From: Jakub Kicinski <kuba@kernel.org>
To: tariqt@nvidia.com
Cc: Jakub Kicinski <kuba@kernel.org>,
	edumazet@google.com, pabeni@redhat.com, andrew+netdev@lunn.ch,
	davem@davemloft.net, borisp@nvidia.com, saeedm@nvidia.com,
	leon@kernel.org, mbloch@nvidia.com, daniel.zahka@gmail.com,
	willemdebruijn.kernel@gmail.com, cratiu@nvidia.com,
	raeds@nvidia.com, rrameshbabu@nvidia.com, dtatulea@nvidia.com,
	kees@kernel.org, netdev@vger.kernel.org,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	gal@nvidia.com
Subject: Re: [PATCH net 1/2] net/mlx5e: psp: Fix invalid access on PSP dev registration fail
Date: Sat, 18 Apr 2026 12:08:48 -0700
Message-ID: <20260418190848.204170-1-kuba@kernel.org>
In-Reply-To: <20260417050201.192070-2-tariqt@nvidia.com>

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
net/mlx5e: psp: Fix invalid access on PSP dev registration fail

This commit updates PSP device registration to use a local variable,
only saving the PSP device pointer if psp_dev_create() succeeds. This
prevents an error pointer from being stored in priv->psp->psp.

> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
[ ... ]
> @@ -1070,29 +1070,37 @@ static struct psp_dev_ops mlx5_psp_ops = {
[ ... ]
>  void mlx5e_psp_register(struct mlx5e_priv *priv)
>  {
> +	struct mlx5e_psp *psp = priv->psp;
> +	struct psp_dev *psd;
> +
[ ... ]
> -	priv->psp->psp = psp_dev_create(priv->netdev, &mlx5_psp_ops,
> -					&priv->psp->caps, NULL);
> -	if (IS_ERR(priv->psp->psp))
> +	psd = psp_dev_create(priv->netdev, &mlx5_psp_ops, &psp->caps, NULL);
> +	if (IS_ERR(psd)) {
>  		mlx5_core_err(priv->mdev, "PSP failed to register due to %pe\n",
> -			      priv->psp->psp);
> +			      psd);
> +		return;
> +	}
> +	psp->psp = psd;
>  }
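
Review bot: In the IS_ERR(psd) branch the function only logs and returns, and since mlx5e_psp_register() is void the caller has no way to learn that registration failed and that psp->psp was never assigned. Consider returning PTR_ERR(psd) so the caller can skip or undo the rest of PSP setup, or at minimum add a comment above the function stating that psp->psp may remain unset afterwards and that every reader of it must check for that.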

When psp_dev_create() fails, this function now returns without setting
psp->psp, leaving it as NULL. However, priv->psp remains allocated and
non-NULL.

Does this leave the RX datapath vulnerable to a NULL pointer dereference?

If priv->psp is non-NULL, the NIC RX initialization path can still call
mlx5_accel_psp_fs_init_rx_tables(), which creates hardware flow steering
rules to intercept UDP traffic.

If a UDP packet triggers these rules, the hardware flags the CQE with
MLX5E_PSP_MARKER_BIT. The RX fast-path sees the marker and invokes
mlx5e_psp_offload_handle_rx_skb(), which dereferences the pointer
unconditionally:

	u16 dev_id = priv->psp->psp->id;

Since priv->psp->psp is NULL, this will cause a kernel panic. Should
priv->psp be cleaned up, or the error propagated, to prevent flow rules
from being installed when registration fails?
-- 
pw-bot: cr
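
Added example, not part of the original message and not mlx5 driver code: a userspace C model of the failure mode the review describes, where steering rules are installed because priv->psp is non-NULL while the device pointer was never set. All names (model_*, RX_*) are hypothetical, and the two guards shown (gating rule installation on a registered device, checking the pointer in the handler) are assumptions about possible fixes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; every name is a hypothetical stand-in, not mlx5 code. */
struct model_psp_dev { uint16_t id; };
struct model_psp {
	struct model_psp_dev *psd;	/* stands in for priv->psp->psp */
	int rx_rules;			/* stands in for the RX steering rules */
};
struct model_priv { struct model_psp *psp; };
enum rx_result { RX_OK, RX_NOT_PSP, RX_DROP_UNREGISTERED, RX_WOULD_OOPS };

/* Patched register path: store the device only on success (NULL = failure). */
static void model_register(struct model_priv *priv, struct model_psp_dev *psd)
{
	if (psd)
		priv->psp->psd = psd;
}

/* Rule setup: the unguarded form keys on priv->psp alone, as in the review. */
static void model_init_rx(struct model_priv *priv, int require_psd)
{
	if (priv->psp && (!require_psd || priv->psp->psd))
		priv->psp->rx_rules = 1;
}

/* RX handler: reports the NULL dereference instead of performing it. */
static enum rx_result model_handle_rx(struct model_priv *priv, int check_psd,
				      uint16_t *dev_id)
{
	if (!priv->psp || !priv->psp->rx_rules)
		return RX_NOT_PSP;	/* no rule, so no marked CQE */
	if (!priv->psp->psd)
		return check_psd ? RX_DROP_UNREGISTERED : RX_WOULD_OOPS;
	*dev_id = priv->psp->psd->id;
	return RX_OK;
}

int main(void)
{
	struct model_psp psp = { 0 };
	struct model_priv priv = { .psp = &psp };
	uint16_t id = 0;

	model_register(&priv, NULL);	/* registration failed */
	model_init_rx(&priv, 0);	/* rules installed anyway */
	printf("unguarded: %d\n", model_handle_rx(&priv, 0, &id));
	return 0;
}
```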
