Re: [PATCH net] net/mlx5e: Fix oops from ERR_PTR in act-miss restore teardown

Next message: Andy Shevchenko: "Re: [PATCH 2/2] pinctrl: upboard: add device id INTC1055 based UP boards support"
Previous message: Karunika Choo: "Re: [RFC PATCH 07/18] drm/panthor: Add Mali v15 hardware support"
In reply to: Tariq Toukan: "[PATCH net] net/mlx5e: Fix oops from ERR_PTR in act-miss restore teardown"
Next in thread: Jakub Kicinski: "Re: [PATCH net] net/mlx5e: Fix oops from ERR_PTR in act-miss restore teardown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexander Lobakin

Date: Thu Jun 11 2026 - 12:06:39 EST

From: Tariq Toukan <tariqt@xxxxxxxxxx>
Date: Thu, 11 Jun 2026 16:48:36 +0300

> From: Lama Kayal <lkayal@xxxxxxxxxx>
>
> Restore-rule creation stores ERR_PTR(errno) in act_id_restore_rule
> on failure. Teardown still called mlx5_del_flow_rules() with that
> value, which dereferenced it like a real mlx5_flow_handle and could
> crash.
>
> Clear act_id_restore_rule to NULL in the error branch after
> esw_add_restore_rule() fails so teardown only sees NULL or a valid
> handle.
>
> Call Trace:
> ? page_fault+0x1e/0x30
> ? mlx5_del_flow_rules+0x12/0x140 [mlx5_core]
> mlx5e_tc_action_miss_mapping_put+0x49/0x50 [mlx5_core]
> mlx5_tc_ct_delete_flow+0x4d/0x70 [mlx5_core]
> mlx5_free_flow_attr_actions+0xd2/0x160 [mlx5_core]
> mlx5e_tc_del_fdb_flow+0x15d/0x210 [mlx5_core]
> mlx5e_flow_put+0x23/0x40 [mlx5_core]
> __mlx5e_add_fdb_flow+0xf3/0x430 [mlx5_core]
> mlx5e_tc_add_flow+0x2ab/0x9c0 [mlx5_core]
> mlx5e_configure_flower+0x2f4/0x620 [mlx5_core]
> tc_setup_cb_add+0xca/0x1e0
> fl_hw_replace_filter+0x143/0x1e0 [cls_flower]
> [...]
>
> Fixes: dfa1e46d6093 ("net/mlx5e: TC, Fix using eswitch mapping in nic mode")
> Signed-off-by: Lama Kayal <lkayal@xxxxxxxxxx>
> Reviewed-by: Cosmin Ratiu <cratiu@xxxxxxxxxx>
> Signed-off-by: Tariq Toukan <tariqt@xxxxxxxxxx>

Reviewed-by: Alexander Lobakin <aleksander.lobakin@xxxxxxxxx>

Thanks,
Olek