mlx5_flow_aso_age_mng_init() and mlx5_flow_aso_ct_mng_init() each
allocate a management structure, then call mlx5_aso_queue_init().
If the queue init fails, the structure is freed but the pointer in
the shared context (sh->aso_age_mng / sh->ct_mng) is not set to
NULL.

A subsequent call to the same init function sees the non-NULL
pointer, skips re-allocation, and returns success, leaving the
caller operating on freed memory.

Set the pointer to NULL after freeing in both error paths.

Fixes: f935ed4b645a ("net/mlx5: support flow hit action for aging")
Cc: [email protected]
Signed-off-by: Stephen Hemminger <[email protected]>
---
drivers/net/mlx5/mlx5.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/mlx5/mlx5.c b/drivers/net/mlx5/mlx5.c
index d533ce41e1..71383f2ac7 100644
--- a/drivers/net/mlx5/mlx5.c
+++ b/drivers/net/mlx5/mlx5.c
@@ -459,6 +459,7 @@ mlx5_flow_aso_age_mng_init(struct mlx5_dev_ctx_shared *sh)
err = mlx5_aso_queue_init(sh, ASO_OPC_MOD_FLOW_HIT, 1);
if (err) {
mlx5_free(sh->aso_age_mng);
+ sh->aso_age_mng = NULL;
return -1;
}
rte_rwlock_init(&sh->aso_age_mng->resize_rwl);
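Review bot: The error branch in mlx5_flow_aso_age_mng_init() still returns a bare -1 and leaves rte_errno untouched, while the equivalent branch in mlx5_flow_aso_ct_mng_init() sets rte_errno and returns -rte_errno. Since this patch already touches both branches to make them behave the same on failure, consider either aligning the return convention here or noting in the commit message that it is left for a follow-up. The NULL assignment itself is correctly placed after mlx5_free() and before the return, so a retry will see a NULL sh->aso_age_mng and re-allocate.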
@@ -823,6 +824,7 @@ mlx5_flow_aso_ct_mng_init(struct mlx5_dev_ctx_shared *sh)
err = mlx5_aso_queue_init(sh, ASO_OPC_MOD_CONNECTION_TRACKING,
MLX5_ASO_CT_SQ_NUM);
if (err) {
mlx5_free(sh->ct_mng);
+ sh->ct_mng = NULL;
/* rte_errno should be extracted from the failure. */
rte_errno = EINVAL;
return -rte_errno;
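Review bot: The only Fixes: tag names the "support flow hit action for aging" commit, but this hunk changes the connection tracking path in mlx5_flow_aso_ct_mng_init(). If that function was introduced by a different commit, add a second Fixes: tag for it so stable backports pick up the sh->ct_mng = NULL line on the right branches. Separately, the context comment "rte_errno should be extracted from the failure" sits next to a hard-coded EINVAL while err from mlx5_aso_queue_init() is discarded; that is outside the scope of this fix but worth a follow-up.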
--
2.51.0