{"id":2222669,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2222669/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260413112030.2694563-1-lgs201920130244@gmail.com/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/1.2/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260413112030.2694563-1-lgs201920130244@gmail.com>","list_archive_url":null,"date":"2026-04-13T11:20:30","name":"[v2] dpf: fix UAF and double free in idpf_plug_vport_aux_dev() error path","commit_ref":null,"pull_url":null,"state":"rejected","archived":false,"hash":"fb8c4ff4642876eedd673d4a26c23123efb17554","submitter":{"id":91722,"url":"http://patchwork.ozlabs.org/api/1.2/people/91722/?format=json","name":"Guangshuo Li","email":"lgs201920130244@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260413112030.2694563-1-lgs201920130244@gmail.com/mbox/","series":[{"id":499684,"url":"http://patchwork.ozlabs.org/api/1.2/series/499684/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=499684","date":"2026-04-13T11:20:30","name":"[v2] dpf: fix UAF and double free in idpf_plug_vport_aux_dev() error path","version":2,"mbox":"http://patchwork.ozlabs.org/series/499684/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222669/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222669/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=6DxwWetI;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvQ2G5xdRz1yDF\n\tfor ; Mon, 13 Apr 2026 21:20:54 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 4248F60EA1;\n\tMon, 13 Apr 2026 11:20:53 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id unxUxV5DSjuq; Mon, 13 Apr 2026 11:20:51 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 1972460E91;\n\tMon, 13 Apr 2026 11:20:51 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 093C1194\n for ; Mon, 13 Apr 2026 11:20:49 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id E4C9582384\n for ; Mon, 13 Apr 2026 11:20:48 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id LXu0p8dE60iZ for ;\n Mon, 13 Apr 2026 11:20:48 +0000 (UTC)","from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com\n [IPv6:2607:f8b0:4864:20::42b])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 4A5A98236D\n for ; Mon, 13 Apr 2026 11:20:48 +0000 (UTC)","by mail-pf1-x42b.google.com with SMTP id\n d2e1a72fcca58-82f22f6b0feso736728b3a.0\n for ; Mon, 13 Apr 2026 04:20:48 -0700 (PDT)","from lgs.. ([101.32.189.54]) by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82f0c4df7f5sm13555346b3a.43.2026.04.13.04.20.42\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 13 Apr 2026 04:20:47 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1972460E91","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4A5A98236D"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1776079251;\n\tbh=iQ7f9KI9JqtBNgCC6+8bgvZa6CW8q9FixqdbvIgHfKA=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=6DxwWetIvLtwxfFN+0ppEWT1OSps7oGn+v9Kdgh8WQTpJJCnVzig5Vs1jGntsX0Xc\n\t 7RjED9RMPsEl2j412F9S3LgJ9osmQDme/l24mmu+xPsHI4QkSX34gDWf6AyCSONHEk\n\t lhtv9UHCQI3oqLVx+C8/dWPUIx8GIbT+lLeYGbAucw2isCGAP9deklf6QRscrnoHVV\n\t VGbOJO0QMGbxjtr0Bch29gIjJc/EsZxXkpMfUUbG3K/m5Z6L2OfHp9fy80dmeUWiVc\n\t 8FQY7fknejYIbUX9fKOKHaNM0JRrYJYO22JnqhxD44bhKSnz3QjRzXj40/THYrMncJ\n\t UB9+ZZEuC6ybQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2607:f8b0:4864:20::42b; helo=mail-pf1-x42b.google.com;\n envelope-from=lgs201920130244@gmail.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 4A5A98236D","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776079247; x=1776684047;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=iQ7f9KI9JqtBNgCC6+8bgvZa6CW8q9FixqdbvIgHfKA=;\n b=IjQV5Qst7g0ofP427f24ccEUpKGmI9aAumgU83T42uhZL0XMdZbfxl1/N4G6Zxajjq\n 841djbJIjrVmrBlV7tB8miyxB0cTaC/gtTn8ga5nyjt19BAIOkgynPYIXXBhpOZKhgQK\n aotGbsVLfg75XAuuyhX1kwJlYz5LCyT5JuDLTJi/hLLLxcInokCB1494eiCgKf5qAvbm\n TkxzlwrA+acXFFzQkgqthVHOcfPGuoR3Od5ZLGDv96VsBlklnhhTBvhH3uOxL5Sykeno\n W4W5s/5xp78ZIdh4x9xQZLTDWLUIT56zCK7TQ6yVfq/b8bEYOj8xjq6zHf4BnFZijFPy\n kkrw==","X-Forwarded-Encrypted":"i=1;\n AFNElJ/FvCCh/7FYZtovMUjRKS/Fa9AhGwUG1SY4QK8hU1sT/livEEiMiZMHx2JZzbCZbaPpIUj4spwf/1/XUFBTs4s=@lists.osuosl.org","X-Gm-Message-State":"AOJu0Yzrmh6W5ZasMEHUshN0GH8LbalPWVkIpdgej7TWT9tUsMK+Jnw5\n 0dLewoMwGnzOIAIxCXmbg/gLMPXrpopRj13ZDPqD5OpOv/ZNG8GEIFRJ","X-Gm-Gg":"AeBDieuGDSwhRbm5L0C0rWs0lDn8STmKspbdLGxgY/JpVmEiiBWeAXDhaF5NHQwpl1u\n 1wfjf7hniFhxJ4s5oNcD5trqhcZSLki/eVlwAfHPHJ8Y0cTfdefBJhPRsKaNO0e82FBgnY2QL3S\n JQb3qfdrZAYuHIpwAddNx79Py5Jhz629HT9vKdnbA0TpGtlp/wrFxiOkfZpdBcTOVdbuwAVhFzx\n AkNSvejW7fW4glAl04D8H3RScKdzn8BnSNehrg6+Lweo1F3yQDDElxVq33a9fwm8hcQpbaROyt5\n jMxAHlMsow8HpmDHPRtuSsJAF6/J7WJHEwTDhSPGRQgv7aNI6Yq0TufmJyUuyZVNsTX4qNCMGCC\n dDZiVEWnyXv4Dd90sECde/t2+gKl/V9C78udk3xm0CETXpzkQ1EZee9/42ek1EfyT3AAK3XMfQn\n oXp/C7n0VqJGPdvQ==","X-Received":"by 2002:a05:6a00:1887:b0:829:924c:348a with SMTP id\n d2e1a72fcca58-82f0c26b71fmr14463158b3a.45.1776079247519;\n Mon, 13 Apr 2026 04:20:47 -0700 (PDT)","From":"Guangshuo Li ","To":"Tony Nguyen ,\n Przemek Kitszel ,\n Andrew Lunn ,\n \"David S. Miller\" ,\n Eric Dumazet , Jakub Kicinski ,\n Paolo Abeni , Joshua Hay ,\n Tatyana Nikolova ,\n Madhu Chittim , intel-wired-lan@lists.osuosl.org,\n netdev@vger.kernel.org, linux-kernel@vger.kernel.org","Cc":"Guangshuo Li ,\n\tstable@vger.kernel.org","Date":"Mon, 13 Apr 2026 19:20:30 +0800","Message-ID":"<20260413112030.2694563-1-lgs201920130244@gmail.com>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776079247; x=1776684047; darn=lists.osuosl.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=iQ7f9KI9JqtBNgCC6+8bgvZa6CW8q9FixqdbvIgHfKA=;\n b=JII1BoFIAOicR6mVj6LklhffFCEeVPjzlADMLwbWau1BKznfJ9GM1qgrLKq7/K6yts\n iogY4sRoU3jOhkyB1d7fliZOn6GxnLvh6qhfcF85JgQOUb1FC9L18qOqW0rcFabcTu4b\n vyJ5zvQAGz/mdoxmSmGSbWpHOAaf+vC329gWg4PNvzHvO+s75rAwU35mMykOw0eN3maj\n B3RGNiU6B1lsHHGwJEKgzQ5b7MP6Q58URoZzXaqDMMeaGLRVqZz2n/wtWU4L5SR/Q/M9\n vj8R3UY+WzxvVd5Dh404aGOd+LhGzkQ4nEA8DUHmDkRcNDhmNC8B1E/aBEKyBXDmXlV9\n Vx0A==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=gmail.com","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=JII1BoFI"],"Subject":"[Intel-wired-lan] [PATCH v2] dpf: fix UAF and double free in\n idpf_plug_vport_aux_dev() error path","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" "},"content":"If auxiliary_device_add() fails, idpf_plug_vport_aux_dev() calls\nauxiliary_device_uninit(adev), whose release callback\nidpf_vport_adev_release() frees the containing\nstruct iidc_rdma_vport_auxiliary_dev.\n\nThe current error path then accesses adev->id and later frees iadev\nagain, which may lead to a use-after-free and double free.\n\nThe issue was identified by a static analysis tool I developed and\nconfirmed by manual review.\n\nFix it by storing the allocated auxiliary device id in a local\nvariable and avoiding direct freeing of iadev after\nauxiliary_device_uninit().\n\nFixes: be91128c579c (\"idpf: implement RDMA vport auxiliary dev create, init, and destroy\")\nCc: stable@vger.kernel.org\nSigned-off-by: Guangshuo Li \n---\nv2:\n - note that the issue was identified by my static analysis tool\n - and confirmed by manual review\n\n drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 +++++-\n 1 file changed, 5 insertions(+), 1 deletion(-)","diff":"diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c\nindex 6dad0593f7f2..2a18907643fc 100644\n--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c\n+++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c\n@@ -59,6 +59,7 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,\n \tchar name[IDPF_IDC_MAX_ADEV_NAME_LEN];\n \tstruct auxiliary_device *adev;\n \tint ret;\n+\tint adev_id;\n \n \tiadev = kzalloc(sizeof(*iadev), GFP_KERNEL);\n \tif (!iadev)\n@@ -74,11 +75,14 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,\n \t\tgoto err_ida_alloc;\n \t}\n \tadev->id = ret;\n+\tadev->id = adev_id;\n \tadev->dev.release = idpf_vport_adev_release;\n \tadev->dev.parent = &cdev_info->pdev->dev;\n \tsprintf(name, \"%04x.rdma.vdev\", cdev_info->pdev->vendor);\n \tadev->name = name;\n \n+\t/* iadev is owned by the auxiliary device */\n+\tiadev = NULL;\n \tret = auxiliary_device_init(adev);\n \tif (ret)\n \t\tgoto err_aux_dev_init;\n@@ -92,7 +96,7 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,\n err_aux_dev_add:\n \tauxiliary_device_uninit(adev);\n err_aux_dev_init:\n-\tida_free(&idpf_idc_ida, adev->id);\n+\tida_free(&idpf_idc_ida, adev_id);\n err_ida_alloc:\n \tvdev_info->adev = NULL;\n \tkfree(iadev);\n","prefixes":["v2"]}