[PATCH net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()

[PATCH net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()

[Dawei Feng]

rvu_rep_rsrc_init() allocates queue memory before calling
otx2_init_hw_resources(). When hardware resource setup fails,
otx2_init_hw_resources() already unwinds the partially initialized
SQ, CQ, and aura state before returning an error. The representor
error path then calls otx2_free_hw_resources() again and can free
the same resources a second time.

Fix this by splitting the cleanup labels so that a failure from
otx2_init_hw_resources() only releases queue memory. Keep the
otx2_free_hw_resources() call for failures that happen after
hardware resource initialization completed successfully.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.

Runtime validation was not performed because reproducing this path
requires OcteonTX2 representor hardware.

Fixes: 3937b7308d4f ("octeontx2-pf: Create representor netdev")
Cc: stable@vger.kernel.org # v6.13+
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
 drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
index 94f155ffb17f..0f5d5642d3f7 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
@@ -609,7 +609,7 @@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
 
 	err = otx2_init_hw_resources(priv);
 	if (err)
-		goto err_free_rsrc;
+		goto err_free_mem;
 
 	/* Set maximum frame size allowed in HW */
 	err = otx2_hw_set_mtu(priv, priv->hw.max_mtu);
@@ -621,6 +621,7 @@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
 
 err_free_rsrc:
 	otx2_free_hw_resources(priv);
+err_free_mem:
 	otx2_free_queue_mem(qset);
 	return err;
 }
-- 
2.34.1

RE: [EXTERNAL] [PATCH net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()

[Geethasowjanya Akula]

>-----Original Message-----
>From: Dawei Feng <dawei.feng@seu.edu.cn>
>Sent: Wednesday, May 13, 2026 8:43 PM
>To: Sunil Kovvuri Goutham <sgoutham@marvell.com>
>Cc: Geethasowjanya Akula <gakula@marvell.com>; Subbaraya Sundeep Bhatta
><sbhatta@marvell.com>; Hariprasad Kelam <hkelam@marvell.com>; Bharat
>Bhushan <bbhushan2@marvell.com>; andrew+netdev@lunn.ch;
>davem@davemloft.net; edumazet@google.com; kuba@kernel.org;
>pabeni@redhat.com; netdev@vger.kernel.org; linux-kernel@vger.kernel.org;
>jianhao.xu@seu.edu.cn; Dawei Feng <dawei.feng@seu.edu.cn>;
>stable@vger.kernel.org; Zilin Guan <zilin@seu.edu.cn>
>Subject: [EXTERNAL] [PATCH net] octeontx2-pf: fix double free in
>rvu_rep_rsrc_init()
>
>rvu_rep_rsrc_init() allocates queue memory before calling
>otx2_init_hw_resources(). When hardware resource setup fails,
>otx2_init_hw_resources() already unwinds the partially initialized SQ, CQ, and
>aura state before returning an error. The representor error path then calls
>otx2_free_hw_resources() again and can free the same resources a second
>time.
>
>Fix this by splitting the cleanup labels so that a failure from
>otx2_init_hw_resources() only releases queue memory. Keep the
>otx2_free_hw_resources() call for failures that happen after hardware resource
>initialization completed successfully.
>
>The bug was first flagged by an experimental analysis tool we are developing
>for kernel memory-management bugs while analyzing v6.13-rc1. The tool is
>still under development and is not yet publicly available. Manual inspection
>confirms that the bug is still present in v7.1-rc3.
>
>Runtime validation was not performed because reproducing this path requires
>OcteonTX2 representor hardware.
>
>Fixes: 3937b7308d4f ("octeontx2-pf: Create representor netdev")
>Cc: stable@vger.kernel.org # v6.13+
>Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
>Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
>---
> drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>index 94f155ffb17f..0f5d5642d3f7 100644
>--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
>@@ -609,7 +609,7 @@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
>
> 	err = otx2_init_hw_resources(priv);
> 	if (err)
>-		goto err_free_rsrc;
>+		goto err_free_mem;
>
> 	/* Set maximum frame size allowed in HW */
> 	err = otx2_hw_set_mtu(priv, priv->hw.max_mtu); @@ -621,6 +621,7
>@@ static int rvu_rep_rsrc_init(struct otx2_nic *priv)
>
> err_free_rsrc:
> 	otx2_free_hw_resources(priv);
>+err_free_mem:
> 	otx2_free_queue_mem(qset);
> 	return err;
> }
>--
>2.34.1
Reviewed-by: Geetha sowjanya <gakula@marvell.com>

Thanks,
Geetha.

Re: [PATCH net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 13 May 2026 23:13:20 +0800 you wrote:
> rvu_rep_rsrc_init() allocates queue memory before calling
> otx2_init_hw_resources(). When hardware resource setup fails,
> otx2_init_hw_resources() already unwinds the partially initialized
> SQ, CQ, and aura state before returning an error. The representor
> error path then calls otx2_free_hw_resources() again and can free
> the same resources a second time.
> 
> [...]

Here is the summary with links:
  - [net] octeontx2-pf: fix double free in rvu_rep_rsrc_init()
    https://git.kernel.org/netdev/net/c/e8fb3de2a8ef

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html