|WARNING| net/mlx5: fix double free in vectorized Rx recovery
dpdklab at iol.unh.edu
dpdklab at iol.unh.edu
Wed Jun 17 16:22:27 CEST 2026
Test-Label: ai-code-review
Test-Status: WARNING
https://dpdk.org/patch/165609
_AI Code Review_
=== Patch Review: series.patch (via Claude) ===
Review date: 2026-06-17
# DPDK Patch Review
## Summary
This patch fixes a critical double-free bug in the mlx5 driver's vectorized Rx error recovery path. The bug is real and the fix is correct.
---
## Errors
**1. Correctness: Double-free / use-after-free bug (FIXED BY THIS PATCH)**
The original code uses `& elts_n` instead of `& (elts_n - 1)` in the rollback loop.
Since `elts_n` is a power-of-two element count, `x & elts_n` can only produce 0 or `elts_n`,
meaning the rollback loop repeatedly frees the same two elements (elts[0] and elts[elts_n])
instead of freeing the mbufs just allocated.
Impact:
- Newly allocated mbufs are leaked (never freed)
- elts[0], a live mbuf still posted to the NIC, is freed multiple times (use-after-free)
- elts[elts_n], the fake_mbuf padding entry, is also freed (corrupting vector datapath state)
The patch correctly changes the mask to `e_mask` (which equals `elts_n - 1`)
to match the forward allocation loop above it.
**This is a valid correctness fix.**
---
## Warnings
None.
---
## Info
**1. Code context analysis**
The forward allocation loop (lines just above the rollback) already uses:
```c
elt_idx = (elts_ci + i) & e_mask;
```
The rollback loop was inconsistent with this pattern by using `& elts_n`.
The patch makes the rollback loop match the forward loop, which is the correct approach.
**2. Error handling pattern**
The error path is triggered when `rte_mbuf_raw_alloc()` returns NULL (mempool exhausted).
The rollback correctly iterates backward through the just-allocated mbufs
(now that the mask is fixed) and frees them with `rte_pktmbuf_free_seg()`.
**3. `.mailmap` update**
The addition of the author to `.mailmap` is appropriate for a first-time contributor.
---
## Conclusion
**This patch correctly fixes a real double-free/use-after-free bug.**
The original code was fundamentally broken:
- Used wrong bitmask in error rollback (`& elts_n` instead of `& (elts_n - 1)`)
- This caused it to free the wrong mbufs (live NIC buffers and padding entry)
- And leak the mbufs it just allocated
The fix is minimal, correct, and matches the existing pattern in the forward allocation loop.
**Recommendation: Accept this patch.**
The `Fixes:` tag and `Cc: stable at dpdk.org` are appropriate given this is a correctness bug
in error-handling code dating back to the original vectorized MPRQ implementation.
More information about the test-report
mailing list