[PATCH net v1] net/mlx5: Fix flow steering alloc unwind

[PATCH net v1] net/mlx5: Fix flow steering alloc unwind

[Prathamesh Deshpande]

mlx5_fs_core_alloc() uses mlx5_fs_core_free() for its common error path,
but mlx5_fs_core_free() dereferences dev->priv.steering.

If mlx5_ft_pool_init() fails, or if allocating the steering object fails,
dev->priv.steering has not been assigned yet. The error path can then
dereference NULL while unwinding the original failure.

Split the unwind paths so only resources that were successfully
initialized are released.

Fixes: b33886971dbc ("net/mlx5: Initialize flow steering during driver probe")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
---
 .../net/ethernet/mellanox/mlx5/core/fs_core.c    | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index 61a6ba1e49dd..e1662dcedbf4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -3984,12 +3984,12 @@ int mlx5_fs_core_alloc(struct mlx5_core_dev *dev)
 
 	err = mlx5_ft_pool_init(dev);
 	if (err)
-		goto err;
+		goto err_fc_stats;
 
 	steering = kzalloc_obj(*steering);
 	if (!steering) {
 		err = -ENOMEM;
-		goto err;
+		goto err_ft_pool;
 	}
 
 	steering->dev = dev;
@@ -4011,13 +4011,19 @@ int mlx5_fs_core_alloc(struct mlx5_core_dev *dev)
 						 0, NULL);
 	if (!steering->ftes_cache || !steering->fgs_cache) {
 		err = -ENOMEM;
-		goto err;
+		goto err_fs_core;
 	}
 
 	return 0;
 
-err:
-	mlx5_fs_core_free(dev);
+err_fs_core:
+	kmem_cache_destroy(steering->ftes_cache);
+	kmem_cache_destroy(steering->fgs_cache);
+	kfree(steering);
+err_ft_pool:
+	mlx5_ft_pool_destroy(dev);
+err_fc_stats:
+	mlx5_cleanup_fc_stats(dev);
 	return err;
 }
 
-- 
2.43.0

Re: [PATCH net v1] net/mlx5: Fix flow steering alloc unwind

[Mark Bloch]

On 02/05/2026 2:20, Prathamesh Deshpande wrote:
> mlx5_fs_core_alloc() uses mlx5_fs_core_free() for its common error path,
> but mlx5_fs_core_free() dereferences dev->priv.steering.
> 
> If mlx5_ft_pool_init() fails, or if allocating the steering object fails,
> dev->priv.steering has not been assigned yet. The error path can then
> dereference NULL while unwinding the original failure.
> 
> Split the unwind paths so only resources that were successfully
> initialized are released.
> 
> Fixes: b33886971dbc ("net/mlx5: Initialize flow steering during driver probe")
> Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
> ---
>  .../net/ethernet/mellanox/mlx5/core/fs_core.c    | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
> index 61a6ba1e49dd..e1662dcedbf4 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
> @@ -3984,12 +3984,12 @@ int mlx5_fs_core_alloc(struct mlx5_core_dev *dev)
>  
>  	err = mlx5_ft_pool_init(dev);
>  	if (err)
> -		goto err;
> +		goto err_fc_stats;
>  
>  	steering = kzalloc_obj(*steering);
>  	if (!steering) {
>  		err = -ENOMEM;
> -		goto err;
> +		goto err_ft_pool;
>  	}
>  
>  	steering->dev = dev;
> @@ -4011,13 +4011,19 @@ int mlx5_fs_core_alloc(struct mlx5_core_dev *dev)
>  						 0, NULL);
>  	if (!steering->ftes_cache || !steering->fgs_cache) {
>  		err = -ENOMEM;
> -		goto err;
> +		goto err_fs_core;
>  	}
>  
>  	return 0;
>  
> -err:
> -	mlx5_fs_core_free(dev);
> +err_fs_core:
> +	kmem_cache_destroy(steering->ftes_cache);
> +	kmem_cache_destroy(steering->fgs_cache);
> +	kfree(steering);
> +err_ft_pool:
> +	mlx5_ft_pool_destroy(dev);
> +err_fc_stats:
> +	mlx5_cleanup_fc_stats(dev);
>  	return err;
>  }
>  

Reviewed-by: Mark Bloch <mbloch@nvidia.com>

Thanks for the fix.