|WARNING| [v2, 6/6] net/iavf: fix leak of IPsec crypto capabilities array

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Fri Jul 3 16:02:48 CEST 2026


Test-Label: ai-code-review
Test-Status: WARNING
https://dpdk.org/patch/166539

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-07-03

# DPDK Patch Review

Reviewing patch series 'series.patch' containing 6 patches fixing memory leaks in the Intel iavf and ice network drivers.

---

## PATCH 1/6: net/iavf: fix local memory leaks in TM hierarchy commit

### Errors

**Memory leak on qtc_map allocation failure (line 894-897)**

When `qtc_map` allocation fails (line 894), the code correctly sets `ret_val = IAVF_ERR_NO_MEMORY` and jumps to `fail_clear` (line 896). However, at this point `q_bw` and `q_tc_mapping` have already been successfully allocated (lines 837, 845) but are not freed on this error path. The `fail_clear` label (line 918) only calls `iavf_tm_conf_uninit(dev)` and does not free these temporary buffers. The `free()` calls for `q_bw` and `q_tc_mapping` at line 925-926 are only reached via the `err:` label, not from `fail_clear`.

Suggested fix:
```c
fail_clear:
	/* if we have error before we commit, we do not need to clear */
	if (clear_on_fail) {
		iavf_tm_conf_uninit(dev);
		iavf_tm_conf_init(dev);
	}
	/* fall through to err label to free temporary allocations */
err:
	free(q_bw);
	free(q_tc_mapping);
	free(qtc_map);
	return ret_val;
```
Or move the `free()` calls before the `if (clear_on_fail)` block in `fail_clear:`.

---

## PATCH 2/6: net/iavf: fix leak of queue to traffic class mapping data

### Warnings

**Unnecessary `free(NULL)` in iavf_tm_conf_uninit (line 100-101)**

The added free calls at lines 100-101 are executed regardless of whether `vf->qtc_map` was allocated. While `free(NULL)` is safe per POSIX, the driver already handles this cleanup at other uninit sites (lines 2758-2759 in patch 1), making this second cleanup redundant. Consider verifying the intended lifecycle: if `qtc_map` is always freed at `iavf_uninit_vf()`, the `iavf_tm_conf_uninit()` call may be unnecessary or indicate double-free risk.

---

## PATCH 3/6: net/iavf: fix memory leak on error when adding flow parser

### No issues found

The fix correctly adds `rte_free(parser_node)` on the error path where `parser_node` is allocated but never added to a TAILQ.

---

## PATCH 4/6: net/ice: fix buffer leak in config of Tx queue TM node

### No issues found

The patch correctly moves the `free(buf)` call outside the error check so it executes unconditionally after the adminq call. The replacement of `ice_malloc(hw, buf_size)` with `calloc(1, buf_size)` is appropriate since this is a temporary buffer that does not need hugepage backing.

---

## PATCH 5/6: net/iavf: fix leak of flex metadata extraction field

### No issues found

The fix correctly adds `rte_free(vf->proto_xtr)` and NULL assignment in `iavf_uninit_vf()` to match the allocation in `iavf_init_proto_xtr()`.

---

## PATCH 6/6: net/iavf: fix leak of IPsec crypto capabilities array

### No issues found

The patch correctly frees `iavf_sctx->crypto_capabilities` before freeing the containing `iavf_sctx` structure in the security context destroy path.

---

## Summary

- **Patch 1** has a correctness bug: the `qtc_map` allocation failure path does not free `q_bw` and `q_tc_mapping`.
- **Patch 2** has a minor warning about potential redundant cleanup, but is not a correctness issue.
- **Patches 3-6** are correct.

All patches correctly use `free()` for memory allocated with `calloc()` and `rte_free()` for memory allocated with `rte_malloc()`/`rte_zmalloc()`, following DPDK conventions.


More information about the test-report mailing list