From da718c1919bd49faa83ded38b0549500c7e77f91 Mon Sep 17 00:00:00 2001
From: Nithin Dabilpuram <ndabilpuram@marvell.com>
Date: Fri, 21 Jan 2022 17:34:20 +0530
Subject: [PATCH] common/cnxk: fix null pointer dereferences

Fix null pointer dereference issues reported by
klockwork(static analysis tool).

Fixes: c045d2e5cbbc ("common/cnxk: add CPT configuration")
Fixes: 585bb3e538f9 ("common/cnxk: add VF support to base device class")
Fixes: 665ff1ccc2c4 ("common/cnxk: add base device class")
Fixes: da57d4589a6f ("common/cnxk: support NIX flow control")
Fixes: 218d022e1f3f ("common/cnxk: support NIX stats")
Fixes: 4efa6e82fe43 ("common/cnxk: support NIX extended stats")
Fixes: 0885429c3028 ("common/cnxk: add NIX TM hierarchy enable/disable")
Cc: stable@dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
---
 drivers/common/cnxk/roc_cpt.c       |  3 ++
 drivers/common/cnxk/roc_dev.c       | 19 +++++++++
 drivers/common/cnxk/roc_nix_debug.c |  6 +++
 drivers/common/cnxk/roc_nix_fc.c    | 12 ++++++
 drivers/common/cnxk/roc_nix_queue.c | 61 +++++++++++++++++++++++++++--
 drivers/common/cnxk/roc_nix_stats.c | 18 +++++++++
 drivers/common/cnxk/roc_nix_tm.c    |  6 +++
 7 files changed, 121 insertions(+), 4 deletions(-)

diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c
index 1bc7a29ef9..3f3d28196b 100644
--- a/drivers/common/cnxk/roc_cpt.c
+++ b/drivers/common/cnxk/roc_cpt.c
@@ -385,6 +385,9 @@ cpt_lfs_alloc(struct dev *dev, uint8_t eng_grpmsk, uint8_t blkaddr,
 		return -EINVAL;
 
 	req = mbox_alloc_msg_cpt_lf_alloc(mbox);
+	if (!req)
+		return -ENOSPC;
+
 	req->nix_pf_func = 0;
 	if (inl_dev_sso && nix_inl_dev_pffunc_get())
 		req->sso_pf_func = nix_inl_dev_pffunc_get();
diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 926a916e44..0ac50cab59 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -152,6 +152,11 @@ af_pf_wait_msg(struct dev *dev, uint16_t vf, int num_msg)
 		/* Reserve PF/VF mbox message */
 		size = PLT_ALIGN(size, MBOX_MSG_ALIGN);
 		rsp = mbox_alloc_msg(&dev->mbox_vfpf, vf, size);
+		if (!rsp) {
+			plt_err("Failed to reserve VF%d message", vf);
+			continue;
+		}
+
 		mbox_rsp_init(msg->id, rsp);
 
 		/* Copy message from AF<->PF mbox to PF<->VF mbox */
@@ -236,6 +241,12 @@ vf_pf_process_msgs(struct dev *dev, uint16_t vf)
 				BIT_ULL(vf % max_bits);
 			rsp = (struct ready_msg_rsp *)mbox_alloc_msg(
 				mbox, vf, sizeof(*rsp));
+			if (!rsp) {
+				plt_err("Failed to alloc VF%d READY message",
+					vf);
+				continue;
+			}
+
 			mbox_rsp_init(msg->id, rsp);
 
 			/* PF/VF function ID */
@@ -988,6 +999,9 @@ dev_setup_shared_lmt_region(struct mbox *mbox, bool valid_iova, uint64_t iova)
 	struct lmtst_tbl_setup_req *req;
 
 	req = mbox_alloc_msg_lmtst_tbl_setup(mbox);
+	if (!req)
+		return -ENOSPC;
+
 	/* This pcifunc is defined with primary pcifunc whose LMT address
 	 * will be shared. If call contains valid IOVA, following pcifunc
 	 * field is of no use.
@@ -1061,6 +1075,11 @@ dev_lmt_setup(struct dev *dev)
 	 */
 	if (!dev->disable_shared_lmt) {
 		idev = idev_get_cfg();
+		if (!idev) {
+			errno = EFAULT;
+			goto free;
+		}
+
 		if (!__atomic_load_n(&idev->lmt_pf_func, __ATOMIC_ACQUIRE)) {
 			idev->lmt_base_addr = dev->lmt_base;
 			idev->lmt_pf_func = dev->pf_func;
diff --git a/drivers/common/cnxk/roc_nix_debug.c b/drivers/common/cnxk/roc_nix_debug.c
index 5886650d6e..583e2e43c8 100644
--- a/drivers/common/cnxk/roc_nix_debug.c
+++ b/drivers/common/cnxk/roc_nix_debug.c
@@ -323,6 +323,9 @@ nix_q_ctx_get(struct dev *dev, uint8_t ctype, uint16_t qid, __io void **ctx_p)
 		int rc;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = ctype;
 		aq->op = NIX_AQ_INSTOP_READ;
@@ -341,6 +344,9 @@ nix_q_ctx_get(struct dev *dev, uint8_t ctype, uint16_t qid, __io void **ctx_p)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = ctype;
 		aq->op = NIX_AQ_INSTOP_READ;
diff --git a/drivers/common/cnxk/roc_nix_fc.c b/drivers/common/cnxk/roc_nix_fc.c
index ca29cd2bf9..d31137188e 100644
--- a/drivers/common/cnxk/roc_nix_fc.c
+++ b/drivers/common/cnxk/roc_nix_fc.c
@@ -113,6 +113,9 @@ nix_fc_cq_config_get(struct roc_nix *roc_nix, struct roc_nix_fc_cfg *fc_cfg)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = fc_cfg->cq_cfg.rq;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_READ;
@@ -120,6 +123,9 @@ nix_fc_cq_config_get(struct roc_nix *roc_nix, struct roc_nix_fc_cfg *fc_cfg)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = fc_cfg->cq_cfg.rq;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_READ;
@@ -147,6 +153,9 @@ nix_fc_cq_config_set(struct roc_nix *roc_nix, struct roc_nix_fc_cfg *fc_cfg)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = fc_cfg->cq_cfg.rq;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -164,6 +173,9 @@ nix_fc_cq_config_set(struct roc_nix *roc_nix, struct roc_nix_fc_cfg *fc_cfg)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = fc_cfg->cq_cfg.rq;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
diff --git a/drivers/common/cnxk/roc_nix_queue.c b/drivers/common/cnxk/roc_nix_queue.c
index e8b42ed6be..a283d96a01 100644
--- a/drivers/common/cnxk/roc_nix_queue.c
+++ b/drivers/common/cnxk/roc_nix_queue.c
@@ -54,6 +54,9 @@ nix_rq_ena_dis(struct dev *dev, struct roc_nix_rq *rq, bool enable)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = rq->qid;
 		aq->ctype = NIX_AQ_CTYPE_RQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -64,6 +67,9 @@ nix_rq_ena_dis(struct dev *dev, struct roc_nix_rq *rq, bool enable)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = rq->qid;
 		aq->ctype = NIX_AQ_CTYPE_RQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -95,6 +101,9 @@ nix_rq_cn9k_cfg(struct dev *dev, struct roc_nix_rq *rq, uint16_t qints,
 	struct nix_aq_enq_req *aq;
 
 	aq = mbox_alloc_msg_nix_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = rq->qid;
 	aq->ctype = NIX_AQ_CTYPE_RQ;
 	aq->op = cfg ? NIX_AQ_INSTOP_WRITE : NIX_AQ_INSTOP_INIT;
@@ -210,6 +219,9 @@ nix_rq_cfg(struct dev *dev, struct roc_nix_rq *rq, uint16_t qints, bool cfg,
 	struct mbox *mbox = dev->mbox;
 
 	aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = rq->qid;
 	aq->ctype = NIX_AQ_CTYPE_RQ;
 	aq->op = cfg ? NIX_AQ_INSTOP_WRITE : NIX_AQ_INSTOP_INIT;
@@ -478,6 +490,9 @@ roc_nix_cq_init(struct roc_nix *roc_nix, struct roc_nix_cq *cq)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = cq->qid;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_INIT;
@@ -486,6 +501,9 @@ roc_nix_cq_init(struct roc_nix *roc_nix, struct roc_nix_cq *cq)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = cq->qid;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_INIT;
@@ -562,6 +580,9 @@ roc_nix_cq_fini(struct roc_nix_cq *cq)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = cq->qid;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -573,6 +594,9 @@ roc_nix_cq_fini(struct roc_nix_cq *cq)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = cq->qid;
 		aq->ctype = NIX_AQ_CTYPE_CQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -674,7 +698,7 @@ fail:
 	return rc;
 }
 
-static void
+static int
 sq_cn9k_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	     uint16_t smq)
 {
@@ -682,6 +706,9 @@ sq_cn9k_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	struct nix_aq_enq_req *aq;
 
 	aq = mbox_alloc_msg_nix_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_INIT;
@@ -710,6 +737,7 @@ sq_cn9k_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	 * might result in software missing the interrupt.
 	 */
 	aq->sq.qint_idx = 0;
+	return 0;
 }
 
 static int
@@ -723,6 +751,9 @@ sq_cn9k_fini(struct nix *nix, struct roc_nix_sq *sq)
 	int rc, count;
 
 	aq = mbox_alloc_msg_nix_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_READ;
@@ -736,6 +767,9 @@ sq_cn9k_fini(struct nix *nix, struct roc_nix_sq *sq)
 
 	/* Disable sq */
 	aq = mbox_alloc_msg_nix_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_WRITE;
@@ -747,6 +781,9 @@ sq_cn9k_fini(struct nix *nix, struct roc_nix_sq *sq)
 
 	/* Read SQ and free sqb's */
 	aq = mbox_alloc_msg_nix_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_READ;
@@ -778,7 +815,7 @@ sq_cn9k_fini(struct nix *nix, struct roc_nix_sq *sq)
 	return 0;
 }
 
-static void
+static int
 sq_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	uint16_t smq)
 {
@@ -786,6 +823,9 @@ sq_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	struct nix_cn10k_aq_enq_req *aq;
 
 	aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_INIT;
@@ -813,6 +853,7 @@ sq_init(struct nix *nix, struct roc_nix_sq *sq, uint32_t rr_quantum,
 	 * might result in software missing the interrupt.
 	 */
 	aq->sq.qint_idx = 0;
+	return 0;
 }
 
 static int
@@ -826,6 +867,9 @@ sq_fini(struct nix *nix, struct roc_nix_sq *sq)
 	int rc, count;
 
 	aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_READ;
@@ -839,6 +883,9 @@ sq_fini(struct nix *nix, struct roc_nix_sq *sq)
 
 	/* Disable sq */
 	aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_WRITE;
@@ -850,6 +897,9 @@ sq_fini(struct nix *nix, struct roc_nix_sq *sq)
 
 	/* Read SQ and free sqb's */
 	aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+	if (!aq)
+		return -ENOSPC;
+
 	aq->qidx = sq->qid;
 	aq->ctype = NIX_AQ_CTYPE_SQ;
 	aq->op = NIX_AQ_INSTOP_READ;
@@ -920,9 +970,12 @@ roc_nix_sq_init(struct roc_nix *roc_nix, struct roc_nix_sq *sq)
 
 	/* Init SQ context */
 	if (roc_model_is_cn9k())
-		sq_cn9k_init(nix, sq, rr_quantum, smq);
+		rc = sq_cn9k_init(nix, sq, rr_quantum, smq);
 	else
-		sq_init(nix, sq, rr_quantum, smq);
+		rc = sq_init(nix, sq, rr_quantum, smq);
+
+	if (rc)
+		goto nomem;
 
 	rc = mbox_process(mbox);
 	if (rc)
diff --git a/drivers/common/cnxk/roc_nix_stats.c b/drivers/common/cnxk/roc_nix_stats.c
index c50c8fa629..756111fb1c 100644
--- a/drivers/common/cnxk/roc_nix_stats.c
+++ b/drivers/common/cnxk/roc_nix_stats.c
@@ -124,6 +124,9 @@ nix_stat_rx_queue_reset(struct nix *nix, uint16_t qid)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_RQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -143,6 +146,9 @@ nix_stat_rx_queue_reset(struct nix *nix, uint16_t qid)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_RQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -174,6 +180,9 @@ nix_stat_tx_queue_reset(struct nix *nix, uint16_t qid)
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_SQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -190,6 +199,9 @@ nix_stat_tx_queue_reset(struct nix *nix, uint16_t qid)
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_SQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -295,6 +307,9 @@ roc_nix_xstats_get(struct roc_nix *roc_nix, struct roc_nix_xstat *xstats,
 
 	if (roc_model_is_cn9k()) {
 		req = mbox_alloc_msg_cgx_stats(mbox);
+		if (!req)
+			return -ENOSPC;
+
 		req->hdr.pcifunc = roc_nix_get_pf_func(roc_nix);
 
 		rc = mbox_process_msg(mbox, (void *)&cgx_resp);
@@ -316,6 +331,9 @@ roc_nix_xstats_get(struct roc_nix *roc_nix, struct roc_nix_xstat *xstats,
 		}
 	} else {
 		req = mbox_alloc_msg_rpm_stats(mbox);
+		if (!req)
+			return -ENOSPC;
+
 		req->hdr.pcifunc = roc_nix_get_pf_func(roc_nix);
 
 		rc = mbox_process_msg(mbox, (void *)&rpm_resp);
diff --git a/drivers/common/cnxk/roc_nix_tm.c b/drivers/common/cnxk/roc_nix_tm.c
index fe9e83fe1e..3b38cc087b 100644
--- a/drivers/common/cnxk/roc_nix_tm.c
+++ b/drivers/common/cnxk/roc_nix_tm.c
@@ -766,6 +766,9 @@ nix_tm_sq_sched_conf(struct nix *nix, struct nix_tm_node *node,
 		struct nix_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_SQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
@@ -781,6 +784,9 @@ nix_tm_sq_sched_conf(struct nix *nix, struct nix_tm_node *node,
 		struct nix_cn10k_aq_enq_req *aq;
 
 		aq = mbox_alloc_msg_nix_cn10k_aq_enq(mbox);
+		if (!aq)
+			return -ENOSPC;
+
 		aq->qidx = qid;
 		aq->ctype = NIX_AQ_CTYPE_SQ;
 		aq->op = NIX_AQ_INSTOP_WRITE;
-- 
2.20.1