* Re: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths
2026-04-11 10:12 [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
@ 2026-04-13 11:06 ` Loktionov, Aleksandr
2026-04-14 0:46 ` Jacob Keller
2026-04-14 6:54 ` Paul Menzel
2 siblings, 0 replies; 5+ messages in thread
From: Loktionov, Aleksandr @ 2026-04-13 11:06 UTC (permalink / raw)
To: Greg Kroah-Hartman, intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Nguyen, Anthony L, Kitszel, Przemyslaw, Andrew Lunn,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
stable
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf
> Of Greg Kroah-Hartman
> Sent: Saturday, April 11, 2026 12:12 PM
> To: intel-wired-lan@lists.osuosl.org
> Cc: netdev@vger.kernel.org; linux-kernel@vger.kernel.org; Greg Kroah-
> Hartman <gregkh@linuxfoundation.org>; Nguyen, Anthony L
> <anthony.l.nguyen@intel.com>; Kitszel, Przemyslaw
> <przemyslaw.kitszel@intel.com>; Andrew Lunn <andrew+netdev@lunn.ch>;
> David S. Miller <davem@davemloft.net>; Eric Dumazet
> <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo Abeni
> <pabeni@redhat.com>; stable <stable@kernel.org>
> Subject: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-
> after-free in aux device error paths
>
> When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
> idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
> auxiliary_device_uninit() and falls through to err_aux_dev_init. The
> uninit call will trigger put_device(), which invokes the release
> callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
> iadev. The fall-through then reads adev->id from the freed iadev for
> ida_free() and double-frees iadev with kfree().
>
> Free the IDA slot and clear the back-pointer before uninit, while adev
> is still valid, then return immediately.
>
> Commit 65637c3a1811 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev
> deinitialization") fixed the same use-after-free in the matching
> unplug path in this file but missed both probe error paths.
>
> Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
> Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Cc: Andrew Lunn <andrew+netdev@lunn.ch>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: stable <stable@kernel.org>
> Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create,
> init, and destroy")
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create,
> init, and destroy")
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> Note, these cleanup paths are messy, but I couldn't see a simpler way
> without a lot more rework, so I choose the simple way :)
>
> drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> index 7e4f4ac92653..b7d6b08fc89e 100644
> --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> @@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct
> iidc_rdma_core_dev_info *cdev_info,
> return 0;
>
> err_aux_dev_add:
> + ida_free(&idpf_idc_ida, adev->id);
> + vdev_info->adev = NULL;
> auxiliary_device_uninit(adev);
> + return ret;
> err_aux_dev_init:
> ida_free(&idpf_idc_ida, adev->id);
> err_ida_alloc:
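Review bot: the new `return ret;` under err_aux_dev_add is the only thing keeping this path out of the second `ida_free(&idpf_idc_ida, adev->id);` at err_aux_dev_init, and nothing in the code says why it must stay. A one-line comment above `auxiliary_device_uninit(adev);` noting that the release callback frees the containing iadev, so adev must not be touched afterwards, would keep a later cleanup from folding the two labels back together.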
> @@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct
> iidc_rdma_core_dev_info *cdev_info)
> return 0;
>
> err_aux_dev_add:
> + ida_free(&idpf_idc_ida, adev->id);
> + cdev_info->adev = NULL;
> auxiliary_device_uninit(adev);
> + return ret;
> err_aux_dev_init:
> ida_free(&idpf_idc_ida, adev->id);
> err_ida_alloc:
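Review bot: `cdev_info->adev = NULL;` is added only under err_aux_dev_add, while the err_aux_dev_init context below it shows just the `ida_free()` call. Whether the back-pointer can still be set when the init step fails depends on lines outside this hunk, so the commit message should say where the pointer is assigned, or the clear should also be done on that path if the assignment happens before init.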
> --
> 2.53.0
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
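The error-path ordering described in the commit message above, as a userspace C model added here; it is not code from the patch or from the idpf driver. All names (adev_model, model_uninit, plug_add_fails and so on) are hypothetical, and "free" only flips a flag on a stack object, so the stale read and the second free are counted rather than executed.

```c
#include <stdio.h>

/* Constructed userspace model; every name here is hypothetical, not idpf code. */
struct adev_model { int live; int id; int refs; };
static int uaf_reads, double_frees, ida_in_use;

static void model_kfree(struct adev_model *a)
{
	double_frees += !a->live;	/* freeing an already freed object */
	a->live = 0;
}

static int model_read_id(const struct adev_model *a)
{
	uaf_reads += !a->live;		/* field read after release ran */
	return a->id;
}

/* Stands in for auxiliary_device_uninit(): the last put runs release, which frees. */
static void model_uninit(struct adev_model *a)
{
	if (--a->refs == 0)
		model_kfree(a);
}
static void model_ida_free(int id) { (void)id; ida_in_use--; }

/* Add-failure ladder: fixed=0 falls through, fixed=1 uses the patched order. */
static int plug_add_fails(int fixed)
{
	struct adev_model a = { .live = 1, .id = 7, .refs = 1 };

	uaf_reads = double_frees = 0;
	ida_in_use = 1;
	if (fixed) {
		model_ida_free(model_read_id(&a));	/* a is still valid here */
		model_uninit(&a);
		return uaf_reads + double_frees;	/* return, no fall-through */
	}
	model_uninit(&a);			/* err_aux_dev_add */
	model_ida_free(model_read_id(&a));	/* err_aux_dev_init: stale read */
	model_kfree(&a);			/* later label: second free */
	return uaf_reads + double_frees;
}

int main(void)
{
	printf("pre-fix: %d, patched: %d\n", plug_add_fails(0), plug_add_fails(1));
	return 0;
}
```

Both orderings release the ID exactly once; only the fall-through ordering touches the object after its release callback has run.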
* Re: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths
2026-04-11 10:12 [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
2026-04-13 11:06 ` Loktionov, Aleksandr
@ 2026-04-14 0:46 ` Jacob Keller
2026-04-14 6:54 ` Paul Menzel
2 siblings, 0 replies; 5+ messages in thread
From: Jacob Keller @ 2026-04-14 0:46 UTC (permalink / raw)
To: Greg Kroah-Hartman, intel-wired-lan, netdev@vger.kernel.org,
Jakub Kicinski
Cc: netdev, linux-kernel, Tony Nguyen, Przemek Kitszel, Andrew Lunn,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
stable
On 4/11/2026 3:12 AM, Greg Kroah-Hartman wrote:
> When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
> idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
> auxiliary_device_uninit() and falls through to err_aux_dev_init. The
> uninit call will trigger put_device(), which invokes the release
> callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
> iadev. The fall-through then reads adev->id from the freed iadev for
> ida_free() and double-frees iadev with kfree().
>
> Free the IDA slot and clear the back-pointer before uninit, while adev
> is still valid, then return immediately.
>
> Commit 65637c3a1811 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev
> deinitialization") fixed the same use-after-free in the matching unplug
> path in this file but missed both probe error paths.
>
> Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
> Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Cc: Andrew Lunn <andrew+netdev@lunn.ch>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: stable <stable@kernel.org>
> Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
This is targeted at [net]. The fix seems straightforward enough.
@Jakub, I have no objections if you want to pull this directly. I am not
sure our validation team will find anything when testing since this is
an error path that has historically been difficult for us to test.
I'm also fine with taking it through iwl-net if you prefer, but just
want to avoid duplicate work if you're already considering it.
> Note, these cleanup paths are messy, but I couldn't see a simpler way
> without a lot more rework, so I choose the simple way :)
>
Yea, I didn't see a better way either.
Thanks,
Jake
* Re: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths
2026-04-11 10:12 [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
2026-04-13 11:06 ` Loktionov, Aleksandr
2026-04-14 0:46 ` Jacob Keller
@ 2026-04-14 6:54 ` Paul Menzel
2026-04-14 8:00 ` Greg Kroah-Hartman
2 siblings, 1 reply; 5+ messages in thread
From: Paul Menzel @ 2026-04-14 6:54 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: intel-wired-lan, netdev, linux-kernel, Tony Nguyen,
Przemek Kitszel, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, stable
Dear Greg,
Thank you for the patch.
On 11.04.26 at 12:12, Greg Kroah-Hartman wrote:
> When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
> idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
> auxiliary_device_uninit() and falls through to err_aux_dev_init. The
> uninit call will trigger put_device(), which invokes the release
> callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
> iadev. The fall-through then reads adev->id from the freed iadev for
> ida_free() and double-frees iadev with kfree().
>
> Free the IDA slot and clear the back-pointer before uninit, while adev
> is still valid, then return immediately.
>
> Commit 65637c3a1811 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev
The commit hash is pasted twice.
> deinitialization") fixed the same use-after-free in the matching unplug
> path in this file but missed both probe error paths.
>
> Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
> Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Cc: Andrew Lunn <andrew+netdev@lunn.ch>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: stable <stable@kernel.org>
> Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> Note, these cleanup paths are messy, but I couldn't see a simpler way
> without a lot more rework, so I choose the simple way :)
>
> drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> index 7e4f4ac92653..b7d6b08fc89e 100644
> --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> @@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,
> return 0;
>
> err_aux_dev_add:
> + ida_free(&idpf_idc_ida, adev->id);
> + vdev_info->adev = NULL;
> auxiliary_device_uninit(adev);
> + return ret;
> err_aux_dev_init:
> ida_free(&idpf_idc_ida, adev->id);
> err_ida_alloc:
> @@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct iidc_rdma_core_dev_info *cdev_info)
> return 0;
>
> err_aux_dev_add:
> + ida_free(&idpf_idc_ida, adev->id);
> + cdev_info->adev = NULL;
> auxiliary_device_uninit(adev);
> + return ret;
> err_aux_dev_init:
> ida_free(&idpf_idc_ida, adev->id);
> err_ida_alloc:
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
gemini/gemini-3.1-pro-preview has two comments [1]. Maybe the driver
developers could judge their relevance.
Kind regards,
Paul
[1]:
https://sashiko.dev/#/patchset/2026041116-retail-bagginess-250f%40gregkh
* Re: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths
2026-04-14 6:54 ` Paul Menzel
@ 2026-04-14 8:00 ` Greg Kroah-Hartman
0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-14 8:00 UTC (permalink / raw)
To: Paul Menzel
Cc: intel-wired-lan, netdev, linux-kernel, Tony Nguyen,
Przemek Kitszel, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, stable
On Tue, Apr 14, 2026 at 08:54:55AM +0200, Paul Menzel wrote:
> Dear Greg,
>
>
> Thank you for the patch.
>
> On 11.04.26 at 12:12, Greg Kroah-Hartman wrote:
> > When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
> > idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
> > auxiliary_device_uninit() and falls through to err_aux_dev_init. The
> > uninit call will trigger put_device(), which invokes the release
> > callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
> > iadev. The fall-through then reads adev->id from the freed iadev for
> > ida_free() and double-frees iadev with kfree().
> >
> > Free the IDA slot and clear the back-pointer before uninit, while adev
> > is still valid, then return immediately.
> >
> > Commit 65637c3a1811 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev
>
> The commit hash is pasted twice.
Argh, when I cut/paste from my terminal that happened, my fault.
> > deinitialization") fixed the same use-after-free in the matching unplug
> > path in this file but missed both probe error paths.
> >
> > Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
> > Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> > Cc: Andrew Lunn <andrew+netdev@lunn.ch>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Paolo Abeni <pabeni@redhat.com>
> > Cc: stable <stable@kernel.org>
> > Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
> > Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> > Assisted-by: gregkh_clanker_t1000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > Note, these cleanup paths are messy, but I couldn't see a simpler way
> > without a lot more rework, so I choose the simple way :)
> >
> > drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> > index 7e4f4ac92653..b7d6b08fc89e 100644
> > --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
> > +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
> > @@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,
> > return 0;
> > err_aux_dev_add:
> > + ida_free(&idpf_idc_ida, adev->id);
> > + vdev_info->adev = NULL;
> > auxiliary_device_uninit(adev);
> > + return ret;
> > err_aux_dev_init:
> > ida_free(&idpf_idc_ida, adev->id);
> > err_ida_alloc:
> > @@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct iidc_rdma_core_dev_info *cdev_info)
> > return 0;
> > err_aux_dev_add:
> > + ida_free(&idpf_idc_ida, adev->id);
> > + cdev_info->adev = NULL;
> > auxiliary_device_uninit(adev);
> > + return ret;
> > err_aux_dev_init:
> > ida_free(&idpf_idc_ida, adev->id);
> > err_ida_alloc:
>
> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
>
> gemini/gemini-3.1-pro-preview has two comments [1]. Maybe the driver
> developers could judge their relevance.
These "pre-existing" reports are getting annoying. While they are nice
to see for driver authors, it makes developers sending bug fixes in feel
like they are forced to do "more". I think they are trying to tune this
to be a bit more sane...
thanks,
greg k-h