On 5/20/26 12:02 AM, Kishore Padmanabha wrote:
On Tue, May 19, 2026 at 12:44 AM Denis Sergeev <[email protected]>
wrote:
The return value of tfc_em_delete_raw() in tfc_em_delete() was
silently discarded: rc was unconditionally overwritten by the
subsequent tfc_cpm_get_cmm_inst() call without any error check.
If tfc_em_delete_raw() fails, the HW EM entry is not removed but
the function continues to free the corresponding SW pool entry,
creating a HW/SW state inconsistency that can lead to stale flow
matches or incorrect pool slot reuse.
Add an error check after the call and return -EINVAL on failure.
Found by Linux Verification Center (linuxtesting.org
<http://linuxtesting.org>) with SVACE.
Fixes: 80317ff6adfd ("net/bnxt/tf_core: support Thor2")
Cc: [email protected]
Signed-off-by: Denis Sergeev <[email protected]>
---
drivers/net/bnxt/tf_core/v3/tfc_em.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/bnxt/tf_core/v3/tfc_em.c
b/drivers/net/bnxt/tf_core/v3/tfc_em.c
index 3fe4dbe3fe..4c126dc2f4 100644
--- a/drivers/net/bnxt/tf_core/v3/tfc_em.c
+++ b/drivers/net/bnxt/tf_core/v3/tfc_em.c
@@ -661,6 +661,11 @@ int tfc_em_delete(struct tfc *tfcp, struct
tfc_em_delete_parms *parms)
&db_offset
#endif
);
+ if (rc != 0) {
+ PMD_DRV_LOG_LINE(ERR, "tfc_em_delete_raw() failed:
%s",
+ strerror(-rc));
+ return -EINVAL;
+ }
record_offset = REMOVE_POOL_FROM_OFFSET(pi.lkup_pool_sz_exp,
record_offset);
This change is not required, even if deletion of the HW entry fails,
it should continue to delete the SW state, since at the end all the HW
entries are invalidated. Have you been able to reproduce a scenario
where this failure is seen.
--
2.50.1
Thanks for the review. I'll drop this patch.
The issue was flagged by a static analyzer that caught the discarded
return value of tfc_em_delete_raw(). Over the past week I tried to
reproduce an actual failure at runtime, but I couldn't. So it seems
this failure doesn't occur in real runtime.
--
Best regards,
Denis Sergeev
