[PATCH] net/mlx5: fix ASan issue in RSS flow creation

Maayan Kashani mkashani at nvidia.com
Tue Aug 5 15:20:57 CEST 2025

Previous message (by thread): [PATCH] This patch validate a connection tracking state when matching 'conntrack is' in rte_flow rules. The conntract possible CT states are SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK and TIME_WAIT. Therefore the maximum possible value to match on in rte_flow is TIME_WAIT but mlx5 allowed matching on any values.
Next message (by thread): [PATCH] net/mlx5: fix connection tracking state item validation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch addresses AddressSanitizer (ASan) stack-use-after-scope
issues occurring during RSS flow creation in the MLX5 driver.
The root cause stemmed from the use of compound literals to
initialize flow action configurations, which could result in
pointers to temporary stack memory being retained in flow structures.
When these pointers were later accessed during flow conversion,
the underlying stack memory was no longer valid,
leading to ASAN-detected errors.

Modifications:
In mlx5_hw_rss_ptype_create_base_flow(),
the struct rte_flow_action_jump is now constructed
at the start of the function, rather than within the do statement.
This ensures a persistent stack allocation for the structure,
preventing use-after-scope situations.

This change eliminates the following ASan errors:
stack-use-after-scope reported in rte_flow_conv_copy

Fixes: ae67e3c43dd5 ("net/mlx5: support RSS expansion in non-template HWS setup")
Cc: stable at dpdk.org

Signed-off-by: Maayan Kashani <mkashani at nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
---
 drivers/net/mlx5/mlx5_nta_rss.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_nta_rss.c b/drivers/net/mlx5/mlx5_nta_rss.c
index 8f005104454..1d2940a370d 100644
--- a/drivers/net/mlx5/mlx5_nta_rss.c
+++ b/drivers/net/mlx5/mlx5_nta_rss.c
@@ -320,6 +320,9 @@ mlx5_hw_rss_ptype_create_base_flow(struct rte_eth_dev *dev,
 	struct rte_flow_hw *flow = NULL;
 	struct rte_flow_action actions[MLX5_HW_MAX_ACTS];
 	enum mlx5_indirect_type indirect_type;
+	const struct rte_flow_action_jump jump_conf = {
+		.group = ptype_group
+	};
 
 	do {
 		switch (orig_actions[i].type) {
@@ -334,9 +337,7 @@ mlx5_hw_rss_ptype_create_base_flow(struct rte_eth_dev *dev,
 			/* Fall through */
 		case RTE_FLOW_ACTION_TYPE_RSS:
 			actions[i].type = RTE_FLOW_ACTION_TYPE_JUMP;
-			actions[i].conf = &(const struct rte_flow_action_jump) {
-				.group = ptype_group
-			};
+			actions[i].conf = &jump_conf;
 			break;
 		default:
 			actions[i] = orig_actions[i];
-- 
2.21.0

Previous message (by thread): [PATCH] This patch validate a connection tracking state when matching 'conntrack is' in rte_flow rules. The conntract possible CT states are SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK and TIME_WAIT. Therefore the maximum possible value to match on in rte_flow is TIME_WAIT but mlx5 allowed matching on any values.
Next message (by thread): [PATCH] net/mlx5: fix connection tracking state item validation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list