RE: [Intel-wired-lan] [PATCH net v2 1/2] ice: dpll: set pointers to NULL after kfree in ice_dpll_deinit_info

From: Loktionov, Aleksandr

Date: Fri May 29 2026 - 06:14:29 EST




> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf
> Of ZhaoJinming
> Sent: Friday, May 29, 2026 7:38 AM
> To: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@xxxxxxxxx>; Andrew Lunn
> <andrew+netdev@xxxxxxx>; David S . Miller <davem@xxxxxxxxxxxxx>; Eric
> Dumazet <edumazet@xxxxxxxxxx>; Jakub Kicinski <kuba@xxxxxxxxxx>; Paolo
> Abeni <pabeni@xxxxxxxxxx>
> Cc: intel-wired-lan@xxxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; ZhaoJinming <zhaojinming@xxxxxxxxxxxxx>
> Subject: [Intel-wired-lan] [PATCH net v2 1/2] ice: dpll: set pointers
> to NULL after kfree in ice_dpll_deinit_info
>
> ice_dpll_deinit_info() calls kfree() on several pf->dplls fields
> (inputs, outputs, eec.input_prio, pps.input_prio) but does not set the
> pointers to NULL afterward. This leaves dangling pointers in the
> pf->dplls structure.
>
> While not currently exploitable through existing code paths, this is
> unsafe because:
>
> 1. If ice_dpll_init_info() is called again after a deinit (e.g. during
> driver recovery), and a subsequent allocation within init fails, the
> error path will jump to deinit_info and call ice_dpll_deinit_info()
> again. Since some pointers still hold the old freed addresses, this
> would result in a double-free.
>
> 2. Any future code that checks these pointers before use or after free
> would be unprotected against use-after-free.
>
> Follow the common kernel convention of setting pointers to NULL after
> kfree() so that:
> - kfree(NULL) is a safe no-op, preventing double-free
> - NULL checks on these pointers become meaningful
>
> This is a preparatory fix for a subsequent patch that routes
> additional error paths in ice_dpll_init_info() to the deinit_info
> label.
>
> Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu")
> Signed-off-by: ZhaoJinming <zhaojinming@xxxxxxxxxxxxx>
> ---
> drivers/net/ethernet/intel/ice/ice_dpll.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c
> b/drivers/net/ethernet/intel/ice/ice_dpll.c
> index 892bc7c2e28b..99bb308255cc 100644
> --- a/drivers/net/ethernet/intel/ice/ice_dpll.c
> +++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
> @@ -4247,9 +4247,13 @@ ice_dpll_init_pins_info(struct ice_pf *pf, enum
> ice_dpll_pin_type pin_type) static void ice_dpll_deinit_info(struct
> ice_pf *pf) {
> kfree(pf->dplls.inputs);
> + pf->dplls.inputs = NULL;
> kfree(pf->dplls.outputs);
> + pf->dplls.outputs = NULL;
> kfree(pf->dplls.eec.input_prio);
> + pf->dplls.eec.input_prio = NULL;
> kfree(pf->dplls.pps.input_prio);
> + pf->dplls.pps.input_prio = NULL;
> }
>
> /**
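Review bot: the hunk clears each pointer immediately after its kfree(), which matches the commit message, but nothing in the function itself records why; a one-line comment above the first kfree(), for example `/* reset so a failed re-init can run this teardown again safely */`, would keep the intent from being lost if someone later simplifies the NULL stores away. Separately, in this quoted copy the `@@` header has been joined with the `static void ice_dpll_deinit_info(struct ice_pf *pf) {` line and leading whitespace has been stripped, so the patch as quoted here will not apply with `git am`; use the original posting rather than this reply when testing.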
> --
> 2.20.1


Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@xxxxxxxxx>

Code looks correct. Please add `Cc: stable@xxxxxxxxxxxxxxx # v6.7+` to both patches and include a v1→v2 changelog before reposting as v3.
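As an added illustration that is not part of the patch or the ice driver, the C model below reproduces the double-free scenario from item 1 of the commit message: a full init, a teardown, then a re-init whose third allocation fails and takes the deinit error path. The struct and field names are simplified stand-ins for pf->dplls, and the free tracker is constructed so that a second free of the same address is counted instead of actually executed.

```c
#include <stdlib.h>
/* Constructed stand-in for pf->dplls with the four fields the hunk frees. */
struct dplls { void *inputs, *outputs, *eec_prio, *pps_prio; };
/* Free tracker: remembers freed addresses so a second free of the same
 * address is counted instead of really corrupting the heap. */
#define TRACK 16
static void *freed[TRACK];
static int nfreed, double_frees;
static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; i < nfreed; i++)      /* address handed out again: no longer freed */
        if (freed[i] == p) freed[i] = freed[--nfreed];
    return p;
}
static void tracked_free(void *p)
{
    if (!p) return;                        /* kfree(NULL) is a safe no-op */
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nfreed < TRACK) freed[nfreed++] = p;
    free(p);
}
/* "before": mirrors the unpatched ice_dpll_deinit_info(), pointers left dangling */
static void deinit_dangling(struct dplls *d)
{
    tracked_free(d->inputs); tracked_free(d->outputs);
    tracked_free(d->eec_prio); tracked_free(d->pps_prio);
}
/* "after": each kfree() followed by clearing the pointer, as the patch does */
static void deinit_fixed(struct dplls *d)
{
    tracked_free(d->inputs);   d->inputs = NULL;
    tracked_free(d->outputs);  d->outputs = NULL;
    tracked_free(d->eec_prio); d->eec_prio = NULL;
    tracked_free(d->pps_prio); d->pps_prio = NULL;
}
/* Item 1 of the commit message: full init, teardown, then a re-init whose third
 * allocation fails and takes the deinit error path. Returns double-frees seen. */
static int run_scenario(void (*deinit)(struct dplls *))
{
    struct dplls d = {0};
    nfreed = 0; double_frees = 0;
    d.inputs = tracked_alloc(8); d.outputs = tracked_alloc(8);
    d.eec_prio = tracked_alloc(8); d.pps_prio = tracked_alloc(8);
    deinit(&d);                                      /* normal teardown */
    d.inputs = tracked_alloc(8); d.outputs = tracked_alloc(8);
    deinit(&d);   /* simulated -ENOMEM on eec.input_prio: error path runs deinit */
    return double_frees;
}
```

With the dangling teardown the tracker sees the two stale pointers (eec_prio and pps_prio) freed a second time; with the patched teardown those fields are NULL and kfree(NULL) is skipped, so the count is zero.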