From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Rybchenko <arybchenko@solarflare.com>
Subject: [PATCH] net/failsafe: fix crash on slave queue release
Date: Fri, 31 Aug 2018 17:16:32 +0100
Message-ID: <1535732192-3058-1-git-send-email-arybchenko@solarflare.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: <dev@dpdk.org>, Igor Romanov <igor.romanov@oktetlabs.ru>, <stable@dpdk.org>
To: Gaetan Rivet <gaetan.rivet@6wind.com>
Return-path: <dev-bounces@dpdk.org>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: Igor Romanov <igor.romanov@oktetlabs.ru>

Releasing a queue that is already released by slave may cause a
segmentation fault. For example, after a successfull device
configuration a queue is set up. Afterwards the device is reconfigured
with an invalid argument, forcing slaves to release the queues
(e.g. rte_eth_dev.data.tx_queues). Finally the failsafe's queues
are released. The queue release functions also try to release slaves'
queues using ETH(sdev)->data->tx_queues which is NULL at the time.

Add checks for NULL slaves' Tx and Rx queues before releasing them.

Fixes: a46f8d584eb8 ("net/failsafe: add fail-safe PMD")
Cc: stable@dpdk.org

Signed-off-by: Igor Romanov <igor.romanov@oktetlabs.ru>
Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com>
---
 drivers/net/failsafe/failsafe_ops.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/net/failsafe/failsafe_ops.c b/drivers/net/failsafe/failsafe_ops.c
index 24e91c931..94b9769e7 100644
--- a/drivers/net/failsafe/failsafe_ops.c
+++ b/drivers/net/failsafe/failsafe_ops.c
@@ -309,9 +309,13 @@ fs_rx_queue_release(void *queue)
 	fs_lock(dev, 0);
 	if (rxq->event_fd > 0)
 		close(rxq->event_fd);
-	FOREACH_SUBDEV_STATE(sdev, i, dev, DEV_ACTIVE)
-		SUBOPS(sdev, rx_queue_release)
-			(ETH(sdev)->data->rx_queues[rxq->qid]);
+	FOREACH_SUBDEV_STATE(sdev, i, dev, DEV_ACTIVE) {
+		if (ETH(sdev)->data->rx_queues != NULL &&
+		    ETH(sdev)->data->rx_queues[rxq->qid] != NULL) {
+			SUBOPS(sdev, rx_queue_release)
+				(ETH(sdev)->data->rx_queues[rxq->qid]);
+		}
+	}
 	dev->data->rx_queues[rxq->qid] = NULL;
 	rte_free(rxq);
 	fs_unlock(dev, 0);
@@ -477,9 +481,13 @@ fs_tx_queue_release(void *queue)
 	txq = queue;
 	dev = txq->priv->dev;
 	fs_lock(dev, 0);
-	FOREACH_SUBDEV_STATE(sdev, i, dev, DEV_ACTIVE)
-		SUBOPS(sdev, tx_queue_release)
-			(ETH(sdev)->data->tx_queues[txq->qid]);
+	FOREACH_SUBDEV_STATE(sdev, i, dev, DEV_ACTIVE) {
+		if (ETH(sdev)->data->tx_queues != NULL &&
+		    ETH(sdev)->data->tx_queues[txq->qid] != NULL) {
+			SUBOPS(sdev, tx_queue_release)
+				(ETH(sdev)->data->tx_queues[txq->qid]);
+		}
+	}
 	dev->data->tx_queues[txq->qid] = NULL;
 	rte_free(txq);
 	fs_unlock(dev, 0);
-- 
2.17.1