mlx5: fix crash if malloc FCQS fails

Yunjian Wang Fri, 24 Apr 2026 03:48:42 -0700

A crash is triggered when memory malloc for FCQS fails. Currently,
the abnormal branch releases the txq, and it removes the 'txq_ctrl->obj'
from the linked list, but the 'txq_ctrl->obj' has not actually been
added to the linked list yet. This triggers a null pointer reference
issue.


The call stack is as follows:
Program terminated with signal 11, Segmentation fault.
1210                    LIST_REMOVE(txq_ctrl->obj, next);
(gdb) bt
 #0 mlx5_txq_release
 #1 mlx5_txq_start
 #2 mlx5_dev_start
 #3 rte_eth_dev_start
 #4 member_start
 #5 bond_ethdev_start

Fixes: f49f44839df3 ("net/mlx5: share Tx control code")
Cc: [email protected]

Signed-off-by: Yunjian Wang <[email protected]>
---
 drivers/net/mlx5/mlx5_trigger.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/mlx5/mlx5_trigger.c b/drivers/net/mlx5/mlx5_trigger.c
index a070aaecfd..594b518ba6 100644
--- a/drivers/net/mlx5/mlx5_trigger.c
+++ b/drivers/net/mlx5/mlx5_trigger.c
@@ -97,6 +97,9 @@ mlx5_txq_start(struct rte_eth_dev *dev)
                                        DRV_LOG(ERR, "Port %u Tx queue %u 
cannot "
                                                "allocate memory (FCQ).",
                                                dev->data->port_id, i);
+                                       
priv->obj_ops.txq_obj_release(txq_ctrl->obj);
+                                       mlx5_free(txq_ctrl->obj);
+                                       txq_ctrl->obj = NULL;
                                        rte_errno = ENOMEM;
                                        goto error;
                                }
-- 
2.33.0

[PATCH 1/1] net/mlx5: fix crash if malloc FCQS fails

Reply via email to