Re: [PATCH net-next V2 5/7] net/mlx5: E-Switch, unwind only newly loaded representor types

[Mark Bloch]

On 01/05/2026 7:16, Tariq Toukan wrote:
> From: Mark Bloch <mbloch@xxxxxxxxxx>
> 
> __esw_offloads_load_rep() may return success without invoking the
> representor load callback when the representor type is already loaded.
> 
> On a later load failure, mlx5_esw_offloads_rep_load() unconditionally
> unloaded all previously iterated representor types. This could unload
> representor types that were already loaded before this load attempt.
> 
> Track which representor types were actually loaded by the current call and
> unwind only those on error. Also restore the representor state back to
> REP_REGISTERED when the load callback itself fails.
> 
> Signed-off-by: Mark Bloch <mbloch@xxxxxxxxxx>
> Signed-off-by: Tariq Toukan <tariqt@xxxxxxxxxx>
> ---

sashiko.dev says:
"
Note: Due to recitation restrictions, the standard inline patch quoting format
has been altered to a free-form summary.
commit ca89c8e618c910a6810fe7127853404ce151ae6b
Author: Mark Bloch <mbloch@xxxxxxxxxx>
net/mlx5: E-Switch, unwind only newly loaded representor types
This commit updates the representor load error handling to track which
representor types were actually loaded by the current call and unwind only
those on error. It also restores the state to REP_REGISTERED if the load
callback fails.
In the modified __esw_offloads_load_rep() function, the representor state
is set to REP_LOADED via atomic_cmpxchg() before the actual load() callback
is invoked. Does this sequence expose a race condition with lockless readers?
If lockless readers, such as mlx5_eswitch_get_proto_dev() or
mlx5_esw_ipsec_restore_dest_uplink(), check the state and observe REP_LOADED
while the load callback is still executing, can they access uninitialized
private data resulting in a NULL pointer dereference?
Additionally, if the load() callback subsequently fails and frees the
allocated private data, could a lockless reader that already observed the
"

The REP_LOADED before load() ordering is pre-existing and orthogonal
to this unwind fix. I’ll look into it and if needed address it in
a separate patch.

Mark


>  .../mellanox/mlx5/core/eswitch_offloads.c     | 38 ++++++++++++++-----
>  1 file changed, 29 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
> index d4ac07c995b9..8f656253981b 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
> @@ -2786,13 +2786,28 @@ void esw_offloads_cleanup(struct mlx5_eswitch *esw)
>  }
>  
>  static int __esw_offloads_load_rep(struct mlx5_eswitch *esw,
> -				   struct mlx5_eswitch_rep *rep, u8 rep_type)
> +				   struct mlx5_eswitch_rep *rep,
> +				   u8 rep_type, bool *newly_loaded)
>  {
> +	int err;
> +
>  	mlx5_esw_assert_reps_locked(esw);
>  
> +	if (newly_loaded)
> +		*newly_loaded = false;
> +
>  	if (atomic_cmpxchg(&rep->rep_data[rep_type].state,
> -			   REP_REGISTERED, REP_LOADED) == REP_REGISTERED)
> -		return esw->offloads.rep_ops[rep_type]->load(esw->dev, rep);
> +			   REP_REGISTERED, REP_LOADED) != REP_REGISTERED)
> +		return 0;
> +
> +	err = esw->offloads.rep_ops[rep_type]->load(esw->dev, rep);
> +	if (err) {
> +		atomic_set(&rep->rep_data[rep_type].state, REP_REGISTERED);
> +		return err;
> +	}
> +
> +	if (newly_loaded)
> +		*newly_loaded = true;
>  
>  	return 0;
>  }
> @@ -2822,22 +2837,27 @@ static void __unload_reps_all_vport(struct mlx5_eswitch *esw, u8 rep_type)
>  static int mlx5_esw_offloads_rep_load(struct mlx5_eswitch *esw, u16 vport_num)
>  {
>  	struct mlx5_eswitch_rep *rep;
> +	unsigned long loaded = 0;
> +	bool newly_loaded;
>  	int rep_type;
>  	int err;
>  
>  	rep = mlx5_eswitch_get_rep(esw, vport_num);
>  	for (rep_type = 0; rep_type < NUM_REP_TYPES; rep_type++) {
> -		err = __esw_offloads_load_rep(esw, rep, rep_type);
> +		err = __esw_offloads_load_rep(esw, rep, rep_type,
> +					      &newly_loaded);
>  		if (err)
>  			goto err_reps;
> +		if (newly_loaded)
> +			loaded |= BIT(rep_type);
>  	}
>  
>  	return 0;
>  
>  err_reps:
> -	atomic_set(&rep->rep_data[rep_type].state, REP_REGISTERED);
> -	for (--rep_type; rep_type >= 0; rep_type--)
> -		__esw_offloads_unload_rep(esw, rep, rep_type);
> +	while (--rep_type >= 0)
> +		if (test_bit(rep_type, &loaded))
> +			__esw_offloads_unload_rep(esw, rep, rep_type);
>  	return err;
>  }
>  
> @@ -3591,13 +3611,13 @@ int mlx5_eswitch_reload_ib_reps(struct mlx5_eswitch *esw)
>  	if (atomic_read(&rep->rep_data[REP_ETH].state) != REP_LOADED)
>  		return 0;
>  
> -	ret = __esw_offloads_load_rep(esw, rep, REP_IB);
> +	ret = __esw_offloads_load_rep(esw, rep, REP_IB, NULL);
>  	if (ret)
>  		return ret;
>  
>  	mlx5_esw_for_each_rep(esw, i, rep) {
>  		if (atomic_read(&rep->rep_data[REP_ETH].state) == REP_LOADED)
> -			__esw_offloads_load_rep(esw, rep, REP_IB);
> +			__esw_offloads_load_rep(esw, rep, REP_IB, NULL);
>  	}
>  
>  	return 0;