[PATCH] net/mlx5: fix double free in vectorized Rx recovery

Borys Tsyrulnikov tsyrulnikov.borys at gmail.com
Wed Jun 17 15:43:01 CEST 2026

Previous message (by thread): [PATCH v3 4/4] net/txgbe: add VF support for Amber-Lite 40G NIC
Next message (by thread): [PATCH] net/mlx5: fix double free in vectorized Rx recovery
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

During Rx queue error recovery, the vectorized path in
mlx5_rx_err_handle() reallocates an mbuf for every queue element. When
rte_mbuf_raw_alloc() fails (for example, the mempool is exhausted), the
rollback loop frees the mbufs allocated so far, but masks the element
ring index with "& elts_n" instead of "& (elts_n - 1)".

elts_n is a power-of-two element count, so "x & elts_n" isolates a
single bit and can only evaluate to 0 or elts_n, regardless of the loop
counter. The rollback therefore never frees the mbufs just allocated in
this pass (they are leaked); instead it repeatedly frees elts[0], a live
mbuf still posted to the NIC (use-after-free / double free), and
elts[elts_n], the fake_mbuf padding entry used by the vector datapath.

Mask with the existing e_mask (elts_n - 1), as already done in the
matching forward allocation loop just above.

Fixes: 0f20acbf5eda ("net/mlx5: implement vectorized MPRQ burst")
Cc: stable at dpdk.org

Signed-off-by: Borys Tsyrulnikov <tsyrulnikov.borys at gmail.com>
---
 .mailmap                   | 1 +
 drivers/net/mlx5/mlx5_rx.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.mailmap b/.mailmap
index 4001e5fb0e..0b09243c45 100644
--- a/.mailmap
+++ b/.mailmap
@@ -222,6 +222,7 @@ Boleslav Stankevich <boleslav.stankevich at oktetlabs.ru>
 Boon Ang <boon.ang at broadcom.com> <bang at vmware.com>
 Boris Ouretskey <borisusun at gmail.com>
 Boris Pismenny <borisp at mellanox.com>
+Borys Tsyrulnikov <tsyrulnikov.borys at gmail.com>
 Brad Larson <bradley.larson at amd.com>
 Brandon Lo <blo at iol.unh.edu>
 Brendan Ryan <brendan.ryan at intel.com>
diff --git a/drivers/net/mlx5/mlx5_rx.c b/drivers/net/mlx5/mlx5_rx.c
index ce50087b70..c0ad8d6701 100644
--- a/drivers/net/mlx5/mlx5_rx.c
+++ b/drivers/net/mlx5/mlx5_rx.c
@@ -662,7 +662,7 @@ mlx5_rx_err_handle(struct mlx5_rxq_data *rxq, uint8_t vec,
 					if (!*elt) {
 						for (i--; i >= 0; --i) {
 							elt_idx = (elts_ci +
-								   i) & elts_n;
+								   i) & e_mask;
 							elt = &(*rxq->elts)
 								[elt_idx];
 							rte_pktmbuf_free_seg
-- 
2.34.1

Previous message (by thread): [PATCH v3 4/4] net/txgbe: add VF support for Amber-Lite 40G NIC
Next message (by thread): [PATCH] net/mlx5: fix double free in vectorized Rx recovery
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list