patch 'net/ionic: fix mbuf double-free when emptying array' has been queued to stable release 23.11.2

[Xueming Li]

Hi,

FYI, your patch has been queued to stable release 23.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/14/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=c22c079e1c293d0fc1b8273e0ec47d2f0d577e87

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From c22c079e1c293d0fc1b8273e0ec47d2f0d577e87 Mon Sep 17 00:00:00 2001
From: Andrew Boyer <andrew.boyer at amd.com>
Date: Mon, 1 Jul 2024 08:19:43 -0700
Subject: [PATCH] net/ionic: fix mbuf double-free when emptying array
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ]

The bulk-allocation array is used back to front, so we need to free
everything before the marker, not after it. Flip ionic_empty_array()
so that it frees from 0 to the provided index. Adjust the callers
as needed.

Fixes: 218afd825bca ("net/ionic: do bulk allocations of Rx mbufs")

Signed-off-by: Andrew Boyer <andrew.boyer at amd.com>
---
 drivers/net/ionic/ionic_rxtx.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ionic/ionic_rxtx.c b/drivers/net/ionic/ionic_rxtx.c
index 2f1ca986b3..170d3b0802 100644
--- a/drivers/net/ionic/ionic_rxtx.c
+++ b/drivers/net/ionic/ionic_rxtx.c
@@ -26,38 +26,40 @@
 #include "ionic_logs.h"
 
 static void
-ionic_empty_array(void **array, uint32_t cnt, uint16_t idx)
+ionic_empty_array(void **array, uint32_t free_idx, uint32_t zero_idx)
 {
 	uint32_t i;
 
-	for (i = idx; i < cnt; i++)
+	for (i = 0; i < free_idx; i++)
 		if (array[i])
 			rte_pktmbuf_free_seg(array[i]);
 
-	memset(array, 0, sizeof(void *) * cnt);
+	memset(array, 0, sizeof(void *) * zero_idx);
 }
 
 static void __rte_cold
 ionic_tx_empty(struct ionic_tx_qcq *txq)
 {
 	struct ionic_queue *q = &txq->qcq.q;
+	uint32_t info_len = q->num_descs * q->num_segs;
 
-	ionic_empty_array(q->info, q->num_descs * q->num_segs, 0);
+	ionic_empty_array(q->info, info_len, info_len);
 }
 
 static void __rte_cold
 ionic_rx_empty(struct ionic_rx_qcq *rxq)
 {
 	struct ionic_queue *q = &rxq->qcq.q;
+	uint32_t info_len = q->num_descs * q->num_segs;
 
 	/*
 	 * Walk the full info array so that the clean up includes any
 	 * fragments that were left dangling for later reuse
 	 */
-	ionic_empty_array(q->info, q->num_descs * q->num_segs, 0);
+	ionic_empty_array(q->info, info_len, info_len);
 
-	ionic_empty_array((void **)rxq->mbs,
-			IONIC_MBUF_BULK_ALLOC, rxq->mb_idx);
+	ionic_empty_array((void **)rxq->mbs, rxq->mb_idx,
+			IONIC_MBUF_BULK_ALLOC);
 	rxq->mb_idx = 0;
 }
 
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-08-12 20:44:05.453436265 +0800
+++ 0090-net-ionic-fix-mbuf-double-free-when-emptying-array.patch	2024-08-12 20:44:02.355069346 +0800
@@ -1 +1 @@
-From d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 Mon Sep 17 00:00:00 2001
+From c22c079e1c293d0fc1b8273e0ec47d2f0d577e87 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ]
@@ -12 +14,0 @@
-CC: stable at dpdk.org
@@ -20 +22 @@
-index 923f517661..339b20f113 100644
+index 2f1ca986b3..170d3b0802 100644