[RFT 3/4] net/mlx5: fix use-after-free in ASO management init

Stephen Hemminger stephen at networkplumber.org
Tue Feb 17 16:05:01 CET 2026


mlx5_flow_aso_age_mng_init() and mlx5_flow_aso_ct_mng_init() each
allocate a management structure, then call mlx5_aso_queue_init().
If the queue init fails, the structure is freed but the pointer in
the shared context (sh->aso_age_mng / sh->ct_mng) is not set to
NULL.

A subsequent call to the same init function sees the non-NULL
pointer, skips re-allocation, and returns success, leaving the
caller operating on freed memory.

Set the pointer to NULL after freeing in both error paths.

Fixes: f935ed4b645a ("net/mlx5: support flow hit action for aging")
Cc: stable at dpdk.org

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
---
 drivers/net/mlx5/mlx5.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/mlx5/mlx5.c b/drivers/net/mlx5/mlx5.c
index d533ce41e1..71383f2ac7 100644
--- a/drivers/net/mlx5/mlx5.c
+++ b/drivers/net/mlx5/mlx5.c
@@ -459,6 +459,7 @@ mlx5_flow_aso_age_mng_init(struct mlx5_dev_ctx_shared *sh)
 	err = mlx5_aso_queue_init(sh, ASO_OPC_MOD_FLOW_HIT, 1);
 	if (err) {
 		mlx5_free(sh->aso_age_mng);
+		sh->aso_age_mng = NULL;
 		return -1;
 	}
 	rte_rwlock_init(&sh->aso_age_mng->resize_rwl);
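Review bot: the error path here still does `return -1;` without touching rte_errno after the new `sh->aso_age_mng = NULL;`, whereas the matching ct path in the next hunk sets `rte_errno = EINVAL;` and returns `-rte_errno`, so a caller that reports `-rte_errno` sees whatever stale value was left behind on the aging path. The minimal NULL assignment is the right scope for a stable backport, but a follow-up could propagate `err` from mlx5_aso_queue_init() (or at least set rte_errno) so both init functions fail the same way.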
@@ -823,6 +824,7 @@ mlx5_flow_aso_ct_mng_init(struct mlx5_dev_ctx_shared *sh)
 	err = mlx5_aso_queue_init(sh, ASO_OPC_MOD_CONNECTION_TRACKING, MLX5_ASO_CT_SQ_NUM);
 	if (err) {
 		mlx5_free(sh->ct_mng);
+		sh->ct_mng = NULL;
 		/* rte_errno should be extracted from the failure. */
 		rte_errno = EINVAL;
 		return -rte_errno;
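Review bot: the comment `/* rte_errno should be extracted from the failure. */` above `rte_errno = EINVAL;` remains an open TODO: `err` from mlx5_aso_queue_init() is discarded in favour of a hardcoded EINVAL right after the new `sh->ct_mng = NULL;`. Not a blocker for this fix, but worth resolving in a follow-up rather than carrying the comment forward. Separately, the Fixes tag names only the flow-hit aging commit while this hunk repairs the connection-tracking init path; if ct_mng was introduced under a different commit, a second Fixes tag would let stable pick up both halves together.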
-- 
2.51.0
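To make the failure mode described in the commit message concrete, here is an added, self-contained C example that is not DPDK or mlx5 code: a toy shared context whose init function allocates a management structure, calls a simulated queue init that fails on the first attempt, and then either leaves the freed pointer in place (the buggy version) or clears it (the fixed version). All names (toy_shared_ctx, toy_mng_init_buggy, toy_mng_init_fixed, second_call_uses_freed_memory) are assumptions for illustration. The harness reports whether a retried init claims success without re-allocating, which is exactly the condition under which the caller would go on to use freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for the shared context and management structure.
 * These are assumed names for the example, not mlx5 definitions. */
struct toy_mng { int queues; };
struct toy_shared_ctx {
    struct toy_mng *mng;   /* plays the role of sh->aso_age_mng / sh->ct_mng */
    int allocs;            /* bookkeeping so the harness can see re-allocation */
    int frees;
};

/* Simulated queue init; the caller decides whether it fails so the
 * dangling-pointer condition can be produced deterministically. */
static int toy_queue_init(struct toy_shared_ctx *sh, int fail)
{
    (void)sh;
    return fail ? -1 : 0;
}

/* 'Before' state: frees the structure on error but leaves sh->mng dangling.
 * The early-return check then reads the stale pointer on the next call. */
static int toy_mng_init_buggy(struct toy_shared_ctx *sh, int fail)
{
    if (sh->mng)
        return 0;          /* after a failed attempt this is a freed address */
    sh->mng = calloc(1, sizeof(*sh->mng));
    if (!sh->mng)
        return -1;
    sh->allocs++;
    if (toy_queue_init(sh, fail)) {
        free(sh->mng);
        sh->frees++;
        return -1;         /* BUG: sh->mng still holds the freed address */
    }
    sh->mng->queues = 1;
    return 0;
}

/* 'After' state: identical except the pointer is cleared after the free. */
static int toy_mng_init_fixed(struct toy_shared_ctx *sh, int fail)
{
    if (sh->mng)
        return 0;
    sh->mng = calloc(1, sizeof(*sh->mng));
    if (!sh->mng)
        return -1;
    sh->allocs++;
    if (toy_queue_init(sh, fail)) {
        free(sh->mng);
        sh->mng = NULL;    /* the fix: no dangling pointer survives the error */
        sh->frees++;
        return -1;
    }
    sh->mng->queues = 1;
    return 0;
}

/* Call init twice: first with the queue init failing, then with it succeeding.
 * Returns 1 if the second call reports success without allocating again,
 * i.e. the caller would proceed on freed memory; 0 otherwise. */
static int second_call_uses_freed_memory(int (*init)(struct toy_shared_ctx *, int))
{
    struct toy_shared_ctx sh;
    int rc, uaf;

    memset(&sh, 0, sizeof(sh));
    (void)init(&sh, 1);            /* first attempt: queue init fails */
    rc = init(&sh, 0);             /* retry: queue init would succeed */
    uaf = (rc == 0 && sh.allocs == 1);
    if (!uaf && sh.mng) {          /* only release memory we know is live */
        free(sh.mng);
        sh.mng = NULL;
    }
    return uaf;
}

int main(void)
{
    printf("buggy init: retry proceeds on freed memory? %s\n",
           second_call_uses_freed_memory(toy_mng_init_buggy) ? "yes" : "no");
    printf("fixed init: retry proceeds on freed memory? %s\n",
           second_call_uses_freed_memory(toy_mng_init_fixed) ? "yes" : "no");
    return 0;
}
```

The buggy variant deliberately reads the stale pointer in its early-return check, so building it with AddressSanitizer and a real dereference on the retry path is the quickest way to turn this class of bug into a crash rather than silent corruption.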
