[PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()
@ 2026-06-13 10:14 ` NeKon69
  0 siblings, 0 replies; 4+ messages in thread
From: NeKon69 @ 2026-06-13 10:14 UTC (permalink / raw)
  To: anthony.l.nguyen, przemyslaw.kitszel
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, victor.raj,
	intel-wired-lan, netdev, linux-kernel, NeKon69

Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
changed ice_sched_add_nodes_to_layer() from recursive control flow to an
iterative loop.

Inside the loop, first_teid_ptr may be set to the address of a
block-local variable:

	u32 temp;
	...
	if (num_added)
		first_teid_ptr = &temp;

On the next loop iteration, first_teid_ptr may be passed to
ice_sched_add_nodes_to_hw_layer(), after temp from the previous
iteration has gone out of scope.

Move temp outside the loop so the pointer remains valid for the lifetime
of ice_sched_add_nodes_to_layer().

This was found by Clang with LifetimeSafety enabled while testing C
language support on a Linux allmodconfig build.

Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
Link: https://github.com/llvm/llvm-project/pull/203270
Signed-off-by: NeKon69 <nobodqwe@gmail.com>
---
 drivers/net/ethernet/intel/ice/ice_sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index fff0c1afdb41..089ad3967be5 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -1074,11 +1074,11 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
 	u32 *first_teid_ptr = first_node_teid;
 	u16 new_num_nodes = num_nodes;
 	int status = 0;
+	u32 temp;

 	*num_nodes_added = 0;
 	while (*num_nodes_added < num_nodes) {
 		u16 max_child_nodes, num_added = 0;
-		u32 temp;

 		status = ice_sched_add_nodes_to_hw_layer(pi, tc_node, parent,
 							 layer,	new_num_nodes,
-- 
2.54.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [Intel-wired-lan] [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()
@ 2026-06-13 10:14 ` NeKon69
  0 siblings, 0 replies; 4+ messages in thread
From: NeKon69 @ 2026-06-13 10:14 UTC (permalink / raw)
  To: anthony.l.nguyen, przemyslaw.kitszel
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, victor.raj,
	intel-wired-lan, netdev, linux-kernel, NeKon69

Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
changed ice_sched_add_nodes_to_layer() from recursive control flow to an
iterative loop.

Inside the loop, first_teid_ptr may be set to the address of a
block-local variable:

	u32 temp;
	...
	if (num_added)
		first_teid_ptr = &temp;

On the next loop iteration, first_teid_ptr may be passed to
ice_sched_add_nodes_to_hw_layer(), after temp from the previous
iteration has gone out of scope.

Move temp outside the loop so the pointer remains valid for the lifetime
of ice_sched_add_nodes_to_layer().

This was found by Clang with LifetimeSafety enabled while testing C
language support on a Linux allmodconfig build.

Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
Link: https://github.com/llvm/llvm-project/pull/203270
Signed-off-by: NeKon69 <nobodqwe@gmail.com>
---
 drivers/net/ethernet/intel/ice/ice_sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index fff0c1afdb41..089ad3967be5 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -1074,11 +1074,11 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
 	u32 *first_teid_ptr = first_node_teid;
 	u16 new_num_nodes = num_nodes;
 	int status = 0;
+	u32 temp;

 	*num_nodes_added = 0;
 	while (*num_nodes_added < num_nodes) {
 		u16 max_child_nodes, num_added = 0;
-		u32 temp;

 		status = ice_sched_add_nodes_to_hw_layer(pi, tc_node, parent,
 							 layer,	new_num_nodes,
-- 
2.54.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [Intel-wired-lan] [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()
  2026-06-13 10:14 ` [Intel-wired-lan] " NeKon69
@ 2026-06-15 12:08   ` Simon Horman
  -1 siblings, 0 replies; 4+ messages in thread
From: Simon Horman @ 2026-06-15 12:08 UTC (permalink / raw)
  To: NeKon69
  Cc: anthony.l.nguyen, przemyslaw.kitszel, andrew+netdev, davem,
	edumazet, kuba, pabeni, victor.raj, intel-wired-lan, netdev,
	linux-kernel

On Sat, Jun 13, 2026 at 01:14:40PM +0300, NeKon69 wrote:
> Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
> changed ice_sched_add_nodes_to_layer() from recursive control flow to an
> iterative loop.
> 
> Inside the loop, first_teid_ptr may be set to the address of a
> block-local variable:
> 
> 	u32 temp;
> 	...
> 	if (num_added)
> 		first_teid_ptr = &temp;
> 
> On the next loop iteration, first_teid_ptr may be passed to
> ice_sched_add_nodes_to_hw_layer(), after temp from the previous
> iteration has gone out of scope.
> 
> Move temp outside the loop so the pointer remains valid for the lifetime
> of ice_sched_add_nodes_to_layer().
> 
> This was found by Clang with LifetimeSafety enabled while testing C
> language support on a Linux allmodconfig build.
> 
> Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
> Link: https://github.com/llvm/llvm-project/pull/203270
> Signed-off-by: NeKon69 <nobodqwe@gmail.com>

I agree that this patch is correct.

However, I do wonder if it would be cleaner to allow
passing NULL as the first_node_teid argument of
ice_sched_add_nodes_to_hw_layer()

...

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()
@ 2026-06-15 12:08   ` Simon Horman
  0 siblings, 0 replies; 4+ messages in thread
From: Simon Horman @ 2026-06-15 12:08 UTC (permalink / raw)
  To: NeKon69
  Cc: anthony.l.nguyen, przemyslaw.kitszel, andrew+netdev, davem,
	edumazet, kuba, pabeni, victor.raj, intel-wired-lan, netdev,
	linux-kernel

On Sat, Jun 13, 2026 at 01:14:40PM +0300, NeKon69 wrote:
> Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
> changed ice_sched_add_nodes_to_layer() from recursive control flow to an
> iterative loop.
> 
> Inside the loop, first_teid_ptr may be set to the address of a
> block-local variable:
> 
> 	u32 temp;
> 	...
> 	if (num_added)
> 		first_teid_ptr = &temp;
> 
> On the next loop iteration, first_teid_ptr may be passed to
> ice_sched_add_nodes_to_hw_layer(), after temp from the previous
> iteration has gone out of scope.
> 
> Move temp outside the loop so the pointer remains valid for the lifetime
> of ice_sched_add_nodes_to_layer().
> 
> This was found by Clang with LifetimeSafety enabled while testing C
> language support on a Linux allmodconfig build.
> 
> Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
> Link: https://github.com/llvm/llvm-project/pull/203270
> Signed-off-by: NeKon69 <nobodqwe@gmail.com>

I agree that this patch is correct.

However, I do wonder if it would be cleaner to allow
passing NULL as the first_node_teid argument of
ice_sched_add_nodes_to_hw_layer()

...

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-06-15 16:36 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-13 10:14 [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer() NeKon69
2026-06-13 10:14 ` [Intel-wired-lan] " NeKon69
2026-06-15 12:08 ` Simon Horman
2026-06-15 12:08   ` Simon Horman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.