From: Lama Kayal Restore-rule creation stores ERR_PTR(errno) in act_id_restore_rule on failure. Teardown still called mlx5_del_flow_rules() with that value, which dereferenced it like a real mlx5_flow_handle and could crash. Clear act_id_restore_rule to NULL in the error branch after esw_add_restore_rule() fails so teardown only sees NULL or a valid handle. Call Trace: ? page_fault+0x1e/0x30 ? mlx5_del_flow_rules+0x12/0x140 [mlx5_core] mlx5e_tc_action_miss_mapping_put+0x49/0x50 [mlx5_core] mlx5_tc_ct_delete_flow+0x4d/0x70 [mlx5_core] mlx5_free_flow_attr_actions+0xd2/0x160 [mlx5_core] mlx5e_tc_del_fdb_flow+0x15d/0x210 [mlx5_core] mlx5e_flow_put+0x23/0x40 [mlx5_core] __mlx5e_add_fdb_flow+0xf3/0x430 [mlx5_core] mlx5e_tc_add_flow+0x2ab/0x9c0 [mlx5_core] mlx5e_configure_flower+0x2f4/0x620 [mlx5_core] tc_setup_cb_add+0xca/0x1e0 fl_hw_replace_filter+0x143/0x1e0 [cls_flower] [...] Fixes: dfa1e46d6093 ("net/mlx5e: TC, Fix using eswitch mapping in nic mode") Signed-off-by: Lama Kayal Reviewed-by: Cosmin Ratiu Signed-off-by: Tariq Toukan --- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c index a9001d1c902f..4c135858f297 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c @@ -5863,6 +5863,7 @@ int mlx5e_tc_action_miss_mapping_get(struct mlx5e_priv *priv, struct mlx5_flow_a attr->act_id_restore_rule = esw_add_restore_rule(esw, *act_miss_mapping); if (IS_ERR(attr->act_id_restore_rule)) { err = PTR_ERR(attr->act_id_restore_rule); + attr->act_id_restore_rule = NULL; goto err_rule; } base-commit: 0068940907d33217ae01217f84910a5cde606c17 -- 2.44.0
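Review bot: In the IS_ERR() branch of mlx5e_tc_action_miss_mapping_get(), the error pointer is still written into attr->act_id_restore_rule and only then overwritten with NULL, so the field briefly holds an ERR_PTR value and any future failure path has to remember the same reset. Consider assigning the result of esw_add_restore_rule() to a local `struct mlx5_flow_handle *rule`, taking `err = PTR_ERR(rule)` on failure, and storing to attr->act_id_restore_rule only on success, so the field never holds an error pointer. The fix also relies on the teardown path in the trace (mlx5e_tc_action_miss_mapping_put() calling mlx5_del_flow_rules()) treating NULL as a no-op, which is not visible in this hunk; a NULL check at that call site, or a sentence in the commit message stating it, would make that explicit. The body of err_rule is outside the hunk as well, so it is worth confirming that the later mlx5e_tc_action_miss_mapping_put() does not repeat cleanup already done there.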