Commit 6dc1049
net: hns3: fix double free issue for tx spare buffer
[ Upstream commit 6d2f142 ]
In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure
is created for rollback. However, the tx_spare pointer in the original
ring handle is incorrectly left pointing to the old backup memory.
Later, if memory allocation fails in hns3_init_all_ring() during the setup,
the error path attempts to free all newly allocated rings. Since tx_spare
contains a stale (non-NULL) pointer from the backup, it is mistaken for
a newly allocated buffer and is erroneously freed, leading to a double-free
of the backup memory.
The root cause is that the tx_spare field was not cleared after its value
was saved in tmp_rings, leaving a dangling pointer.
Fix this by setting tx_spare to NULL in the original ring structure
when the creation of the new `tx_spare` fails. This ensures the
error cleanup path only frees genuinely newly allocated buffers.
Fixes: 907676b ("net: hns3: use tx bounce buffer for small packets")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260205121719.3285730-1-shaojijie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>1 parent 44b2256 commit 6dc1049
1 file changed
+9
-2
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1048 | 1048 | | |
1049 | 1049 | | |
1050 | 1050 | | |
1051 | | - | |
| 1051 | + | |
1052 | 1052 | | |
1053 | 1053 | | |
1054 | 1054 | | |
1055 | 1055 | | |
1056 | 1056 | | |
1057 | | - | |
| 1057 | + | |
1058 | 1058 | | |
1059 | 1059 | | |
1060 | 1060 | | |
| |||
1092 | 1092 | | |
1093 | 1093 | | |
1094 | 1094 | | |
| 1095 | + | |
| 1096 | + | |
| 1097 | + | |
| 1098 | + | |
| 1099 | + | |
| 1100 | + | |
| 1101 | + | |
1095 | 1102 | | |
1096 | 1103 | | |
1097 | 1104 | | |
| |||
0 commit comments