[Patch next] octeontx2-pf: fix potential double free in rvu_rep_create()
From: cxxz16
Date: Sun Apr 13 2025 - 02:29:24 EST
In rvu_rep_create(), the netdev is allocated via alloc_etherdev()
and assigned to rep->netdev. This rep structure is then stored
in the priv->reps array indexed by rep_id.
If either rvu_rep_devlink_port_register() or register_netdev() fails,
the function frees ndev using free_netdev(ndev) before jumping to
the 'exit:' label. However, in the 'exit:' section, the function
iterates over priv->reps[] and again frees rep->netdev, which points
to the same ndev.
This results in a potential double free of the same netdev pointer,
which can cause memory corruption or crashes.
To fix this, avoid calling free_netdev(ndev) before jumping to 'exit:'.
The cleanup logic at 'exit:' should handle the freeing safely.
Signed-off-by: cxxz16 <990492108@xxxxxx>
---
drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
index 04e08e06f30f..de9a50f2fc39 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
@@ -681,7 +681,6 @@ int rvu_rep_create(struct otx2_nic *priv, struct netlink_ext_ack *extack)
eth_hw_addr_random(ndev);
err = rvu_rep_devlink_port_register(rep);
if (err) {
- free_netdev(ndev);
goto exit;
}
@@ -691,7 +690,6 @@ int rvu_rep_create(struct otx2_nic *priv, struct netlink_ext_ack *extack)
NL_SET_ERR_MSG_MOD(extack,
"PFVF representor registration failed");
rvu_rep_devlink_port_unregister(rep);
- free_netdev(ndev);
goto exit;
}
--
2.34.1