From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-m155101.qiye.163.com (mail-m155101.qiye.163.com [101.71.155.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 741BC4921A8; Fri, 15 May 2026 15:23:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=101.71.155.101 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858635; cv=none; b=g4c8xHAHbPtteh1GEnBP8yqQsdqLR5IAaSWtBD1w1V2Aj24B+7uTG5Vx0tdgQBvRyN5+Fd33mhU7RMtI7Y3LtnY1/YWO7p8ap4rVgGNHOZVsKvcCj4R7Cwdo1A7K6qHTF+BhD9Xiv8P6Ypr299l+ADkApduRhqPGpEHJ9HUpzZU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778858635; c=relaxed/simple; bh=nmV8p/T76++v4kS8HMb/fCezPJOSLRoxPxDZl47Q6Ww=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=OB/h1GJjM9cJZ1rH2Yjv3EOWLT1NigdmgjrdNUzjVgUcovxzKlasUFiM/xjN0CooZKR06TQMGqSFxQHU++WGMS6FfNeD8gKAwAtGtlO5oFB6sVIWnKJyMSe9mhxHswToSG+PFXksfApaEL+5hY0FVT6afmvs/FoAgT6MaHoi0Sw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn; spf=pass smtp.mailfrom=seu.edu.cn; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b=YwLp0g94; arc=none smtp.client-ip=101.71.155.101 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seu.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=seu.edu.cn header.i=@seu.edu.cn header.b="YwLp0g94" Received: from DESKTOP-SUEFNF9.taila7e912.ts.net (unknown [58.241.16.34]) by smtp.qiye.163.com (Hmail) with ESMTP id 3e998b2e7; Fri, 15 May 2026 23:18:31 +0800 (GMT+08:00) From: Dawei Feng To: sgoutham@marvell.com Cc: gakula@marvell.com, sbhatta@marvell.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, jianhao.xu@seu.edu.cn, Dawei Feng , stable@vger.kernel.org, Zilin Guan Subject: [PATCH net] octeontx2-pf: avoid double free of pool->stack on AQ init failure Date: Fri, 15 May 2026 23:18:26 +0800 Message-Id: <20260515151826.1005397-1-dawei.feng@seu.edu.cn> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-HM-Tid: 0a9e2c37bdaa03a2kunm5da3c6f1b5961 X-HM-MType: 10 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWRgWCB1ZQUpXWS1ZQUlXWQ8JGhUIEh9ZQVkaGh1DVkJNGR9CHR1JGEJKT1YeHw 5VEwETFhoSFyQUDg9ZV1kYEgtZQVlOQ1VJT0pVSk1VSE9ZV1kWGg8SFR0UWUFZT0tIVUpLSUhOQ0 NVSktLVUtZBg++ DKIM-Signature: a=rsa-sha256; b=YwLp0g94UA9YAEUqjxpyrYtlzwNjQ3tQ/llGmv6rty0go3BbTnopTBKI4PHRnXhaRww2MGRO6qwc3Hskr/uOo9ryyDUFdTrbzv0VKhM2OxhOF0xZxkl/+2oHkwAPWA0C55TIgDfoS5bJAWU2Bt/QUEPqcNhYBAN5n5MfxB6SOi4=; s=default; c=relaxed/relaxed; d=seu.edu.cn; v=1; bh=u79pZuyIMbbIz9O7acDkygmJPHr/MQwleRbsEeDtsuA=; h=date:mime-version:subject:message-id:from; otx2_pool_aq_init() frees pool->stack when mailbox sync or retry allocation fails, but leaves the pointer unchanged. Later, otx2_sq_aura_pool_init() unwinds the partial setup through otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific cn20k_pool_aq_init() implementation has the same bug in its corresponding error path. Set pool->stack to NULL immediately after the local free so the shared cleanup path does not free the same stack again while cleaning up partially initialized pool state. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. Manual inspection confirms that the bug is still present in v7.1-rc3. Runtime validation was not performed because reproducing this path requires OcteonTX2/CN20K hardware. Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts") Cc: stable@vger.kernel.org Signed-off-by: Zilin Guan Signed-off-by: Dawei Feng --- drivers/net/ethernet/marvell/octeontx2/nic/cn20k.c | 2 ++ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn20k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn20k.c index a5a8f4558717..dbf173196608 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/cn20k.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn20k.c @@ -619,11 +619,13 @@ static int cn20k_pool_aq_init(struct otx2_nic *pfvf, u16 pool_id, err = otx2_sync_mbox_msg(&pfvf->mbox); if (err) { qmem_free(pfvf->dev, pool->stack); + pool->stack = NULL; return err; } aq = otx2_mbox_alloc_msg_npa_cn20k_aq_enq(&pfvf->mbox); if (!aq) { qmem_free(pfvf->dev, pool->stack); + pool->stack = NULL; return -ENOMEM; } } diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c index 971fcab1c248..3d253132a17f 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c @@ -1482,11 +1482,13 @@ int otx2_pool_aq_init(struct otx2_nic *pfvf, u16 pool_id, err = otx2_sync_mbox_msg(&pfvf->mbox); if (err) { qmem_free(pfvf->dev, pool->stack); + pool->stack = NULL; return err; } aq = otx2_mbox_alloc_msg_npa_aq_enq(&pfvf->mbox); if (!aq) { qmem_free(pfvf->dev, pool->stack); + pool->stack = NULL; return -ENOMEM; } } -- 2.34.1