> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf
> Of ZhaoJinming
> Sent: Friday, May 29, 2026 7:38 AM
> To: Nguyen, Anthony L <[email protected]>; Kitszel,
> Przemyslaw <[email protected]>; Andrew Lunn
> <[email protected]>; David S . Miller <[email protected]>; Eric
> Dumazet <[email protected]>; Jakub Kicinski <[email protected]>; Paolo
> Abeni <[email protected]>
> Cc: [email protected]; [email protected]; linux-
> [email protected]; ZhaoJinming <[email protected]>
> Subject: [Intel-wired-lan] [PATCH net v2 1/2] ice: dpll: set pointers
> to NULL after kfree in ice_dpll_deinit_info
> 
> ice_dpll_deinit_info() calls kfree() on several pf->dplls fields
> (inputs, outputs, eec.input_prio, pps.input_prio) but does not set the
> pointers to NULL afterward. This leaves dangling pointers in the
> pf->dplls structure.
> 
> While not currently exploitable through existing code paths, this is
> unsafe because:
> 
> 1. If ice_dpll_init_info() is called again after a deinit (e.g. during
>    driver recovery), and a subsequent allocation within init fails, the
>    error path will jump to deinit_info and call ice_dpll_deinit_info()
>    again. Since some pointers still hold the old freed addresses, this
>    would result in a double-free.
> 
> 2. Any future code that checks these pointers before use or after free
>    would be unprotected against use-after-free.
> 
> Follow the common kernel convention of setting pointers to NULL after
> kfree() so that:
> - kfree(NULL) is a safe no-op, preventing double-free
> - NULL checks on these pointers become meaningful
> 
> This is a preparatory fix for a subsequent patch that routes
> additional error paths in ice_dpll_init_info() to the deinit_info
> label.
> 
> Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu")
> Signed-off-by: ZhaoJinming <[email protected]>
> ---
>  drivers/net/ethernet/intel/ice/ice_dpll.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c
> b/drivers/net/ethernet/intel/ice/ice_dpll.c
> index 892bc7c2e28b..99bb308255cc 100644
> --- a/drivers/net/ethernet/intel/ice/ice_dpll.c
> +++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
> @@ -4247,9 +4247,13 @@ ice_dpll_init_pins_info(struct ice_pf *pf, enum
> ice_dpll_pin_type pin_type)  static void ice_dpll_deinit_info(struct
> ice_pf *pf)  {
>       kfree(pf->dplls.inputs);
> +     pf->dplls.inputs = NULL;
>       kfree(pf->dplls.outputs);
> +     pf->dplls.outputs = NULL;
>       kfree(pf->dplls.eec.input_prio);
> +     pf->dplls.eec.input_prio = NULL;
>       kfree(pf->dplls.pps.input_prio);
> +     pf->dplls.pps.input_prio = NULL;
>  }
> 
>  /**
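Review bot: The Fixes: tag on d7999f5ea64b sits oddly next to the statement that nothing is currently exploitable through existing code paths; the double-free in point 1 only becomes reachable once the follow-up patch routes more ice_dpll_init_info() error paths to the deinit_info label, so either name the existing path that can call ice_dpll_deinit_info() twice in the message, or drop the tag here and let the follow-up carry it. The hunk itself is right: each of the four kfree() calls is followed by a NULL store on the same pf->dplls field, so a repeat call degrades to kfree(NULL), which the message correctly notes is a no-op.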
> --
> 2.20.1


Reviewed-by: Aleksandr Loktionov <[email protected]>

Code looks correct. Please add `Cc: [email protected] # v6.7+` to both 
patches and include a v1→v2 changelog before reposting as v3.
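The recovery scenario the commit message describes (init, deinit, a re-init whose allocation fails and unwinds through the deinit function) is easy to reproduce in userspace. The following C program is an added illustration, not code from the ice driver or from the patch author: `struct dplls_info`, `fallible_zalloc()`, `init_info()` and the two `deinit_info_*()` variants are constructed stand-ins for `pf->dplls` and the real `ice_dpll_init_info()`/`ice_dpll_deinit_info()`, using `calloc()`/`free()` in place of `kzalloc()`/`kfree()` (`free(NULL)` is a no-op just like `kfree(NULL)`). It counts the stale pointers the pre-patch cleanup leaves behind, rather than executing the double free, and then runs the full failed-re-init path with the patched cleanup to show the unwind is safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for the four pf->dplls fields the patch touches. */
struct dplls_info {
	unsigned char *inputs;
	unsigned char *outputs;
	unsigned char *eec_input_prio;
	unsigned char *pps_input_prio;
};

/* Hypothetical fault injection: the Nth allocation returns NULL (0 = never). */
static int fail_on_alloc;
static int alloc_count;

static void *fallible_zalloc(size_t n)
{
	alloc_count++;
	if (fail_on_alloc && alloc_count == fail_on_alloc)
		return NULL;
	return calloc(1, n);
}

/* Pre-patch shape: frees, but leaves the freed addresses in the struct. */
static void deinit_info_stale(struct dplls_info *d)
{
	free(d->inputs);
	free(d->outputs);
	free(d->eec_input_prio);
	free(d->pps_input_prio);
}

/* Post-patch shape: each free() is followed by a NULL store, so a repeat
 * call only ever hands free() a NULL pointer, which is a no-op. */
static void deinit_info_safe(struct dplls_info *d)
{
	free(d->inputs);
	d->inputs = NULL;
	free(d->outputs);
	d->outputs = NULL;
	free(d->eec_input_prio);
	d->eec_input_prio = NULL;
	free(d->pps_input_prio);
	d->pps_input_prio = NULL;
}

/* Fields still holding a non-NULL address. After deinit this must be 0;
 * every other value is a pointer the next deinit would free a second time. */
static int count_live_pointers(const struct dplls_info *d)
{
	return (d->inputs != NULL) + (d->outputs != NULL) +
	       (d->eec_input_prio != NULL) + (d->pps_input_prio != NULL);
}

/* Sequential allocation that unwinds through the supplied deinit on
 * failure, the flow the commit message attributes to ice_dpll_init_info(). */
static int init_info(struct dplls_info *d, size_t n,
		     void (*deinit)(struct dplls_info *))
{
	d->inputs = fallible_zalloc(n);
	if (!d->inputs)
		goto deinit_info;
	d->outputs = fallible_zalloc(n);
	if (!d->outputs)
		goto deinit_info;
	d->eec_input_prio = fallible_zalloc(n);
	if (!d->eec_input_prio)
		goto deinit_info;
	d->pps_input_prio = fallible_zalloc(n);
	if (!d->pps_input_prio)
		goto deinit_info;
	return 0;

deinit_info:
	deinit(d);
	return -1;
}

/* init, then deinit: how many stale pointers does this cleanup leave? */
static int stale_after_deinit(void (*deinit)(struct dplls_info *))
{
	struct dplls_info d = { 0 };

	fail_on_alloc = 0;
	if (init_info(&d, 16, deinit))
		return -1;
	deinit(&d);
	return count_live_pointers(&d);
}

/* Full recovery path with the patched cleanup: init, deinit, re-init whose
 * third allocation fails and unwinds, then one more deinit for good measure.
 * Returns the live-pointer count at the end (0 when every step was safe). */
static int recovery_with_safe_deinit(void)
{
	struct dplls_info d = { 0 };

	fail_on_alloc = 0;
	if (init_info(&d, 16, deinit_info_safe))
		return -1;
	deinit_info_safe(&d);
	fail_on_alloc = alloc_count + 3;	/* fail eec_input_prio this time */
	if (init_info(&d, 16, deinit_info_safe) != -1)
		return -2;
	deinit_info_safe(&d);			/* extra call: only free(NULL) */
	return count_live_pointers(&d);
}

int main(void)
{
	printf("stale pointers, pre-patch cleanup:  %d\n",
	       stale_after_deinit(deinit_info_stale));
	printf("stale pointers, patched cleanup:    %d\n",
	       stale_after_deinit(deinit_info_safe));
	printf("recovery with patched cleanup:      %d\n",
	       recovery_with_safe_deinit());
	return 0;
}
```

The pre-patch variant reports four stale addresses after a single deinit, which is exactly the state point 1 of the commit message relies on: a later unwind through the same function would pass those addresses to the allocator again. The fault-injection step is deliberately not run against the stale variant, because that would execute the double free rather than demonstrate it.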
