patch 'net/mlx5: fix use after free on Rx queue start' has been queued to stable release 21.11.6

Kevin Traynor ktraynor at redhat.com
Thu Nov 16 14:23:42 CET 2023


Hi,

FYI, your patch has been queued to stable release 21.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/21/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/8ccbb4b6727fb0862446f137b10ccdd97eb66464

Thanks.

Kevin

---
From 8ccbb4b6727fb0862446f137b10ccdd97eb66464 Mon Sep 17 00:00:00 2001
From: Dariusz Sosnowski <dsosnowski at nvidia.com>
Date: Thu, 9 Nov 2023 19:58:19 +0200
Subject: [PATCH] net/mlx5: fix use after free on Rx queue start

[ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ]

If RX queue is not started yet, then a mlx5_rxq_obj struct used for
storing HW queue objects will be allocated and added to the list held
in port's private data structure.
After that allocation, Rx queue HW object configuration is done.
If that configuration failed, then mlx5_rxq_obj struct is freed, but
not removed from the list. This causes a use-after-free bug during
error handling in mlx5_rxq_start(), where this deallocated struct
was accessed during list cleanup.

This patch fixes that by inserting mlx5_rxq_obj struct to the list only
after HW queue object configuration succeeded.

Fixes: 09c2555303be ("net/mlx5: support shared Rx queue")

Signed-off-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
---
 drivers/net/mlx5/mlx5_trigger.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c
index feffcc4ce0..05143b8411 100644
--- a/drivers/net/mlx5/mlx5_trigger.c
+++ b/drivers/net/mlx5/mlx5_trigger.c
@@ -227,9 +227,7 @@ mlx5_rxq_start(struct rte_eth_dev *dev)
 			continue;
 		rxq_ctrl = rxq->ctrl;
-		if (!rxq_ctrl->started) {
+		if (!rxq_ctrl->started)
 			if (mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0)
 				goto error;
-			LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next);
-		}
 		ret = priv->obj_ops.rxq_obj_new(rxq);
 		if (ret) {
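Review bot: With the braces dropped, the `if (!rxq_ctrl->started)` at the top of this hunk now guards a nested unbraced `if`, which is easy to misread and easy to break when a statement is added to either level later. Consider a single condition, `if (!rxq_ctrl->started && mlx5_rxq_ctrl_prepare(dev, rxq_ctrl, i) < 0)`, followed by `goto error;`, or keep the outer braces.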
@@ -238,4 +236,6 @@ mlx5_rxq_start(struct rte_eth_dev *dev)
 			goto error;
 		}
+		if (!rxq_ctrl->started)
+			LIST_INSERT_HEAD(&priv->rxqsobj, rxq_ctrl->obj, next);
 		rxq_ctrl->started = true;
 	}
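Review bot: The added `LIST_INSERT_HEAD()` after the `rxq_obj_new()` error check carries no comment saying why it has to sit there, yet that ordering is the entire fix: per the commit message the failure path frees the object without unlinking it. A one-line comment above the new `if (!rxq_ctrl->started)` would stop a later cleanup from moving the insertion back next to `mlx5_rxq_ctrl_prepare()`. The check also depends on `started` still being false at this point, so it must stay ahead of `rxq_ctrl->started = true;`.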
-- 
2.41.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2023-11-16 13:21:53.990826356 +0000
+++ 0060-net-mlx5-fix-use-after-free-on-Rx-queue-start.patch	2023-11-16 13:21:52.584946765 +0000
@@ -1 +1 @@
-From c93943c575b495132c4b7456caecde7d268334e3 Mon Sep 17 00:00:00 2001
+From 8ccbb4b6727fb0862446f137b10ccdd97eb66464 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit c93943c575b495132c4b7456caecde7d268334e3 ]
+
@@ -19 +20,0 @@
-Cc: stable at dpdk.org
@@ -28 +29 @@
-index d7ecb149fa..7694140537 100644
+index feffcc4ce0..05143b8411 100644
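
The ordering rule described in the commit message (link an object into the cleanup list only after its configuration succeeded), as an added stand-alone example that is not part of the patch or of DPDK. It uses the `sys/queue.h` LIST macros; `queue_start`, `list_cleanup`, `demo` and the `fail_hw` switch are hypothetical names constructed for illustration.

```c
/* Added illustration, not DPDK code; every name below is hypothetical. */
#include <stdlib.h>
#include <sys/queue.h>

struct rxq_obj { LIST_ENTRY(rxq_obj) next; };
LIST_HEAD(obj_list, rxq_obj); /* plays the role of priv->rxqsobj */

/* Allocate, configure, and link only after configuration succeeded.
 * fail_hw is a constructed switch that simulates a HW configuration error. */
static int queue_start(struct obj_list *objs, int fail_hw)
{
	struct rxq_obj *obj = calloc(1, sizeof(*obj));

	if (obj == NULL)
		return -1;
	if (fail_hw) { /* stand-in for rxq_obj_new() returning an error */
		free(obj); /* never linked, so cleanup cannot reach it */
		return -1;
	}
	LIST_INSERT_HEAD(objs, obj, next);
	return 0;
}

/* Error-path cleanup: unlink and free every entry, return how many. */
static int list_cleanup(struct obj_list *objs)
{
	struct rxq_obj *obj;
	int n = 0;

	while ((obj = LIST_FIRST(objs)) != NULL) {
		LIST_REMOVE(obj, next);
		free(obj);
		n++;
	}
	return n;
}

/* Two good starts then a failed one; cleanup must see exactly two. */
static int demo(void)
{
	struct obj_list objs = LIST_HEAD_INITIALIZER(objs);

	if (queue_start(&objs, 0) || queue_start(&objs, 0))
		return -1;
	if (queue_start(&objs, 1) == 0)
		return -1;
	return list_cleanup(&objs);
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

Moving the `LIST_INSERT_HEAD()` call above the failure branch would leave a freed entry on the list, and building with `-fsanitize=address` would then report the invalid access inside `list_cleanup()`.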


