From: Stephen Hemminger <stephen@networkplumber.org>
To: Dimon Zhao <dimon.zhao@nebula-matrix.com>
Cc: dev@dpdk.org, stable@dpdk.org,
Kyo Liu <kyo.liu@nebula-matrix.com>,
Leon Yu <leon.yu@nebula-matrix.com>,
Sam Chen <sam.chen@nebula-matrix.com>
Subject: Re: [PATCH v2 1/4] net/nbl: fix memzone leak in queue release
Date: Mon, 26 Jan 2026 17:02:22 -0800 [thread overview]
Message-ID: <20260126170222.6ca4c05c@phoenix.local> (raw)
In-Reply-To: <20260126075815.178216-2-dimon.zhao@nebula-matrix.com>
On Sun, 25 Jan 2026 23:58:12 -0800
Dimon Zhao <dimon.zhao@nebula-matrix.com> wrote:
> diff --git a/drivers/net/nbl/nbl_hw/nbl_txrx.c b/drivers/net/nbl/nbl_hw/nbl_txrx.c
> index 650790b4fc..563f011cd3 100644
> --- a/drivers/net/nbl/nbl_hw/nbl_txrx.c
> +++ b/drivers/net/nbl/nbl_hw/nbl_txrx.c
> @@ -69,9 +69,10 @@ static void nbl_res_txrx_release_tx_ring(void *priv, u16 queue_idx)
> struct nbl_resource_mgt *res_mgt = (struct nbl_resource_mgt *)priv;
> struct nbl_txrx_mgt *txrx_mgt = NBL_RES_MGT_TO_TXRX_MGT(res_mgt);
> struct nbl_res_tx_ring *tx_ring = NBL_RES_MGT_TO_TX_RING(res_mgt, queue_idx);
> - if (!tx_ring)
> - return;
> +
Automated patch review spotted this removal as possible problem.
Code Review:
ERROR: NULL pointer dereference introduced
The NULL check for tx_ring was removed but the code immediately dereferences it:
c
static void nbl_res_txrx_release_tx_ring(void *priv, u16 queue_idx)
{
struct nbl_resource_mgt *res_mgt = (struct nbl_resource_mgt *)priv;
struct nbl_txrx_mgt *txrx_mgt = NBL_RES_MGT_TO_TXRX_MGT(res_mgt);
struct nbl_res_tx_ring *tx_ring = NBL_RES_MGT_TO_TX_RING(res_mgt, queue_idx);
rte_free(tx_ring->tx_entry); /* <-- crash if tx_ring is NULL */
The old code had:
c
if (!tx_ring)
return;
This guard must be restored, or the callers must guarantee tx_ring is never NULL.
Similarly for nbl_res_txrx_release_rx_ring — no NULL check before dereferencing rx_ring->rx_entry and rx_ring->desc_mz.
Further AI lead analysis show scenarios where it could be a problem.
Complete Call Chain Analysis for Patch 1/4
Call Flow
DPDK Application
↓
rte_eth_dev_tx_queue_release() or eth_dev_ops->tx_queue_release
↓
nbl_tx_queues_release() [nbl_dev.c:420]
↓
disp_ops->release_tx_ring() → nbl_disp_release_tx_ring() [nbl_dispatch.c:163]
↓
res_ops->release_tx_ring() → nbl_res_txrx_release_tx_ring() [nbl_txrx.c]
Where tx_ring Can Be NULL
The macro definition:
c
#define NBL_RES_MGT_TO_TX_RING(res_mgt, index) \
(NBL_RES_MGT_TO_TXRX_MGT(res_mgt)->tx_rings[(index)])
Where tx_rings is:
c
struct nbl_res_tx_ring **tx_rings; // Array of pointers
Scenario 1: Normal close without all queues set up
In nbl_dev_port_close() → nbl_release_queues() (line 337-349):
c
for (i = 0; i < eth_dev->data->nb_tx_queues; i++)
disp_ops->release_tx_ring(NBL_DEV_MGT_TO_DISP_PRIV(dev_mgt), i);
If the application configured 4 queues but only called tx_queue_setup() on 2 of them, tx_rings[2] and tx_rings[3] will be NULL.
Scenario 2: DPDK ethdev layer calling release on never-setup queue
DPDK's rte_eth_dev_close() can call tx_queue_release for all configured queues without validating they were set up.
Scenario 3: Re-setup path mismatch
In the patched nbl_res_txrx_start_tx_ring():
c
if (eth_dev->data->tx_queues[param->queue_idx] != NULL) {
NBL_LOG(WARNING, "re-setup an already allocated tx queue");
nbl_res_txrx_release_tx_ring(priv, param->queue_idx); // <-- Called
The check is on eth_dev->data->tx_queues[] (ethdev layer), but tx_rings[] (resource layer) could differ if a previous setup partially failed.
Verdict: Confirmed Bug in Patch 1/4
The removal of NULL checks causes NULL pointer dereference in both nbl_res_txrx_release_tx_ring() and nbl_res_txrx_release_rx_ring().
Required Fix
c
static void nbl_res_txrx_release_tx_ring(void *priv, u16 queue_idx)
{
struct nbl_resource_mgt *res_mgt = (struct nbl_resource_mgt *)priv;
struct nbl_txrx_mgt *txrx_mgt = NBL_RES_MGT_TO_TXRX_MGT(res_mgt);
struct nbl_res_tx_ring *tx_ring = NBL_RES_MGT_TO_TX_RING(res_mgt, queue_idx);
+ if (!tx_ring)
+ return;
+
rte_free(tx_ring->tx_entry);
rte_memzone_free(tx_ring->net_hdr_mz);
rte_memzone_free(tx_ring->desc_mz);
rte_free(tx_ring);
txrx_mgt->tx_rings[queue_idx] = NULL;
}
static void nbl_res_txrx_release_rx_ring(void *priv, u16 queue_idx)
{
struct nbl_resource_mgt *res_mgt = (struct nbl_resource_mgt *)priv;
struct nbl_txrx_mgt *txrx_mgt = NBL_RES_MGT_TO_TXRX_MGT(res_mgt);
struct nbl_res_rx_ring *rx_ring = NBL_RES_MGT_TO_RX_RING(res_mgt, queue_idx);
+ if (!rx_ring)
+ return;
+
rte_free(rx_ring->rx_entry);
rte_memzone_free(rx_ring->desc_mz);
rte_free(rx_ring);
txrx_mgt->rx_rings[queue_idx] = NULL;
}
The memzone leak fix itself is correct and needed — but the defensive NULL checks must be preserved.
Conclusion put the null checks back into rx and tx and retest/resubmit new version.
Full chat is here if you are interested: https://claude.ai/share/d543bddd-7406-4f00-b5cb-4a92e8718476
next prev parent reply other threads:[~2026-01-27 1:02 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-23 3:16 [PATCH v1 0/4] improve NBL memory safety and mailbox reliability Dimon Zhao
2026-01-23 3:16 ` [PATCH v1 1/4] net/nbl: fix memzone leak in queue release Dimon Zhao
2026-01-23 3:16 ` [PATCH v1 2/4] net/nbl: optimize mbuf headroom usage in packet transmission Dimon Zhao
2026-01-23 3:16 ` [PATCH v1 3/4] net/nbl: fix mbuf double-free in queue cleanup Dimon Zhao
2026-01-23 3:16 ` [PATCH v1 4/4] net/nbl: improve exception handling for the mailbox Dimon Zhao
2026-01-24 18:31 ` [REVIEW] " Stephen Hemminger
2026-01-23 4:36 ` [PATCH v1 0/4] improve NBL memory safety and mailbox reliability Stephen Hemminger
2026-01-24 19:08 ` Stephen Hemminger
2026-01-26 1:37 ` 回复:[PATCH " Dimon
2026-01-26 7:58 ` [PATCH v2 " Dimon Zhao
2026-01-26 7:58 ` [PATCH v2 1/4] net/nbl: fix memzone leak in queue release Dimon Zhao
2026-01-27 1:02 ` Stephen Hemminger [this message]
2026-01-26 7:58 ` [PATCH v2 2/4] net/nbl: optimize mbuf headroom usage in packet Tx Dimon Zhao
2026-01-26 7:58 ` [PATCH v2 3/4] net/nbl: fix mbuf double-free in queue cleanup Dimon Zhao
2026-01-26 7:58 ` [PATCH v2 4/4] net/nbl: improve exception handling for the mailbox Dimon Zhao
2026-01-26 18:18 ` [REVIEW] " Stephen Hemminger
2026-01-26 18:28 ` Stephen Hemminger
2026-01-27 2:52 ` [PATCH v3 0/4] improve NBL memory safety and mailbox reliability Dimon Zhao
2026-01-27 2:52 ` [PATCH v3 1/4] net/nbl: fix memzone leak on queue release Dimon Zhao
2026-01-27 2:52 ` [PATCH v3 2/4] net/nbl: fix mbuf headroom usage in packet Tx Dimon Zhao
2026-01-27 2:52 ` [PATCH v3 3/4] net/nbl: fix mbuf double-free in queue cleanup Dimon Zhao
2026-01-27 2:52 ` [PATCH v3 4/4] net/nbl: improve mailbox exception handling Dimon Zhao
2026-01-27 15:10 ` [PATCH v3 0/4] improve NBL memory safety and mailbox reliability Stephen Hemminger
2026-01-28 2:00 ` 回复:[PATCH " Dimon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260126170222.6ca4c05c@phoenix.local \
--to=stephen@networkplumber.org \
--cc=dev@dpdk.org \
--cc=dimon.zhao@nebula-matrix.com \
--cc=kyo.liu@nebula-matrix.com \
--cc=leon.yu@nebula-matrix.com \
--cc=sam.chen@nebula-matrix.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox