[PATCH] net/mlx5: fix segfault on indirect action age query with conntrack

Wed, 25 Jun 2025 12:03:16 -0700 

This patch fixes a segmentation fault that occurs when querying the
age action of an indirect flow rule using connection tracking.

Steps to reproduce:
 1. Create an indirect action:
    flow indirect_action 0 create ingress action conntrack / end

 2. Create a root flow rule with a jump:
    flow create 0 ingress pattern eth / ipv4 / tcp / end /
         actions jump group 3 / end

 3. Create a group 3 rule using the indirect action:
    flow create 0 group 3 ingress pattern eth / ipv4 / tcp / end /
         actions indirect 0 / jump group 5 / end

 4. Create a group 5 rule matching on conntrack state:
    flow create 0 group 5 ingress pattern eth / ipv4 / tcp /
         conntrack is 1 / end actions queue index 5 / end

 5. Querying the first rule causes a segmentation fault:
    flow query 0 1 age

This patch ensures proper handling of the indirect action with
conntrack to prevent this crash.

Signed-off-by: Khadem Ullah <14pwcse1...@uetpeshawar.edu.pk>
---
 .mailmap                        | 1 +
 drivers/net/mlx5/mlx5_flow.c    | 2 ++
 drivers/net/mlx5/mlx5_flow_dv.c | 5 +++++
 3 files changed, 8 insertions(+)

diff --git a/.mailmap b/.mailmap
index 8483d96ec5..5c9ea95346 100644
--- a/.mailmap
+++ b/.mailmap
@@ -812,6 +812,7 @@ Kevin Scott <kevin.c.sc...@intel.com>
 Kevin Traynor <ktray...@redhat.com>
 Ke Xu <ke1...@intel.com>
 Ke Zhang <ke1x.zh...@intel.com>
+Khadem Ullah <14pw...@uetpeshawar.edu.pk>
 Khoa To <k...@microsoft.com>
 Kiran KN <kira...@juniper.net>
 Kiran Kumar K <kirankum...@marvell.com> <kkokkilaga...@caviumnetworks.com> 
<kiran.kokkilaga...@caviumnetworks.com>
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 3d49a2d833..5c799ea4ce 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -4550,6 +4550,8 @@ flow_aso_age_get_by_idx(struct rte_eth_dev *dev, uint32_t 
age_idx)
        struct mlx5_aso_age_pool *pool;
 
        rte_rwlock_read_lock(&mng->resize_rwl);
+       if (mng->pools == NULL)
+               return NULL;
        pool = mng->pools[pool_idx];
        rte_rwlock_read_unlock(&mng->resize_rwl);
        return &pool->actions[offset - 1];
diff --git a/drivers/net/mlx5/mlx5_flow_dv.c b/drivers/net/mlx5/mlx5_flow_dv.c
index c217634d9b..f81ce20385 100644
--- a/drivers/net/mlx5/mlx5_flow_dv.c
+++ b/drivers/net/mlx5/mlx5_flow_dv.c
@@ -18086,6 +18086,11 @@ flow_dv_query_age(struct rte_eth_dev *dev, struct 
rte_flow *flow,
        if (flow->age) {
                struct mlx5_aso_age_action *act =
                                     flow_aso_age_get_by_idx(dev, flow->age);
+               if (!act)
+                       return rte_flow_error_set
+                                       (error, EINVAL,
+                                        RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+                                        NULL, "cannot read age data");
 
                age_param = &act->age_params;
        } else if (flow->counter) {
-- 
2.43.0

Reply via email to