[08/10] regex/mlx5: fix uninitialized QP destroy

Message ID 20211022154600.2180938-8-fkelly@nvidia.com (mailing list archive)
State Accepted, archived
Delegated to: Thomas Monjalon
Series [01/10] common/mlx5: update PRM definitions for regex availability

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Francis Kelly Oct. 22, 2021, 3:45 p.m. UTC
  From: Ady Agbarih <adypodoman@gmail.com>

The number of QPs for a device is set up during the
configuration phase, when the user calls
rte_regexdev_configure(). The mlx5 regex driver then
pre-allocates QPs; however, those QPs are not
set up/ready for sending jobs. The user has to configure
each QP using rte_regexdev_queue_pair_setup(). When
stopping the device, the driver destroys all QPs that
were preallocated, assuming that they are all set up. This
results in an attempt to destroy an uninitialized QP,
leading to a NULL dereference error.

In order to solve this issue we first check that the
QP jobs array has been initialized before attempting
to destroy the QP.

Fixes: 35f8f6c8dbee ("regex/mlx5: add cleanup code")
Cc: orika@nvidia.com

Signed-off-by: Ady Agbarih <adypodoman@gmail.com>
---
 drivers/regex/mlx5/mlx5_regex_control.c  | 3 +++
 drivers/regex/mlx5/mlx5_regex_fastpath.c | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
  

Comments

Ori Kam Oct. 24, 2021, 1:42 p.m. UTC | #1
Hi Francis,

> -----Original Message-----
> From: Francis Kelly <fkelly@nvidia.com>
> Sent: Friday, October 22, 2021 6:46 PM
> Subject: [PATCH 08/10] regex/mlx5: fix uninitialized QP destroy
> 
> From: Ady Agbarih <adypodoman@gmail.com>
> 
> The number of QPs for a device are setup during the
>  configuration phase, when the user calls
>  rte_regexdev_configure(). The mlx5 regex driver then
>  pre-allocates QPs, however those QPs are not
>  setup/ready for sending jobs. The user has to configure
>  each QP using rte_regexdev_queue_pair_setup(). When
>  stopping the device the driver destroys all QPs that
>  were preallocated assuming that they are all setup. This
>  results in an attempt to destroy an uninitialized QP,
>  leading to a NULL dereference error.
> 
> In order to solve this issue we first check that the
>  QP jobs array has been initialized before attempting
>  to destroy the QP.
> 
> Fixes: 35f8f6c8dbee ("regex/mlx5: add cleanup code")
> Cc: orika@nvidia.com
> 
> Signed-off-by: Ady Agbarih <adypodoman@gmail.com>
> ---

Acked-by: Ori Kam <orika@nvidia.com>
Best,
Ori
  

Patch

diff --git a/drivers/regex/mlx5/mlx5_regex_control.c b/drivers/regex/mlx5/mlx5_regex_control.c
index 3e0a0cdd71..52f66ecce8 100644
--- a/drivers/regex/mlx5/mlx5_regex_control.c
+++ b/drivers/regex/mlx5/mlx5_regex_control.c
@@ -283,6 +283,9 @@  mlx5_regex_clean_ctrl(struct rte_regexdev *dev)
 		return;
 	for (qp_ind = 0; qp_ind < priv->nb_queues; qp_ind++) {
 		qp = &priv->qps[qp_ind];
+		/* Check if mlx5_regex_qp_setup() was called for this QP */
+		if (!qp->jobs)
+			continue;
 		mlx5_regexdev_teardown_fastpath(priv, qp_ind);
 		mlx5_mr_btree_free(&qp->mr_ctrl.cache_bh);
 		for (i = 0; i < qp->nb_obj; i++)
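Review bot: The new `continue` in mlx5_regex_clean_ctrl() skips more than the fastpath teardown: for a QP with `qp->jobs == NULL` it also bypasses `mlx5_mr_btree_free(&qp->mr_ctrl.cache_bh)` and the `qp->nb_obj` loop that follows. That is correct for a QP that was never set up, but after this series `qp->jobs` is also NULL when mlx5_regexdev_setup_fastpath() fails, so please confirm that the QP setup error path releases the MR btree and the per-QP objects itself; otherwise they are no longer freed here. The check also relies on `priv->qps` being zero-initialized at allocation, which deserves a word in the comment since `jobs` is now the "QP is set up" marker.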
diff --git a/drivers/regex/mlx5/mlx5_regex_fastpath.c b/drivers/regex/mlx5/mlx5_regex_fastpath.c
index 0833b2817e..26b4cc5c82 100644
--- a/drivers/regex/mlx5/mlx5_regex_fastpath.c
+++ b/drivers/regex/mlx5/mlx5_regex_fastpath.c
@@ -739,6 +739,7 @@  mlx5_regexdev_setup_fastpath(struct mlx5_regex_priv *priv, uint32_t qp_id)
 	err = setup_buffers(priv, qp);
 	if (err) {
 		rte_free(qp->jobs);
+		qp->jobs = NULL;
 		return err;
 	}
 
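Review bot: Clearing `qp->jobs` after `rte_free()` in the `setup_buffers()` failure branch is needed now that the pointer doubles as the set-up flag, but only this one error return is covered by the hunk. Any other failure return in mlx5_regexdev_setup_fastpath() that happens after `qp->jobs` has been allocated must reset it as well, or the cleanup path will see a stale non-NULL pointer and walk freed memory. A single error label that does `rte_free(qp->jobs); qp->jobs = NULL;` would keep the paths consistent.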
@@ -791,14 +792,14 @@  mlx5_regexdev_teardown_fastpath(struct mlx5_regex_priv *priv, uint32_t qp_id)
 	struct mlx5_regex_qp *qp = &priv->qps[qp_id];
 	uint32_t i;
 
-	if (qp) {
+	if (qp->jobs) {
 		for (i = 0; i < qp->nb_desc; i++) {
 			if (qp->jobs[i].imkey)
 				claim_zero(mlx5_devx_cmd_destroy
 							(qp->jobs[i].imkey));
 		}
 		free_buffers(qp);
-		if (qp->jobs)
-			rte_free(qp->jobs);
+		rte_free(qp->jobs);
+		qp->jobs = NULL;
 	}
 }
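Review bot: In mlx5_regexdev_teardown_fastpath() the `if (qp->jobs)` guard now wraps the entire body, so an early `if (!qp->jobs) return;` would remove a nesting level and mirror the `continue` used in mlx5_regex_clean_ctrl(). The replaced `if (qp)` test could never be false because `qp` is the address of an element of `priv->qps`, so this is the first effective guard before `qp->jobs[i].imkey` is read; a short comment saying that `jobs` marks a set-up QP, and that resetting it to NULL makes a repeated teardown a no-op, would document the invariant the other two hunks depend on.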