[dpdk-dev] [PATCH 08/10] regex/mlx5: fix uninitialized QP destroy

Fri, 22 Oct 2021 12:49:25 -0700 

From: Ady Agbarih <adypodo...@gmail.com>

The number of QPs for a device are setup during the
 configuration phase, when the user calls
 rte_regexdev_configure(). The mlx5 regex driver then
 pre-allocates QPs, however those QPs are not
 setup/ready for sending jobs. The user has to configure
 each QP using rte_regexdev_queue_pair_setup(). When
 stopping the device the driver destroys all QPs that
 were preallocated assuming that they are all setup. This
 results in an attempt to destroy an uninitialized QP,
 leading to a NULL dereference error.

In order to solve this issue we first check that the
 QP jobs array has been initialized before attempting
 to destroy the QP.

Fixes: 35f8f6c8dbee ("regex/mlx5: add cleanup code")
Cc: or...@nvidia.com

Signed-off-by: Ady Agbarih <adypodo...@gmail.com>
---
 drivers/regex/mlx5/mlx5_regex_control.c  | 3 +++
 drivers/regex/mlx5/mlx5_regex_fastpath.c | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/regex/mlx5/mlx5_regex_control.c 
b/drivers/regex/mlx5/mlx5_regex_control.c
index 3e0a0cdd71..52f66ecce8 100644
--- a/drivers/regex/mlx5/mlx5_regex_control.c
+++ b/drivers/regex/mlx5/mlx5_regex_control.c
@@ -283,6 +283,9 @@ mlx5_regex_clean_ctrl(struct rte_regexdev *dev)
                return;
        for (qp_ind = 0; qp_ind < priv->nb_queues; qp_ind++) {
                qp = &priv->qps[qp_ind];
+               /* Check if mlx5_regex_qp_setup() was called for this QP */
+               if (!qp->jobs)
+                       continue;
                mlx5_regexdev_teardown_fastpath(priv, qp_ind);
                mlx5_mr_btree_free(&qp->mr_ctrl.cache_bh);
                for (i = 0; i < qp->nb_obj; i++)
diff --git a/drivers/regex/mlx5/mlx5_regex_fastpath.c 
b/drivers/regex/mlx5/mlx5_regex_fastpath.c
index 0833b2817e..26b4cc5c82 100644
--- a/drivers/regex/mlx5/mlx5_regex_fastpath.c
+++ b/drivers/regex/mlx5/mlx5_regex_fastpath.c
@@ -739,6 +739,7 @@ mlx5_regexdev_setup_fastpath(struct mlx5_regex_priv *priv, 
uint32_t qp_id)
        err = setup_buffers(priv, qp);
        if (err) {
                rte_free(qp->jobs);
+               qp->jobs = NULL;
                return err;
        }
 
@@ -791,14 +792,14 @@ mlx5_regexdev_teardown_fastpath(struct mlx5_regex_priv 
*priv, uint32_t qp_id)
        struct mlx5_regex_qp *qp = &priv->qps[qp_id];
        uint32_t i;
 
-       if (qp) {
+       if (qp->jobs) {
                for (i = 0; i < qp->nb_desc; i++) {
                        if (qp->jobs[i].imkey)
                                claim_zero(mlx5_devx_cmd_destroy
                                                        (qp->jobs[i].imkey));
                }
                free_buffers(qp);
-               if (qp->jobs)
-                       rte_free(qp->jobs);
+               rte_free(qp->jobs);
+               qp->jobs = NULL;
        }
 }
-- 
2.25.1

Reply via email to