net/ice: fix hash flow crash

Commit 'dc36bd5dfdeb' mistakenly initializes ret as -rte_errno, then
return ret if ice_search_pattern_match_item fails, if rte_errno happens
to be 0 in this case, it would cause an unrecognized flow rule to be
marked as recognition success. Later, when the code tries to parse the
flow rule, a segmentation fault will occur due to null pointer
reference.

Fixes: dc36bd5dfdeb ("net/ice: fix flow FDIR/switch memory leak")
Cc: stable@dpdk.org
Signed-off-by: Tao Zhu <taox.zhu@intel.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>

diff --git a/drivers/net/ice/ice_hash.c b/drivers/net/ice/ice_hash.c
index d891538..0e9c3c4 100644 (file)
--- a/drivers/net/ice/ice_hash.c
+++ b/drivers/net/ice/ice_hash.c
@@ -409,7 +409,7 @@ ice_hash_parse_pattern_action(__rte_unused struct ice_adapter *ad,
                        void **meta,
                        struct rte_flow_error *error)
 {
-       int ret = -rte_errno;
+       int ret = 0;
        struct ice_pattern_match_item *pattern_match_item;
        struct rss_meta *rss_meta_ptr;
 
@@ -424,8 +424,10 @@ ice_hash_parse_pattern_action(__rte_unused struct ice_adapter *ad,
        /* Check rss supported pattern and find matched pattern. */
        pattern_match_item = ice_search_pattern_match_item(pattern,
                                        array, array_len, error);
-       if (!pattern_match_item)
+       if (!pattern_match_item) {
+               ret = -rte_errno;
                goto error;
+       }
 
        ret = ice_hash_check_inset(pattern, error);
        if (ret)