Hi,

On 17/06/2026 4:43 PM, Borys Tsyrulnikov wrote:
> During Rx queue error recovery, the vectorized path in
> mlx5_rx_err_handle() reallocates an mbuf for every queue element. When
> rte_mbuf_raw_alloc() fails (for example, the mempool is exhausted), the
> rollback loop frees the mbufs allocated so far, but masks the element
> ring index with "& elts_n" instead of "& (elts_n - 1)".
>
> elts_n is a power-of-two element count, so "x & elts_n" isolates a
> single bit and can only evaluate to 0 or elts_n, regardless of the loop
> counter. The rollback therefore never frees the mbufs just allocated in
> this pass (they are leaked); instead it repeatedly frees elts[0], a live
> mbuf still posted to the NIC (use-after-free / double free), and
> elts[elts_n], the fake_mbuf padding entry used by the vector datapath.
>
> Mask with the existing e_mask (elts_n - 1), as already done in the
> matching forward allocation loop just above.
>
> Fixes: 0f20acbf5eda ("net/mlx5: implement vectorized MPRQ burst")
> Cc: [email protected]
>
> Signed-off-by: Borys Tsyrulnikov <[email protected]>

Patch applied to next-net-mlx,

Kindest regards
Raslan Darawsheh
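
The index arithmetic described in the quoted commit message, as an added model that is not code from the patch or from DPDK: it replays the rollback with both masks and counts which slots would be freed. The ring size ELTS_N, the base offset ci and the helper names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ELTS_N 8u              /* constructed ring size, a power of two */
#define SLOTS  (ELTS_N + 1u)   /* slot ELTS_N models the padding entry */

/* Replay the rollback for `allocated` entries that began at ring position
 * `ci` (an assumed base offset), counting in hits[] how often each slot
 * would be freed when the index is masked with `mask`. */
static void rollback_hits(unsigned ci, unsigned allocated, unsigned mask,
                          unsigned hits[SLOTS])
{
    memset(hits, 0, SLOTS * sizeof(hits[0]));
    for (unsigned i = allocated; i-- > 0; )
        hits[(ci + i) & mask]++;
}

/* Entries allocated in this pass that the rollback never freed. */
static unsigned leaked(unsigned ci, unsigned allocated,
                       const unsigned hits[SLOTS])
{
    unsigned n = 0;
    for (unsigned i = 0; i < allocated; i++)
        if (hits[(ci + i) & (ELTS_N - 1u)] == 0)
            n++;
    return n;
}

int main(void)
{
    unsigned bad[SLOTS], good[SLOTS];

    rollback_hits(5, 5, ELTS_N, bad);        /* mask from the bug report */
    rollback_hits(5, 5, ELTS_N - 1u, good);  /* e_mask, as in the fix */
    for (unsigned s = 0; s < SLOTS; s++)
        printf("slot %u: freed %u time(s) with & elts_n, %u with e_mask\n",
               s, bad[s], good[s]);
    printf("leaked: %u vs %u\n", leaked(5, 5, bad), leaked(5, 5, good));
    return 0;
}
```

With the single-bit mask every free lands on slot 0 or slot ELTS_N; with e_mask each of the five entries is freed exactly once.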
