If the counter pool was not added to the list,
and an error state was reached,
on an attempt to destroy the counter pool,
a segmentation fault was received during the list remove action.

Added a check to verify the list is not empty before trying to
remove the cpool from the list.

An invalid state, leading to a segfault,
can also be reached in the following scenario:
1. mlx5_hws_cnt_pool_init() does a zmalloc and initializes most
   of the fields of cpool, but does not initialize the next field.
2. mlx5_hws_cnt_pool_dcs_alloc() attempts to bulk allocate flow counters.
   If this fails, we skip straight to 4.
   In HW, this can fail simply if FW doesn't support bulk flow
   counter allocation.
3. Right before the goto error, we insert the cpool to the hws_cpool_list.
   This is where the next field is initialized.
4. mlx5_hws_cnt_pool_destroy() assumes the cpool's next field
   is initialized and SEGVs if not.

So, added a guard against cases where the entry was uninitialized
(checking that the le_prev field is not NULL).

Fixes: 6ac2104ac125 ("net/mlx5: fix counter query during port close")
Cc: sta...@dpdk.org
Signed-off-by: Maayan Kashani <mkash...@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnow...@nvidia.com>
---
 drivers/net/mlx5/mlx5_hws_cnt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_hws_cnt.c b/drivers/net/mlx5/mlx5_hws_cnt.c
index 36d422bdfa5..a46a4bd94e8 100644
--- a/drivers/net/mlx5/mlx5_hws_cnt.c
+++ b/drivers/net/mlx5/mlx5_hws_cnt.c
@@ -718,7 +718,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh,
         * Maybe blocked for at most 200ms here.
         */
        rte_spinlock_lock(&sh->cpool_lock);
-       LIST_REMOVE(cpool, next);
+       /* Try to remove cpool before it was added to list caused segfault. */
+       if (!LIST_EMPTY(&sh->hws_cpool_list) && cpool->next.le_prev)
+               LIST_REMOVE(cpool, next);
        rte_spinlock_unlock(&sh->cpool_lock);
        if (cpool->cfg.host_cpool == NULL) {
                if (--sh->cnt_svc->refcnt == 0)
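Review bot: the `!LIST_EMPTY(&sh->hws_cpool_list)` half of the new condition is redundant with the `cpool->next.le_prev` check: `le_prev` is only set non-NULL once the entry has been linked into a list, and a linked entry implies a non-empty list, so `if (cpool->next.le_prev)` alone expresses the intended guard and reads more directly. The guard also relies on the `next` field being zero-filled by the zmalloc in `mlx5_hws_cnt_pool_init()`, as the commit message describes; it would be worth stating that dependency in the comment, and rewording the comment itself, which is currently hard to parse, to something like `/* cpool may not have been linked yet (zmalloc leaves le_prev NULL) */`.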
-- 
2.21.0
