{"id":2222380,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222380/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/2026041116-retail-bagginess-250f@gregkh/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/1.1/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<2026041116-retail-bagginess-250f@gregkh>","date":"2026-04-11T10:12:16","name":"[net] idpf: fix double free and use-after-free in aux device error paths","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3a8ec24df6eca603aeca581e0ba3ce768426fa9e","submitter":{"id":11800,"url":"http://patchwork.ozlabs.org/api/1.1/people/11800/?format=json","name":"Greg Kroah-Hartman","email":"gregkh@linuxfoundation.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/2026041116-retail-bagginess-250f@gregkh/mbox/","series":[{"id":499546,"url":"http://patchwork.ozlabs.org/api/1.1/series/499546/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=499546","date":"2026-04-11T10:12:16","name":"[net] idpf: fix double free and use-after-free in aux device error paths","version":1,"mbox":"http://patchwork.ozlabs.org/series/499546/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222380/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222380/checks/","tags":{},"headers":{"Return-Path":"<intel-wired-lan-bounces@osuosl.org>","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default 
header.b=CiShGdZn;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4ft8cL52rrz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 11 Apr 2026 20:12:34 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id A383B40197;\n\tSat, 11 Apr 2026 10:12:30 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Crm2zUZJATAh; Sat, 11 Apr 2026 10:12:29 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 1C32E41E54;\n\tSat, 11 Apr 2026 10:12:29 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists1.osuosl.org (Postfix) with ESMTP id 4614E194\n for <intel-wired-lan@lists.osuosl.org>; Sat, 11 Apr 2026 10:12:28 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 3846141E52\n for <intel-wired-lan@lists.osuosl.org>; Sat, 11 Apr 2026 10:12:28 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id VzZBHRb6tM-H for <intel-wired-lan@lists.osuosl.org>;\n Sat, 11 Apr 2026 10:12:27 +0000 (UTC)","from sea.source.kernel.org (sea.source.kernel.org\n [IPv6:2600:3c0a:e001:78e:0:1991:8:25])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 85BEC40197\n for <intel-wired-lan@lists.osuosl.org>; Sat, 11 Apr 2026 10:12:27 +0000 (UTC)","from smtp.kernel.org 
(transwarp.subspace.kernel.org [100.75.92.58])\n by sea.source.kernel.org (Postfix) with ESMTP id C76F0437FC;\n Sat, 11 Apr 2026 10:12:26 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 2E7CFC4CEF7;\n Sat, 11 Apr 2026 10:12:26 +0000 (UTC)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 1C32E41E54","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 85BEC40197"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1775902349;\n\tbh=aY+ZObLSwWsXhnHHK1PlUlQk28w6zqlnBH6XYFBEOZM=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=CiShGdZntdg1VNKfCaOWoD7Ygez5yCdzuxKm1XMCUxe3BHEKA+NN8INOKN/iySa5b\n\t eSUmWRSU+cPZs5rJFyjAgH6IqtSTHkUbaGUzUk0MIaKzCh0nUEFHSgImRnQUn/KHH7\n\t Aj43UwC8IM/v+JzAgIoSeFg2PmIoAg4GEnsguX5tmeO7uKP0As/bfE5JnLvHG6Gunq\n\t iIrCedzEwPQeqINIsU9AS9WKxLNzjqI/ydwJGFSIbX89qMfhx94Sao33RzSddL5zpJ\n\t PmKLsctzLrTrCembRDP1hSuWWSOd4GJ3rH7/A293AjNLPrkURc7HBfMKkhZzubQhzU\n\t yYIyPm1YTKhKQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2600:3c0a:e001:78e:0:1991:8:25; helo=sea.source.kernel.org;\n envelope-from=gregkh@linuxfoundation.org; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 85BEC40197","From":"Greg Kroah-Hartman <gregkh@linuxfoundation.org>","To":"intel-wired-lan@lists.osuosl.org","Cc":"netdev@vger.kernel.org, linux-kernel@vger.kernel.org,\n Greg Kroah-Hartman <gregkh@linuxfoundation.org>,\n Tony Nguyen <anthony.l.nguyen@intel.com>,\n Przemek Kitszel <przemyslaw.kitszel@intel.com>,\n Andrew Lunn <andrew+netdev@lunn.ch>,\n \"David S. 
Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>, stable <stable@kernel.org>","Date":"Sat, 11 Apr 2026 12:12:16 +0200","Message-ID":"<2026041116-retail-bagginess-250f@gregkh>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","Lines":"62","X-Developer-Signature":"v=1; a=openpgp-sha256; l=2515;\n i=gregkh@linuxfoundation.org; h=from:subject:message-id;\n bh=xeOwmbvZi8iIq2Y68tN3V7TkwozyYLvVfG0YS4MKjmE=;\n b=owGbwMvMwCRo6H6F97bub03G02pJDJm35BoMVPK/975pV2ZLmDXZcP3bci394zuzu/2Y028un\n 8mgLZbbEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOpYGGYp1D2SnfW/x/MmhI7\n Lt18H1SwwNGugmGuzEMf+63x0UrFuzg3CrVkVpbee54PAA==","X-Developer-Key":"i=gregkh@linuxfoundation.org; a=openpgp;\n fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=linuxfoundation.org;\n s=korg; t=1775902346;\n bh=xeOwmbvZi8iIq2Y68tN3V7TkwozyYLvVfG0YS4MKjmE=;\n h=From:To:Cc:Subject:Date:From;\n b=Vvay9Ig4a2bEcyW7Z9ihyHzvIUEMxYpQ5kgkYCDsEnb4w7ZEQZFHRgtaKwdlO8O1R\n N8+RCgYmk+Y9s+s0loppd7EMwaN04ULgLgHgjO1PT4xOtT7P36/avFyshkMe6EwM1q\n yPRwb13JRrYIBFE2F2kdH1VsKQTTINhBNi9eStxY=","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=linuxfoundation.org","smtp4.osuosl.org;\n dkim=pass (1024-bit key,\n unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org\n header.a=rsa-sha256 header.s=korg header.b=Vvay9Ig4"],"Subject":"[Intel-wired-lan] [PATCH net] idpf: fix double free and\n use-after-free in aux device error paths","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n <intel-wired-lan.osuosl.org>","List-Unsubscribe":"<https://lists.osuosl.org/mailman/options/intel-wired-lan>,\n 
<mailto:intel-wired-lan-request@osuosl.org?subject=unsubscribe>","List-Archive":"<http://lists.osuosl.org/pipermail/intel-wired-lan/>","List-Post":"<mailto:intel-wired-lan@osuosl.org>","List-Help":"<mailto:intel-wired-lan-request@osuosl.org?subject=help>","List-Subscribe":"<https://lists.osuosl.org/mailman/listinfo/intel-wired-lan>,\n <mailto:intel-wired-lan-request@osuosl.org?subject=subscribe>","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" <intel-wired-lan-bounces@osuosl.org>"},"content":"When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or\nidpf_plug_core_aux_dev(), the err_aux_dev_add label calls\nauxiliary_device_uninit() and falls through to err_aux_dev_init.  The\nuninit call will trigger put_device(), which invokes the release\ncallback (idpf_vport_adev_release / idpf_core_adev_release) that frees\niadev.  The fall-through then reads adev->id from the freed iadev for\nida_free() and double-frees iadev with kfree().\n\nFree the IDA slot and clear the back-pointer before uninit, while adev\nis still valid, then return immediately.\n\nCommit 65637c3a1811 (\"idpf: fix UAF in RDMA core aux dev\ndeinitialization\") fixed the same use-after-free in the matching unplug\npath in this file but missed both probe error paths.\n\nCc: Tony Nguyen <anthony.l.nguyen@intel.com>\nCc: Przemek Kitszel <przemyslaw.kitszel@intel.com>\nCc: Andrew Lunn <andrew+netdev@lunn.ch>\nCc: \"David S. 
Miller\" <davem@davemloft.net>\nCc: Eric Dumazet <edumazet@google.com>\nCc: Jakub Kicinski <kuba@kernel.org>\nCc: Paolo Abeni <pabeni@redhat.com>\nCc: stable <stable@kernel.org>\nFixes: be91128c579c (\"idpf: implement RDMA vport auxiliary dev create, init, and destroy\")\nFixes: f4312e6bfa2a (\"idpf: implement core RDMA auxiliary dev create, init, and destroy\")\nAssisted-by: gregkh_clanker_t1000\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n---\nNote, these cleanup paths are messy, but I couldn't see a simpler way\nwithout a lot more rework, so I choose the simple way :)\n\n drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++\n 1 file changed, 6 insertions(+)","diff":"diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c\nindex 7e4f4ac92653..b7d6b08fc89e 100644\n--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c\n+++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c\n@@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,\n \treturn 0;\n \n err_aux_dev_add:\n+\tida_free(&idpf_idc_ida, adev->id);\n+\tvdev_info->adev = NULL;\n \tauxiliary_device_uninit(adev);\n+\treturn ret;\n err_aux_dev_init:\n \tida_free(&idpf_idc_ida, adev->id);\n err_ida_alloc:\n@@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct iidc_rdma_core_dev_info *cdev_info)\n \treturn 0;\n \n err_aux_dev_add:\n+\tida_free(&idpf_idc_ida, adev->id);\n+\tcdev_info->adev = NULL;\n \tauxiliary_device_uninit(adev);\n+\treturn ret;\n err_aux_dev_init:\n \tida_free(&idpf_idc_ida, adev->id);\n err_ida_alloc:\n","prefixes":["net"]}
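Review bot: In the idpf_plug_vport_aux_dev() hunk, the new `return ret;` under err_aux_dev_add sits in the middle of a fall-through unwind ladder with no comment saying why this label must not reach err_aux_dev_init. A one-line comment above auxiliary_device_uninit(adev), stating that the put_device() it triggers runs the release callback that frees iadev, would keep a later cleanup from dropping the return and reintroducing the double free. ida_free(&idpf_idc_ida, adev->id) now appears under two adjacent labels, so a note that the two copies must stay in sync would also help.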
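Review bot: In the idpf_plug_core_aux_dev() hunk, the early `return ret;` after auxiliary_device_uninit(adev) skips everything under err_aux_dev_init and err_ida_alloc, and the hunk's context ends at the err_ida_alloc: label, so the skipped statements are not visible in this patch. Please confirm in the changelog that the only step below that label is the kfree() of iadev that the release callback already performs, so no other unwind work is lost on this path. Since cdev_info->adev is set to NULL before the uninit call, it is also worth stating that idpf_core_adev_release does not read that back-pointer.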