[PATCH 24.11] net/mlx5: fix crash if malloc FCQS fails

Yunjian Wang wangyunjian at huawei.com
Thu Jun 11 16:38:41 CEST 2026

Previous message (by thread): [PATCH v2 22/22] common/cnxk: fix TM link config selection in debug dump
Next message (by thread): [PATCH 2/9] eal/interrupts: keep real errno on epoll error
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A crash is triggered when memory malloc for FCQS fails. Currently,
the abnormal branch releases the txq, and it removes the 'txq_ctrl->obj'
from the linked list, but the 'txq_ctrl->obj' has not actually been
added to the linked list yet. This triggers a null pointer reference
issue.

The call stack is as follows:
Program terminated with signal 11, Segmentation fault.
1210			LIST_REMOVE(txq_ctrl->obj, next);
(gdb) bt
 #0 mlx5_txq_release
 #1 mlx5_txq_start
 #2 mlx5_dev_start
 #3 rte_eth_dev_start
 #4 member_start
 #5 bond_ethdev_start

Fixes: f49f44839df3 ("net/mlx5: share Tx control code")
Cc: stable at dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
---
 drivers/net/mlx5/mlx5_trigger.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c
index b299ee10c1..11a6922e14 100644
--- a/drivers/net/mlx5/mlx5_trigger.c
+++ b/drivers/net/mlx5/mlx5_trigger.c
@@ -89,6 +89,9 @@ mlx5_txq_start(struct rte_eth_dev *dev)
 				DRV_LOG(ERR, "Port %u Tx queue %u cannot "
 					"allocate memory (FCQ).",
 					dev->data->port_id, i);
+				priv->obj_ops.txq_obj_release(txq_ctrl->obj);
+				mlx5_free(txq_ctrl->obj);
+				txq_ctrl->obj = NULL;
 				rte_errno = ENOMEM;
 				goto error;
 			}
-- 
2.33.0

Previous message (by thread): [PATCH v2 22/22] common/cnxk: fix TM link config selection in debug dump
Next message (by thread): [PATCH 2/9] eal/interrupts: keep real errno on epoll error
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list