[PATCH v3 06/11] net/mlx5: fix segfault on counter pool destroy
Maayan Kashani
mkashani at nvidia.com
Mon Jun  3 12:48:45 CEST 2024

If the counter pool was not added to list,
and an error state was reached,
on attempt to destroy the counter pool,
segmentation fault was received during list remove action.
Added a check to verify the list is not empty before trying to
remove the cpool from the list.
Invalid state, leading to segfault,
can also be reached in the following scenario:
1. mlx5_hws_cnt_pool_init() does a zmalloc and initializes most
   of the fields of cpool, but does not initialize the next field.
2. mlx5_hws_cnt_pool_dcs_alloc() attempts to bulk allocate flow counters.
   If this fails, we skip straight to 4.
   In HW, this can fail simply if FW doesn't support bulk flow
   counter allocation.
3. Right before the goto error, we insert the cpool to the hws_cpool_list.
   This is where the next field is initialized.
4. mlx5_hws_cnt_pool_destroy() assumes the cpool's next field
   is initialized and SEGVs if not.
So, added a guard against cases where the entry was uninitialized
(checking le_prev field is not NULL).
Fixes: 6ac2104ac125 ("net/mlx5: fix counter query during port close")
Cc: stable at dpdk.org
Signed-off-by: Maayan Kashani <mkashani at nvidia.com>
---
 drivers/net/mlx5/mlx5_hws_cnt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/mlx5/mlx5_hws_cnt.c b/drivers/net/mlx5/mlx5_hws_cnt.c
index 36d422bdfa..a46a4bd94e 100644
--- a/drivers/net/mlx5/mlx5_hws_cnt.c
+++ b/drivers/net/mlx5/mlx5_hws_cnt.c
@@ -718,7 +718,9 @@ mlx5_hws_cnt_pool_destroy(struct mlx5_dev_ctx_shared *sh,
 	 * Maybe blocked for at most 200ms here.
 	 */
 	rte_spinlock_lock(&sh->cpool_lock);
-	LIST_REMOVE(cpool, next);
+	/* Try to remove cpool before it was added to list caused segfault. */
+	if (!LIST_EMPTY(&sh->hws_cpool_list) && cpool->next.le_prev)
+		LIST_REMOVE(cpool, next);
 	rte_spinlock_unlock(&sh->cpool_lock);
 	if (cpool->cfg.host_cpool == NULL) {
 		if (--sh->cnt_svc->refcnt == 0)
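Review bot: In the new condition guarding LIST_REMOVE(cpool, next), the !LIST_EMPTY(&sh->hws_cpool_list) term looks redundant. A cpool that was never inserted has next.le_prev == NULL (the commit message says mlx5_hws_cnt_pool_init() zmallocs it and leaves the next field untouched), and a cpool that was inserted implies a non-empty list, so cpool->next.le_prev alone decides both cases. Consider dropping the LIST_EMPTY term, or say in the comment which case it covers that the le_prev test does not. The guard also depends on the pool being zero-initialised at allocation, which is not visible at this site; the added comment would be more useful if it stated that invariant, for example "cpool may not have been inserted into hws_cpool_list; next.le_prev is NULL in that case", rather than describing the old crash.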
-- 
2.25.1