|SUCCESS| net/nfp: fix null dereference in flower ctrl NFD3 Tx

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Wed Jun 3 18:49:58 CEST 2026

Previous message (by thread): |WARNING| pw164877-164891 [PATCH] [v8,20/20] net/sxe2: update sxe2 f
Next message (by thread): compilation|SUCCESS| pw(164904) sid(38323) job(PER_PATCH_BUILD19017)[v3] net/ark: fix null dereference on allocation failure
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/164876

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-06-03

git commit a36634e87e16
Author: Denis Sergeev <denserg.edu at gmail.com>
net/nfp: fix null dereference in flower ctrl NFD3 Tx

In nfp_flower_ctrl_vnic_nfd3_xmit(), when txq is NULL, goto xmit_end
leads to unconditional dereference of txq->qcp_q in nfp_qcp_ptr_add().
The same goto from the "no free descriptors" path incorrectly increments
the hardware write pointer despite no descriptor being written.

Replace both gotos with early return, removing the unused xmit_end label.

> diff --git a/drivers/net/nfp/flower/nfp_flower_ctrl.c b/drivers/net/nfp/flower/nfp_flower_ctrl.c
> index 6ac2caf367..1fa751a106 100644
> --- a/drivers/net/nfp/flower/nfp_flower_ctrl.c
> +++ b/drivers/net/nfp/flower/nfp_flower_ctrl.c

[ ... ]

> @@ -168,7 +168,7 @@ nfp_flower_ctrl_vnic_nfd3_xmit(struct nfp_app_fw_flower *app_fw_flower,
>  		 * enabled. But the queue needs to be configured.
>  		 */
>  		PMD_TX_LOG(ERR, "Ctrl dev TX Bad queue.");
> -		goto xmit_end;
> +		return 0;
>  	}
> 
>  	txds = &txq->txds[txq->wr_p];

[ ... ]

> @@ -183,7 +183,7 @@ nfp_flower_ctrl_vnic_nfd3_xmit(struct nfp_app_fw_flower *app_fw_flower,
>  	free_descs = nfp_net_nfd3_free_tx_desc(txq);
>  	if (unlikely(free_descs == 0)) {
>  		PMD_TX_LOG(ERR, "Ctrl dev no free descs.");
> -		goto xmit_end;
> +		return 0;
>  	}
> 
>  	lmbuf = &txq->txbufs[txq->wr_p].mbuf;

Does the "no free descriptors" case leak the mbuf that was passed into 
this function? Looking at the context, this function appears to accept 
an mbuf parameter (likely via app_fw_flower or through a calling chain). 
When free_descs is 0, does this code return without freeing or enqueueing 
the mbuf?

Similarly for the txq NULL case: if an mbuf was allocated before calling 
nfp_flower_ctrl_vnic_nfd3_xmit(), does returning immediately here leak 
that mbuf?

> @@ -207,7 +207,6 @@ nfp_flower_ctrl_vnic_nfd3_xmit(struct nfp_app_fw_flower *app_fw_flower,
>  	cnt++;
>  	app_fw_flower->ctrl_vnic_tx_count++;
> 
> -xmit_end:
>  	rte_wmb();
>  	nfp_qcp_ptr_add(txq->qcp_q, NFP_QCP_WRITE_PTR, 1);

The removal of the xmit_end label correctly prevents the NULL 
dereference and avoids incorrectly advancing the write pointer on error 
paths. However, the memory barrier and queue pointer operations now only 
execute on the success path. Is this the intended behavior, or should 
error paths have additional cleanup or signaling?

Previous message (by thread): |WARNING| pw164877-164891 [PATCH] [v8,20/20] net/sxe2: update sxe2 f
Next message (by thread): compilation|SUCCESS| pw(164904) sid(38323) job(PER_PATCH_BUILD19017)[v3] net/ark: fix null dereference on allocation failure
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the test-report mailing list