> -----Original Message----- > From: Intel-wired-lan <[email protected]> On Behalf Of Kohei > Enju > Sent: 01 September 2025 02:03 > To: [email protected]; [email protected] > Cc: Nguyen, Anthony L <[email protected]>; Kitszel, Przemyslaw > <[email protected]>; Andrew Lunn <[email protected]>; David S. > Miller <[email protected]>; Eric Dumazet <[email protected]>; Jakub > Kicinski <[email protected]>; Paolo Abeni <[email protected]>; Wegrzyn, Stefan > <[email protected]>; Mateusz Polchlopek > <[email protected]>; Jagielski, Jedrzej > <[email protected]>; [email protected]; Kohei Enju > <[email protected]>; Koichiro Den <[email protected]> > Subject: [Intel-wired-lan] [PATCH iwl-net v1] ixgbe: fix memory leak and > use-after-free in ixgbe_recovery_probe() > > The error path of ixgbe_recovery_probe() has two memory bugs. > > For non-E610 adapters, the function jumps to clean_up_probe without calling > devlink_free(), leaking the devlink instance and its embedded adapter > structure. > > For E610 adapters, devlink_free() is called at shutdown_aci, but > clean_up_probe then accesses adapter->state, sometimes triggering > use-after-free because adapter is embedded in devlink. This UAF is similar to > the one recently reported in ixgbe_remove(). (Link) > > Fix both issues by moving devlink_free() after adapter->state access, > aligning with the cleanup order in ixgbe_probe(). > > Link: > https://lore.kernel.org/intel-wired-lan/[email protected]/ > Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode") > Signed-off-by: Kohei Enju <[email protected]> > --- > Cc: Koichiro Den <[email protected]> > --- > drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >
Tested-by: Rinitha S <[email protected]> (A Contingent worker at Intel)
