RE: [Intel-wired-lan] [PATCH] ice: fix double free in ice_sf_eth_activate() error path

From: Loktionov, Aleksandr

Date: Wed Mar 18 2026 - 11:47:39 EST



> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf
> Of Guangshuo Li
> Sent: Wednesday, March 18, 2026 4:10 PM
> To: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@xxxxxxxxx>; Andrew Lunn
> <andrew+netdev@xxxxxxx>; David S. Miller <davem@xxxxxxxxxxxxx>; Eric
> Dumazet <edumazet@xxxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo
> Abeni <pabeni@xxxxxxxxxx>; Simon Horman <horms@xxxxxxxxxx>; Michal
> Swiatkowski <michal.swiatkowski@xxxxxxxxxxxxxxx>; Piotr Raczynski
> <piotr.raczynski@xxxxxxxxx>; intel-wired-lan@xxxxxxxxxxxxxxxx;
> netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Cc: Guangshuo Li <lgs201920130244@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx
> Subject: [Intel-wired-lan] [PATCH] ice: fix double free in
> ice_sf_eth_activate() error path
>
> When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to
> aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).
>
> The device release callback ice_sf_dev_release() frees sf_dev, but the
> current error path falls through to sf_dev_free and calls
> kfree(sf_dev) again, causing a double free.
>
> Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but
> avoid falling through to sf_dev_free after auxiliary_device_uninit().
>
> Fixes: 13acc5c4cdbe ("ice: subfunction activation and base devlink
> ops")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> drivers/net/ethernet/intel/ice/ice_sf_eth.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c
> b/drivers/net/ethernet/intel/ice/ice_sf_eth.c
> index 1a2c94375ca7..ec6020338b9f 100644
> --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c
> +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c
> @@ -305,6 +305,7 @@ ice_sf_eth_activate(struct ice_dynamic_port
> *dyn_port,
>
> aux_dev_uninit:
> auxiliary_device_uninit(&sf_dev->adev);
> + goto xa_erase;
> sf_dev_free:
> kfree(sf_dev);
> xa_erase:
> --
> 2.43.0

Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@xxxxxxxxx>