From: Simon Horman <horms@kernel.org>
To: tariqt@nvidia.com
Cc: Simon Horman <horms@kernel.org>,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
andrew+netdev@lunn.ch, davem@davemloft.net, saeedm@nvidia.com,
mbloch@nvidia.com, leon@kernel.org, shayd@nvidia.com,
ohartoov@nvidia.com, edwards@nvidia.com, msanalla@nvidia.com,
phaddad@nvidia.com, parav@nvidia.com, gbayer@linux.ibm.com,
kees@kernel.org, moshe@nvidia.com, rongweil@nvidia.com,
jacob.e.keller@intel.com, netdev@vger.kernel.org,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
gal@nvidia.com
Subject: Re: [PATCH net 3/3] net/mlx5e: TC, skip peer flow cleanup when LAG seq is unavailable
Date: Thu, 18 Jun 2026 13:48:22 +0100 [thread overview]
Message-ID: <20260618124820.890808-3-horms@kernel.org> (raw)
In-Reply-To: <20260617063204.547427-4-tariqt@nvidia.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
Simon says: I think the first two issues flagged below warrant
consideration within the context of this patch.
But the third and final issue flagged below as pre-existing
seems to be something to consider in the context of
possible follow-up.
---
net/mlx5e: TC, skip peer flow cleanup when LAG seq is unavailable
This commit addresses a bad memory access crash by skipping peer flows when
mlx5_lag_get_dev_seq() returns an error. This occurs when the peer isn't in
the LAG or when no device is marked as master.
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> index a9001d1c902ff..c6e6534a5e23b 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> @@ -2155,6 +2155,9 @@ static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow)
> devcom = flow->priv->mdev->priv.eswitch->devcom;
> mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
> i = mlx5_lag_get_dev_seq(peer_esw->dev);
> + if (i < 0)
> + continue;
> +
[Severity: Critical]
Does skipping the remainder of this loop prevent the flow from being
unlinked from the doubly-linked list?
By using continue here in mlx5e_tc_del_fdb_peers_flow(), we skip calling
mlx5e_tc_del_fdb_peer_flow(), which means flow->peer[i] is never
unlinked from the esw->offloads.peer_flows[original_i] list.
If the flow is subsequently freed via mlx5e_flow_put(), will this leave a
freed list node resident in the active list and guarantee a use-after-free
list corruption during the next list traversal?
> mlx5e_tc_del_fdb_peer_flow(flow, i);
> }
> }
[ ... ]
> @@ -5526,6 +5529,9 @@ void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw)
>
> mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
> i = mlx5_lag_get_dev_seq(peer_esw->dev);
> + if (i < 0)
> + continue;
> +
[Severity: Critical]
Similarly to the above, does this skip unlinking during flow cleanup when
the LAG sequence is unavailable?
> list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i])
> mlx5e_tc_del_fdb_peers_flow(flow);
> }
[Severity: Critical]
This isn't a bug introduced by this patch, but is there a similar missing
bounds check during flow addition in mlx5e_tc_add_fdb_peer_flow() in this
same file?
If a flow is added concurrently with LAG teardown, mlx5_lag_get_dev_seq()
can return -ENOENT (-2):
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:mlx5e_tc_add_fdb_peer_flow() {
...
int i = mlx5_lag_get_dev_seq(peer_esw->dev);
...
list_add_tail(&flow->peer[i], &esw->offloads.peer_flows[i]);
...
}
Does this result in an out-of-bounds write to a negative array index?
prev parent reply other threads:[~2026-06-18 12:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 6:32 [PATCH net 0/3] net/mlx5: LAG bug fixes Tariq Toukan
2026-06-17 6:32 ` [PATCH net 1/3] net/mlx5: LAG, Fix off-by-one in single-FDB error rollback Tariq Toukan
2026-06-17 6:32 ` [PATCH net 2/3] net/mlx5: LAG, MPESW, Fix missing complete() on devcom error Tariq Toukan
2026-06-17 6:32 ` [PATCH net 3/3] net/mlx5e: TC, skip peer flow cleanup when LAG seq is unavailable Tariq Toukan
2026-06-18 12:48 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618124820.890808-3-horms@kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=edwards@nvidia.com \
--cc=gal@nvidia.com \
--cc=gbayer@linux.ibm.com \
--cc=jacob.e.keller@intel.com \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mbloch@nvidia.com \
--cc=moshe@nvidia.com \
--cc=msanalla@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=ohartoov@nvidia.com \
--cc=pabeni@redhat.com \
--cc=parav@nvidia.com \
--cc=phaddad@nvidia.com \
--cc=rongweil@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=shayd@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox