Re: [PATCH net v1] net/mlx5: Fix HWS action unwind NULL dereference

[Moshe Shemesh]

On 5/5/2026 1:06 AM, Prathamesh Deshpande wrote:
> mlx5_fs_fte_get_hws_actions() stores some destination actions in
> fs_actions[] before checking whether action creation succeeded.
>
> If creating a table-number or range destination action fails, or if
> fetching a sampler destination action fails, dest_action is NULL but
> num_fs_actions has already been incremented. The shared error path then
> calls mlx5_fs_destroy_fs_action(), which dereferences fs_action->action
> to get the HWS action type, causing a NULL pointer dereference while
> unwinding the original failure.
>
> Track whether the current destination action needs fs_actions[] cleanup,
> but append it only after dest_action has been validated.
>
> Fixes: 2ec6786ad0a6b ("net/mlx5: fs, add HWS fte API functions")
> Fixes: 32e658c84b6d ("net/mlx5: fs, add support for dest flow sampler HWS action")
> Signed-off-by: Prathamesh Deshpande<prathameshdeshpande7@xxxxxxxxx>

Acked-by: Moshe Shemesh <moshe@xxxxxxxxxx>

> ---
>   .../mellanox/mlx5/core/steering/hws/fs_hws.c     | 16 +++++++++++-----
>   1 file changed, 11 insertions(+), 5 deletions(-)