RE: [EXTERNAL] [PATCH net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()

From: Geethasowjanya Akula

Date: Thu May 14 2026 - 01:06:02 EST


>-----Original Message-----
>From: Dawei Feng <dawei.feng@xxxxxxxxxx>
>Sent: Wednesday, May 13, 2026 8:43 PM
>To: Sunil Kovvuri Goutham <sgoutham@xxxxxxxxxxx>
>Cc: Geethasowjanya Akula <gakula@xxxxxxxxxxx>; Subbaraya Sundeep Bhatta
><sbhatta@xxxxxxxxxxx>; Hariprasad Kelam <hkelam@xxxxxxxxxxx>; Bharat
>Bhushan <bbhushan2@xxxxxxxxxxx>; andrew+netdev@xxxxxxx;
>davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx; kuba@xxxxxxxxxx;
>pabeni@xxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
>jianhao.xu@xxxxxxxxxx; Dawei Feng <dawei.feng@xxxxxxxxxx>;
>stable@xxxxxxxxxxxxxxx; Zilin Guan <zilin@xxxxxxxxxx>
>Subject: [EXTERNAL] [PATCH net] octeontx2-pf: fix double free in
>rvu_rep_rsrc_init()
>
>rvu_rep_rsrc_init() allocates queue memory before calling
>otx2_init_hw_resources(). When hardware resource setup fails,
>otx2_init_hw_resources() already unwinds the partially initialized SQ, CQ, and
>aura state before returning an error. The representor error path then calls
>otx2_free_hw_resources() again and can free the same resources a second
>time.
>
>Fix this by splitting the cleanup labels so that a failure from
>otx2_init_hw_resources() only releases queue memory. Keep the
>otx2_free_hw_resources() call for failures that happen after hardware resource
>initialization completed successfully.
>
>The bug was first flagged by an experimental analysis tool we are developing
>for kernel memory-management bugs while analyzing v6.13-rc1. The tool is
>still under development and is not yet publicly available. Manual inspection
>confirms that the bug is still present in v7.1-rc3.
>
>Runtime validation was not performed because reproducing this path requires
>OcteonTX2 representor hardware.
>
>Fixes: 3937b7308d4f ("octeontx2-pf: Create representor netdev")
>Cc: stable@xxxxxxxxxxxxxxx # v6.13+
>Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
>Signed-off-by: Dawei Feng <dawei.feng@xxxxxxxxxx>
>---
> drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>index 94f155ffb17f..0f5d5642d3f7 100644
>--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>@@ -609,7 +609,7 @@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
>
> err = otx2_init_hw_resources(priv);
> if (err)
>- goto err_free_rsrc;
>+ goto err_free_mem;
>
> /* Set maximum frame size allowed in HW */
> err = otx2_hw_set_mtu(priv, priv->hw.max_mtu); @@ -621,6 +621,7
>@@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
>
> err_free_rsrc:
> otx2_free_hw_resources(priv);
>+err_free_mem:
> otx2_free_queue_mem(qset);
> return err;
> }
>--
>2.34.1
Reviewed-by: Geetha sowjanya <gakula@xxxxxxxxxxx>

Thanks,
Geetha.