patch 'net/ionic: fix mbuf double-free when emptying array' has been queued to stable release 22.11.6

[luca.boccassi at gmail.com]

Hi,

FYI, your patch has been queued to stable release 22.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/17/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/047aff2cf1715705748e3cc4b20b28e61340393a

Thanks.

Luca Boccassi

---
>From 047aff2cf1715705748e3cc4b20b28e61340393a Mon Sep 17 00:00:00 2001
From: Andrew Boyer <andrew.boyer at amd.com>
Date: Mon, 1 Jul 2024 08:19:43 -0700
Subject: [PATCH] net/ionic: fix mbuf double-free when emptying array

[ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ]

The bulk-allocation array is used back to front, so we need to free
everything before the marker, not after it. Flip ionic_empty_array()
so that it frees from 0 to the provided index. Adjust the callers
as needed.

Fixes: 218afd825bca ("net/ionic: do bulk allocations of Rx mbufs")

Signed-off-by: Andrew Boyer <andrew.boyer at amd.com>
---
 drivers/net/ionic/ionic_rxtx.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ionic/ionic_rxtx.c b/drivers/net/ionic/ionic_rxtx.c
index 2f1ca986b3..170d3b0802 100644
--- a/drivers/net/ionic/ionic_rxtx.c
+++ b/drivers/net/ionic/ionic_rxtx.c
@@ -26,38 +26,40 @@
 #include "ionic_logs.h"
 
 static void
-ionic_empty_array(void **array, uint32_t cnt, uint16_t idx)
+ionic_empty_array(void **array, uint32_t free_idx, uint32_t zero_idx)
 {
 	uint32_t i;
 
-	for (i = idx; i < cnt; i++)
+	for (i = 0; i < free_idx; i++)
 		if (array[i])
 			rte_pktmbuf_free_seg(array[i]);
 
-	memset(array, 0, sizeof(void *) * cnt);
+	memset(array, 0, sizeof(void *) * zero_idx);
 }
 
 static void __rte_cold
 ionic_tx_empty(struct ionic_tx_qcq *txq)
 {
 	struct ionic_queue *q = &txq->qcq.q;
+	uint32_t info_len = q->num_descs * q->num_segs;
 
-	ionic_empty_array(q->info, q->num_descs * q->num_segs, 0);
+	ionic_empty_array(q->info, info_len, info_len);
 }
 
 static void __rte_cold
 ionic_rx_empty(struct ionic_rx_qcq *rxq)
 {
 	struct ionic_queue *q = &rxq->qcq.q;
+	uint32_t info_len = q->num_descs * q->num_segs;
 
 	/*
 	 * Walk the full info array so that the clean up includes any
 	 * fragments that were left dangling for later reuse
 	 */
-	ionic_empty_array(q->info, q->num_descs * q->num_segs, 0);
+	ionic_empty_array(q->info, info_len, info_len);
 
-	ionic_empty_array((void **)rxq->mbs,
-			IONIC_MBUF_BULK_ALLOC, rxq->mb_idx);
+	ionic_empty_array((void **)rxq->mbs, rxq->mb_idx,
+			IONIC_MBUF_BULK_ALLOC);
 	rxq->mb_idx = 0;
 }
 
-- 
2.39.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-07-15 16:19:38.482283536 +0100
+++ 0078-net-ionic-fix-mbuf-double-free-when-emptying-array.patch	2024-07-15 16:19:34.720209709 +0100
@@ -1 +1 @@
-From d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 Mon Sep 17 00:00:00 2001
+From 047aff2cf1715705748e3cc4b20b28e61340393a Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit d46b9fa83f136beb0e6feedd0a7b3a228b0d8cd3 ]
+
@@ -12 +13,0 @@
-CC: stable at dpdk.org
@@ -20 +21 @@
-index 923f517661..339b20f113 100644
+index 2f1ca986b3..170d3b0802 100644