[RFT 3/4] net/mlx5: fix use-after-free in ASO management init

Dariusz Sosnowski dsosnowski at nvidia.com
Thu Feb 26 10:57:34 CET 2026

Previous message (by thread): [RFT 3/4] net/mlx5: fix use-after-free in ASO management init
Next message (by thread): [RFT 4/4] net/mlx5: fix counter truncation in queue counter read
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 17, 2026 at 07:05:01AM -0800, Stephen Hemminger wrote:
> mlx5_flow_aso_age_mng_init() and mlx5_flow_aso_ct_mng_init() each
> allocate a management structure, then call mlx5_aso_queue_init().
> If the queue init fails, the structure is freed but the pointer in
> the shared context (sh->aso_age_mng / sh->ct_mng) is not set to
> NULL.
> 
> A subsequent call to the same init function sees the non-NULL
> pointer, skips re-allocation, and returns success, leaving the
> caller operating on freed memory.
> 
> Set the pointer to NULL after freeing in both error paths.
> 
> Fixes: f935ed4b645a ("net/mlx5: support flow hit action for aging")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>

Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>

Previous message (by thread): [RFT 3/4] net/mlx5: fix use-after-free in ASO management init
Next message (by thread): [RFT 4/4] net/mlx5: fix counter truncation in queue counter read
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list