patch 'net/mlx5: fix use after free on Rx queue start' has been queued to stable release 22.11.4

Xueming Li xuemingl at nvidia.com
Mon Dec 11 11:11:54 CET 2023


Hi,

FYI, your patch has been queued to stable release 22.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/13/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=22.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=22.11-staging&id=480df9f41ec2ecca534a6783d95fdd10769830e3

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
From 480df9f41ec2ecca534a6783d95fdd10769830e3 Mon Sep 17 00:00:00 2001
From: Dariusz Sosnowski <dsosnowski at nvidia.com>
Date: Thu, 9 Nov 2023 19:58:19 +0200
Subject: [PATCH] net/mlx5: fix use after free on Rx queue start
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ]

If RX queue is not started yet, then a mlx5_rxq_obj struct used for
storing HW queue objects will be allocated and added to the list held
in port's private data structure.
After that allocation, Rx queue HW object configuration is done.
If that configuration failed, then mlx5_rxq_obj struct is freed, but
not removed from the list. This causes a use after free bug, during
error handling in mlx5_rxq_start(), where this deallocated struct
was accessed during list cleanup.

This patch fixes that by inserting mlx5_rxq_obj struct to the list only
after HW queue object configuration succeeded.

Fixes: 09c2555303be ("net/mlx5: support shared Rx queue")

Signed-off-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
---
 drivers/net/mlx5/mlx5_trigger.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c
index 2f95b8fe77..5bf637a0cd 100644
--- a/drivers/net/mlx5/mlx5_trigger.c
+++ b/drivers/net/mlx5/mlx5_trigger.c
@@ -226,17 +226,17 @@ mlx5_rxq_start(struct rte_eth_dev *dev)
 		if (rxq == NULL)
 			continue;
 		rxq_ctrl = rxq->ctrl;
-		if (!rxq_ctrl->started) {
+		if (!rxq_ctrl->started)
 			if (mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0)
 				goto error;
-			LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next);
-		}
 		ret = priv->obj_ops.rxq_obj_new(rxq);
 		if (ret) {
 			mlx5_free(rxq_ctrl->obj);
 			rxq_ctrl->obj = NULL;
 			goto error;
 		}
+		if (!rxq_ctrl->started)
+			LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next);
 		rxq_ctrl->started = true;
 	}
 	return 0;
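
Review bot: in the rxq_obj_new() failure branch, mlx5_free(rxq_ctrl->obj) runs whatever the value of rxq_ctrl->started, while the LIST_INSERT_HEAD is now guarded by !rxq_ctrl->started. If a control structure that is already started, and whose obj was linked on an earlier pass, can reach that branch, the freed obj stays on priv->rxqsobj, which is the pattern the commit message describes. Please confirm that path cannot fail, or unlink with LIST_REMOVE before the free when started is set. Style: the nested if pair left without braces at the top of the hunk is easier to read merged into one condition, (!rxq_ctrl->started && mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0).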
-- 
2.25.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2023-12-11 17:56:25.985251700 +0800
+++ 0089-net-mlx5-fix-use-after-free-on-Rx-queue-start.patch	2023-12-11 17:56:23.187652300 +0800
@@ -1 +1 @@
-From c93943c575b495132c4b7456caecde7d268334e3 Mon Sep 17 00:00:00 2001
+From 480df9f41ec2ecca534a6783d95fdd10769830e3 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ]
@@ -19 +21,0 @@
-Cc: stable at dpdk.org
@@ -28 +30 @@
-index d7ecb149fa..7694140537 100644
+index 2f95b8fe77..5bf637a0cd 100644
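
The ordering problem the commit message describes (an object freed on configuration failure while still linked in the list), as an added C example that is not part of the original mail or of the mlx5 driver. struct obj, the flag-based pool, queue_start() and its hw_ok/insert_early parameters are constructed stand-ins; "free" only clears a flag so the stale entry can be counted without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/queue.h>
/* Constructed stand-in for mlx5_rxq_obj. Objects live in a static pool and
 * "free" only clears a flag, so a stale list entry can be detected safely. */
struct obj { LIST_ENTRY(obj) next; bool live; };
LIST_HEAD(obj_list, obj);
static struct obj pool[8];

static struct obj *obj_alloc(void)
{
	for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
		if (!pool[i].live) { pool[i].live = true; return &pool[i]; }
	return NULL;
}

/* Start one queue; insert_early reproduces the pre-patch ordering. */
static int queue_start(struct obj_list *list, bool hw_ok, bool insert_early)
{
	struct obj *o = obj_alloc();
	if (o == NULL)
		return -1;
	if (insert_early)
		LIST_INSERT_HEAD(list, o, next);
	if (!hw_ok) {            /* stand-in for a failed HW object configuration */
		o->live = false; /* "freed", but still linked when insert_early */
		return -1;
	}
	if (!insert_early)
		LIST_INSERT_HEAD(list, o, next); /* linked only after success */
	return 0;
}

/* Entries that error-path list cleanup would walk into after they were freed. */
static int dangling_entries(struct obj_list *list)
{
	struct obj *o; int n = 0;
	LIST_FOREACH(o, list, next)
		n += !o->live;
	return n;
}

int main(void)
{
	struct obj_list early = LIST_HEAD_INITIALIZER(early), late = LIST_HEAD_INITIALIZER(late);
	queue_start(&late, false, false);
	queue_start(&early, false, true);
	printf("late: %d dangling, early: %d dangling\n", dangling_entries(&late), dangling_entries(&early));
	return 0;
}
```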

