[dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing tx queues

wangyunjian wangyunjian at huawei.com
Fri Sep 23 11:31:42 CEST 2022


Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Tuesday, August 23, 2022 2:46 PM
> To: dev at dpdk.org
> Cc: matan at nvidia.com; rasland at nvidia.com; viacheslavo at nvidia.com;
> dkozlyuk at nvidia.com; Huangshaozhang <huangshaozhang at huawei.com>;
> wangyunjian <wangyunjian at huawei.com>; stable at dpdk.org
> Subject: [dpdk-dev] [PATCH v2 1/2] net/mlx5: fix use after free when releasing
> tx queues
> 
> The bonding slave remove function was calling the eth_dev_tx_queue_config
> function, which frees dev->data->tx_queues, and then tries to free
> priv->txqs[idx] in mlx5_txq_release function, which causes the heap use
> after free issue. Add checks whether dev->data->tx_queues is not NULL.
> 
> Fixes: 94e257ec8ca ("net/mlx5: fix Rx/Tx queue checks")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
> ---
>  drivers/net/mlx5/mlx5_txq.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_txq.c b/drivers/net/mlx5/mlx5_txq.c index
> 0140f8b3b2..cb2c33a060 100644
> --- a/drivers/net/mlx5/mlx5_txq.c
> +++ b/drivers/net/mlx5/mlx5_txq.c
> @@ -1198,7 +1198,8 @@ mlx5_txq_release(struct rte_eth_dev *dev, uint16_t
> idx)
>  	struct mlx5_priv *priv = dev->data->dev_private;
>  	struct mlx5_txq_ctrl *txq_ctrl;
> 
> -	if (priv->txqs == NULL || (*priv->txqs)[idx] == NULL)
> +	if (dev->data->tx_queues == NULL || priv->txqs == NULL ||
> +		(*priv->txqs)[idx] == NULL)
>  		return 0;
>  	txq_ctrl = container_of((*priv->txqs)[idx], struct mlx5_txq_ctrl, txq);
>  	if (__atomic_sub_fetch(&txq_ctrl->refcnt, 1, __ATOMIC_RELAXED) > 1)
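
Review bot: the new `dev->data->tx_queues == NULL` test at the top of mlx5_txq_release() guards the dereference of `(*priv->txqs)[idx]`, but `priv->txqs` itself is left untouched, so it can still hold the address of the array that the commit message says eth_dev_tx_queue_config has already freed. The guard therefore depends on the ethdev layer having reset `dev->data->tx_queues` to NULL after the free, and on every other reader of `priv->txqs` repeating the same test. Consider clearing `priv->txqs` at the point where the array is released, or at minimum add a comment above the condition stating why the ethdev-owned pointer is checked first and that `priv->txqs` refers to the same allocation. Nothing in this hunk validates `idx` against the number of configured queues either; if callers are expected to guarantee that, it is worth saying so in the comment.
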
> --
> 2.27.0


