Re: [Intel-wired-lan] [PATCH net] i40e: fix netdev leak in i40e_vsi_setup() error paths
From: Shannon Nelson
Date: Thu May 28 2026 - 14:10:23 EST
On 5/28/26 01:49, Loktionov, Aleksandr wrote:
-----Original Message-----
From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf
Of Dawei Feng
Sent: Wednesday, May 27, 2026 1:02 PM
To: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>
Cc: Kitszel, Przemyslaw <przemyslaw.kitszel@xxxxxxxxx>;
andrew+netdev@xxxxxxx; davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx;
kuba@xxxxxxxxxx; pabeni@xxxxxxxxxx; jesse.brandeburg@xxxxxxxxx;
sln@xxxxxxxxxxx; intel-wired-lan@xxxxxxxxxxxxxxxx;
netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
jianhao.xu@xxxxxxxxxx; Dawei Feng <dawei.feng@xxxxxxxxxx>;
stable@xxxxxxxxxxxxxxx; Zilin Guan <zilin@xxxxxxxxxx>
Subject: [Intel-wired-lan] [PATCH net] i40e: fix netdev leak in
i40e_vsi_setup() error paths
i40e_config_netdev() allocates vsi->netdev for main and VMDQ VSIs. If
i40e_netif_set_realnum_tx_rx_queues(), i40e_devlink_create_port(), or
register_netdev() fails, i40e_vsi_setup() goes to err_netdev without
releasing the netdev. The existing cleanup only frees the netdev after
a successful register_netdev(), so these error paths leak the
allocation.
Reorder the error paths at err_netdev to ensure proper cleanup of the
allocated device.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing v6.13-
rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc5.
An x86_64 allyesconfig build showed no new warnings. As we do not have
an Intel Ethernet Controller XL710 family adapter to test with, no
runtime testing was able to be performed.
Fixes: 41c445ff0f48 ("i40e: main driver core")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
Signed-off-by: Dawei Feng <dawei.feng@xxxxxxxxxx>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c
b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 6d4f9218dc68..1ced01b0cc09 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -14491,13 +14491,15 @@ struct i40e_vsi *i40e_vsi_setup(struct
i40e_pf *pf, u8 type,
if (vsi->netdev_registered) {
vsi->netdev_registered = false;
unregister_netdev(vsi->netdev);
- free_netdev(vsi->netdev);
- vsi->netdev = NULL;
}
err_dl_port:
if (vsi->type == I40E_VSI_MAIN)
i40e_devlink_destroy_port(pf);
err_netdev:
+ if (vsi->netdev) {
+ free_netdev(vsi->netdev);
+ vsi->netdev = NULL;
+ }
i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
Would it make sense to put these 4 lines into i40e_vsi_clear()? Then you can also clean up i40e_vsi_release() and i40e_vsi_reinit_setup() in a similar way.
sln
err_vsi:Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@xxxxxxxxx>
i40e_vsi_clear(vsi);
--
2.34.1