From: Martin Spinler <[email protected]>
The driver code has dereferenced the dev->data->rx_queues pointer
without checking for its validity.
Pointer invalidation can occur when the eth_dev_rx_queue_config
is called with set to 0, for example.
Moreover, an array of pointers (to a structure) was used like array
of structures (which worked with early dereference just for one queue).
Fixes: 6435f9a0ac22 ("net/nfb: add new netcope driver")
Cc: [email protected]
Signed-off-by: Martin Spinler <[email protected]>
---
drivers/net/nfb/nfb_stats.c | 46 ++++++++++++++++++-------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/drivers/net/nfb/nfb_stats.c b/drivers/net/nfb/nfb_stats.c
index 4ea6b7be21..27a01c3160 100644
--- a/drivers/net/nfb/nfb_stats.c
+++ b/drivers/net/nfb/nfb_stats.c
@@ -20,28 +20,28 @@ nfb_eth_stats_get(struct rte_eth_dev *dev, struct
rte_eth_stats *stats,
uint64_t rx_total_bytes = 0;
uint64_t tx_total_bytes = 0;
- struct ndp_rx_queue *rx_queue = *((struct ndp_rx_queue **)
- dev->data->rx_queues);
- struct ndp_tx_queue *tx_queue = *((struct ndp_tx_queue **)
- dev->data->tx_queues);
+ struct ndp_rx_queue *rx_queue;
+ struct ndp_tx_queue *tx_queue;
for (i = 0; i < nb_rx; i++) {
+ rx_queue = dev->data->rx_queues[i];
if (qstats && i < RTE_ETHDEV_QUEUE_STAT_CNTRS) {
- qstats->q_ipackets[i] = rx_queue[i].rx_pkts;
- qstats->q_ibytes[i] = rx_queue[i].rx_bytes;
+ qstats->q_ipackets[i] = rx_queue->rx_pkts;
+ qstats->q_ibytes[i] = rx_queue->rx_bytes;
}
- rx_total += rx_queue[i].rx_pkts;
- rx_total_bytes += rx_queue[i].rx_bytes;
+ rx_total += rx_queue->rx_pkts;
+ rx_total_bytes += rx_queue->rx_bytes;
}
for (i = 0; i < nb_tx; i++) {
+ tx_queue = dev->data->tx_queues[i];
if (qstats && i < RTE_ETHDEV_QUEUE_STAT_CNTRS) {
- qstats->q_opackets[i] = tx_queue[i].tx_pkts;
- qstats->q_obytes[i] = tx_queue[i].tx_bytes;
+ qstats->q_opackets[i] = tx_queue->tx_pkts;
+ qstats->q_obytes[i] = tx_queue->tx_bytes;
}
- tx_total += tx_queue[i].tx_pkts;
- tx_total_bytes += tx_queue[i].tx_bytes;
- tx_err_total += tx_queue[i].err_pkts;
+ tx_total += tx_queue->tx_pkts;
+ tx_total_bytes += tx_queue->tx_bytes;
+ tx_err_total += tx_queue->err_pkts;
}
stats->ipackets = rx_total;
@@ -59,20 +59,20 @@ nfb_eth_stats_reset(struct rte_eth_dev *dev)
uint16_t nb_rx = dev->data->nb_rx_queues;
uint16_t nb_tx = dev->data->nb_tx_queues;
- struct ndp_rx_queue *rx_queue = *((struct ndp_rx_queue **)
- dev->data->rx_queues);
- struct ndp_tx_queue *tx_queue = *((struct ndp_tx_queue **)
- dev->data->tx_queues);
+ struct ndp_rx_queue *rx_queue;
+ struct ndp_tx_queue *tx_queue;
for (i = 0; i < nb_rx; i++) {
- rx_queue[i].rx_pkts = 0;
- rx_queue[i].rx_bytes = 0;
- rx_queue[i].err_pkts = 0;
+ rx_queue = dev->data->rx_queues[i];
+ rx_queue->rx_pkts = 0;
+ rx_queue->rx_bytes = 0;
+ rx_queue->err_pkts = 0;
}
for (i = 0; i < nb_tx; i++) {
- tx_queue[i].tx_pkts = 0;
- tx_queue[i].tx_bytes = 0;
- tx_queue[i].err_pkts = 0;
+ tx_queue = dev->data->tx_queues[i];
+ tx_queue->tx_pkts = 0;
+ tx_queue->tx_bytes = 0;
+ tx_queue->err_pkts = 0;
}
return 0;
--
2.52.0
