[dpdk-dev] [PATCH 1/2] net/mlx5: fix use after free when releasing tx queues

Yunjian Wang wangyunjian at huawei.com
Wed Aug 3 15:16:04 CEST 2022

Previous message (by thread): [PATCH 19.11] eal/freebsd: fix use of newer cpuset macros
Next message (by thread): [dpdk-dev] [PATCH 2/2] net/mlx5: fix resource leak when releasing a drop action
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The bonding slave remove function was calling the eth_dev_tx_queue_config
function, which frees dev->data->tx_queues, and then tries to free
priv->txqs[idx] in mlx5_txq_release function, which causes the heap use
after free issue. Add checks whether dev->data->tx_queues is not NULL.

Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks")
Cc: stable at dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
---
 drivers/net/mlx5/mlx5_txq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c
index 0140f8b3b2..cb2c33a060 100644
--- a/drivers/net/mlx5/mlx5_txq.c
+++ b/drivers/net/mlx5/mlx5_txq.c
@@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev, uint16_t idx)
 	struct mlx5_priv *priv = dev->data->dev_private;
 	struct mlx5_txq_ctrl *txq_ctrl;
 
-	if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL)
+	if (dev->data->tx_queues == NULL || priv->txqs == NULL ||
+		(*priv->txqs)[idx] == NULL)
 		return 0;
 	txq_ctrl = container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl, txq);
 	if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1)
-- 
2.27.0

Previous message (by thread): [PATCH 19.11] eal/freebsd: fix use of newer cpuset macros
Next message (by thread): [dpdk-dev] [PATCH 2/2] net/mlx5: fix resource leak when releasing a drop action
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list