[PATCH] net/mlx5: fix double free in vectorized Rx recovery

Dariusz Sosnowski dsosnowski at nvidia.com
Tue Jun 23 14:50:26 CEST 2026


On Wed, Jun 17, 2026 at 04:43:01PM +0300, Borys Tsyrulnikov wrote:
> During Rx queue error recovery, the vectorized path in
> mlx5_rx_err_handle() reallocates an mbuf for every queue element. When
> rte_mbuf_raw_alloc() fails (for example, the mempool is exhausted), the
> rollback loop frees the mbufs allocated so far, but masks the element
> ring index with "& elts_n" instead of "& (elts_n - 1)".
> 
> elts_n is a power-of-two element count, so "x & elts_n" isolates a
> single bit and can only evaluate to 0 or elts_n, regardless of the loop
> counter. The rollback therefore never frees the mbufs just allocated in
> this pass (they are leaked); instead it repeatedly frees elts[0], a live
> mbuf still posted to the NIC (use-after-free / double free), and
> elts[elts_n], the fake_mbuf padding entry used by the vector datapath.
> 
> Mask with the existing e_mask (elts_n - 1), as already done in the
> matching forward allocation loop just above.
> 
> Fixes: 0f20acbf5eda ("net/mlx5: implement vectorized MPRQ burst")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Borys Tsyrulnikov <tsyrulnikov.borys at gmail.com>

Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
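
A small model of the masking error described in the quoted commit message, added here as an illustration; it is not code from the patch or from the mlx5 driver. The ring size, the failure point, the loop shape and the names `rollback_trace`, `replay_rollback` and `leaked_slots` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELTS_N 8u   /* constructed ring size; must be a power of two */

/* How often each index was passed to "free" during a rollback.
 * Index ELTS_N is the padding entry that sits just past the ring. */
struct rollback_trace {
    unsigned freed[ELTS_N + 1];
};

/* Replay the rollback of `allocated` slots that the forward loop filled
 * starting at ring position `head`, wrapping the index with `mask`. */
static struct rollback_trace
replay_rollback(uint32_t head, uint32_t allocated, uint32_t mask)
{
    struct rollback_trace t;

    memset(&t, 0, sizeof(t));
    for (int64_t i = (int64_t)allocated - 1; i >= 0; --i)
        t.freed[(head + (uint32_t)i) & mask]++;
    return t;
}

/* Slots the forward loop filled that the rollback never released. */
static unsigned
leaked_slots(const struct rollback_trace *t, uint32_t head, uint32_t allocated)
{
    unsigned leaked = 0;

    for (uint32_t i = 0; i < allocated; ++i)
        leaked += (t->freed[(head + i) & (ELTS_N - 1)] == 0);
    return leaked;
}

int main(void)
{
    const uint32_t head = 5, allocated = 6;   /* constructed failure point */
    struct rollback_trace bad = replay_rollback(head, allocated, ELTS_N);
    struct rollback_trace good = replay_rollback(head, allocated, ELTS_N - 1);

    printf("mask elts_n    : elts[0] x%u, elts[elts_n] x%u, leaked %u\n",
           bad.freed[0], bad.freed[ELTS_N], leaked_slots(&bad, head, allocated));
    printf("mask elts_n - 1: elts[0] x%u, elts[elts_n] x%u, leaked %u\n",
           good.freed[0], good.freed[ELTS_N], leaked_slots(&good, head, allocated));
    return 0;
}
```

With the single-bit mask every free lands on index 0 or on the padding index, whatever the loop counter is; with `elts_n - 1` each rolled-back slot is released exactly once.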

