic() failure path as it is anyway doing in bnxt_dev_stop().
Fixes: 9d276b439aaf ("net/bnxt: fix error handling in device start")
Cc: stable@dpdk.org
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
Reviewed-by: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>
---
drivers/net/bnxt/bnxt_ethdev.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
Comments
On Wed, Mar 31, 2021 at 7:31 PM Kalesh A P <
kalesh-anakkur.purayil@broadcom.com> wrote:
> From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
>
> During port start when bnxt_start_nic() fails, it tries to free
> "intr_handle->intr_vec" but the variable is not set to NULL after that.
> If port start fails, driver invokes bnxt_dev_stop() which will lead
> to a double free of "intr_handle->intr_vec".
>
> Fix it by removing the call to free "intr_handle->intr_vec" in the
> bnxt_start_nic() failure path as it is anyway doing in bnxt_dev_stop().
>
> Fixes: 9d276b439aaf ("net/bnxt: fix error handling in device start")
> Cc: stable@dpdk.org
>
> Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
> Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
> Reviewed-by: Ajit Kumar Khaparde <ajit.khaparde@broadcom.com>
>
Patch applied to dpdk-next-net-brcm.
> ---
> drivers/net/bnxt/bnxt_ethdev.c | 10 +++-------
> 1 file changed, 3 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/bnxt/bnxt_ethdev.c
> b/drivers/net/bnxt/bnxt_ethdev.c
> index ed2ae45..0042d8a 100644
> --- a/drivers/net/bnxt/bnxt_ethdev.c
> +++ b/drivers/net/bnxt/bnxt_ethdev.c
> @@ -793,7 +793,7 @@ static int bnxt_start_nic(struct bnxt *bp)
> PMD_DRV_LOG(ERR, "Failed to allocate %d rx_queues"
> " intr_vec",
> bp->eth_dev->data->nb_rx_queues);
> rc = -ENOMEM;
> - goto err_disable;
> + goto err_out;
> }
> PMD_DRV_LOG(DEBUG, "intr_handle->intr_vec = %p "
> "intr_handle->nb_efd = %d intr_handle->max_intr =
> %d\n",
> @@ -813,12 +813,12 @@ static int bnxt_start_nic(struct bnxt *bp)
> #ifndef RTE_EXEC_ENV_FREEBSD
> /* In FreeBSD OS, nic_uio driver does not support interrupts */
> if (rc)
> - goto err_free;
> + goto err_out;
> #endif
>
> rc = bnxt_update_phy_setting(bp);
> if (rc)
> - goto err_free;
> + goto err_out;
>
> bp->mark_table = rte_zmalloc("bnxt_mark_table",
> BNXT_MARK_TABLE_SZ, 0);
> if (!bp->mark_table)
> @@ -826,10 +826,6 @@ static int bnxt_start_nic(struct bnxt *bp)
>
> return 0;
>
> -err_free:
> - rte_free(intr_handle->intr_vec);
> -err_disable:
> - rte_intr_efd_disable(intr_handle);
> err_out:
> /* Some of the error status returned by FW may not be from errno.h
> */
> if (rc > 0)
> --
> 2.10.1
>
>
@@ -793,7 +793,7 @@ static int bnxt_start_nic(struct bnxt *bp)
PMD_DRV_LOG(ERR, "Failed to allocate %d rx_queues"
" intr_vec", bp->eth_dev->data->nb_rx_queues);
rc = -ENOMEM;
- goto err_disable;
+ goto err_out;
}
PMD_DRV_LOG(DEBUG, "intr_handle->intr_vec = %p "
"intr_handle->nb_efd = %d intr_handle->max_intr = %d\n",
@@ -813,12 +813,12 @@ static int bnxt_start_nic(struct bnxt *bp)
#ifndef RTE_EXEC_ENV_FREEBSD
/* In FreeBSD OS, nic_uio driver does not support interrupts */
if (rc)
- goto err_free;
+ goto err_out;
#endif
rc = bnxt_update_phy_setting(bp);
if (rc)
- goto err_free;
+ goto err_out;
bp->mark_table = rte_zmalloc("bnxt_mark_table", BNXT_MARK_TABLE_SZ, 0);
if (!bp->mark_table)
@@ -826,10 +826,6 @@ static int bnxt_start_nic(struct bnxt *bp)
return 0;
-err_free:
- rte_free(intr_handle->intr_vec);
-err_disable:
- rte_intr_efd_disable(intr_handle);
err_out:
/* Some of the error status returned by FW may not be from errno.h */
if (rc > 0)