i40e_config_netdev() allocates vsi->netdev for main and VMDQ VSIs. If
i40e_netif_set_realnum_tx_rx_queues(), i40e_devlink_create_port(), or
register_netdev() fails, i40e_vsi_setup() goes to err_netdev without
releasing the netdev. The existing cleanup only frees the netdev after a
successful register_netdev(), so these error paths leak the allocation.

Reorder the error paths at err_netdev to ensure proper cleanup of the
allocated device.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc5.

An x86_64 allyesconfig build showed no new warnings. As we do not have an
Intel Ethernet Controller XL710 family adapter to test with, no runtime
testing was able to be performed.

Fixes: 41c445ff0f48 ("i40e: main driver core")
Cc: stable@vger.kernel.org

Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 6d4f9218dc68..1ced01b0cc09 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -14491,13 +14491,15 @@ struct i40e_vsi *i40e_vsi_setup(struct i40e_pf *pf, u8 type,
if (vsi->netdev_registered) {
vsi->netdev_registered = false;
unregister_netdev(vsi->netdev);
- free_netdev(vsi->netdev);
- vsi->netdev = NULL;
}
err_dl_port:
if (vsi->type == I40E_VSI_MAIN)
i40e_devlink_destroy_port(pf);
err_netdev:
+ if (vsi->netdev) {
+ free_netdev(vsi->netdev);
+ vsi->netdev = NULL;
+ }
i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
err_vsi:
i40e_vsi_clear(vsi);
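Review bot: On the fully registered path the free now runs later than it used to: with free_netdev() moved out of the `if (vsi->netdev_registered)` block and down to err_netdev, the sequence becomes unregister_netdev(), i40e_devlink_destroy_port(), free_netdev(), where previously the netdev was freed before the devlink port was destroyed. The commit message only says "Reorder the error paths"; since the patch is tagged for stable, please state this ordering change explicitly and say that it is intended.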
--
2.34.1
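The leak and the fix described in the patch above, as a userspace model added here (not code from the patch or from the i40e driver). The enum names, the `model_*` helpers and the label each failing step enters are assumptions of this example; only the cleanup order mirrors the hunk.

```c
/* Userspace model of the unwind ladder in the patch; not kernel code.
 * Step names and helper names are stand-ins chosen for this example. */
#include <stdbool.h>
#include <stdio.h>
enum fail_at { FAIL_CONFIG, FAIL_REALNUM, FAIL_DL_PORT, FAIL_REGISTER, FAIL_LATE };
struct model_vsi { void *netdev; bool registered; };
static int live_netdevs;     /* allocated and not yet freed */
static char netdev_slot;     /* stands in for the allocation */

static void model_free_netdev(struct model_vsi *v)
{
    v->netdev = NULL;
    live_netdevs--;
}

/* Run setup, fail at `where`, unwind; return allocations still live. */
int leaked_after_failure(enum fail_at where, bool patched)
{
    struct model_vsi v = { NULL, false };
    live_netdevs = 0;
    if (where == FAIL_CONFIG)              /* allocation step itself failed */
        goto err_netdev;
    v.netdev = &netdev_slot;
    live_netdevs++;
    if (where == FAIL_REALNUM || where == FAIL_DL_PORT)
        goto err_netdev;
    if (where == FAIL_REGISTER)            /* assumption: enters one label up */
        goto err_dl_port;
    v.registered = true;                   /* FAIL_LATE: a later step fails */
    if (v.registered) {
        v.registered = false;              /* unregister */
        if (!patched)
            model_free_netdev(&v);         /* old location of the free */
    }
err_dl_port:                               /* devlink port teardown runs here */
err_netdev:
    if (patched && v.netdev)
        model_free_netdev(&v);             /* new location, pointer-guarded */
    return live_netdevs;
}

int main(void)
{
    for (int w = FAIL_CONFIG; w <= FAIL_LATE; w++)
        printf("fail_at=%d old=%d new=%d\n", w,
               leaked_after_failure((enum fail_at)w, false),
               leaked_after_failure((enum fail_at)w, true));
    return 0;
}
```

With the old cleanup, the three failures that skip the registered block each leave one allocation live; with the guarded free at the bottom label, every entry point unwinds to zero and the late-failure path still frees exactly once.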
On 27/05/2026 13:02, Dawei Feng wrote:
> i40e_config_netdev() allocates vsi->netdev for main and VMDQ VSIs. If
> i40e_netif_set_realnum_tx_rx_queues(), i40e_devlink_create_port(), or
> register_netdev() fails, i40e_vsi_setup() goes to err_netdev without
> releasing the netdev. The existing cleanup only frees the netdev after a
> successful register_netdev(), so these error paths leak the allocation.
>
> Reorder the error paths at err_netdev to ensure proper cleanup of the
> allocated device.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still
> present in v7.1-rc5.
>
> An x86_64 allyesconfig build showed no new warnings. As we do not have an
> Intel Ethernet Controller XL710 family adapter to test with, no runtime
> testing was able to be performed.
>
> Fixes: 41c445ff0f48 ("i40e: main driver core")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
We could introduce an additional goto label for i40e_config_netdev() instead of
the if condition, but the latter is probably safer in this case (without splitting
the different VSI types setup to functions).
Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
> ---
> drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
> index 6d4f9218dc68..1ced01b0cc09 100644
> --- a/drivers/net/ethernet/intel/i40e/i40e_main.c
> +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
> @@ -14491,13 +14491,15 @@ struct i40e_vsi *i40e_vsi_setup(struct i40e_pf *pf, u8 type,
> if (vsi->netdev_registered) {
> vsi->netdev_registered = false;
> unregister_netdev(vsi->netdev);
> - free_netdev(vsi->netdev);
> - vsi->netdev = NULL;
> }
> err_dl_port:
> if (vsi->type == I40E_VSI_MAIN)
> i40e_devlink_destroy_port(pf);
> err_netdev:
> + if (vsi->netdev) {
> + free_netdev(vsi->netdev);
> + vsi->netdev = NULL;
> + }
> i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
> err_vsi:
> i40e_vsi_clear(vsi);
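Review bot: The `if (vsi->netdev)` guard added at err_netdev is only correct if vsi->netdev is NULL on every entry to that label where no netdev is held, for instance when i40e_config_netdev() itself fails or for VSI types that never get a netdev; the hunk does not show that. A short comment above the guard naming those cases, or a sentence in the commit message, would make the invariant checkable in review.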
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf
> Of Dawei Feng
> Sent: Wednesday, May 27, 2026 1:02 PM
> To: Nguyen, Anthony L <anthony.l.nguyen@intel.com>
> Cc: Kitszel, Przemyslaw <przemyslaw.kitszel@intel.com>;
> andrew+netdev@lunn.ch; davem@davemloft.net; edumazet@google.com;
> kuba@kernel.org; pabeni@redhat.com; jesse.brandeburg@intel.com;
> sln@onemain.com; intel-wired-lan@lists.osuosl.org;
> netdev@vger.kernel.org; linux-kernel@vger.kernel.org;
> jianhao.xu@seu.edu.cn; Dawei Feng <dawei.feng@seu.edu.cn>;
> stable@vger.kernel.org; Zilin Guan <zilin@seu.edu.cn>
> Subject: [Intel-wired-lan] [PATCH net] i40e: fix netdev leak in
> i40e_vsi_setup() error paths
>
> i40e_config_netdev() allocates vsi->netdev for main and VMDQ VSIs. If
> i40e_netif_set_realnum_tx_rx_queues(), i40e_devlink_create_port(), or
> register_netdev() fails, i40e_vsi_setup() goes to err_netdev without
> releasing the netdev. The existing cleanup only frees the netdev after
> a successful register_netdev(), so these error paths leak the
> allocation.
>
> Reorder the error paths at err_netdev to ensure proper cleanup of the
> allocated device.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing v6.13-
> rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still present in
> v7.1-rc5.
>
> An x86_64 allyesconfig build showed no new warnings. As we do not have
> an Intel Ethernet Controller XL710 family adapter to test with, no
> runtime testing was able to be performed.
>
> Fixes: 41c445ff0f48 ("i40e: main driver core")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
> ---
> drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c
> b/drivers/net/ethernet/intel/i40e/i40e_main.c
> index 6d4f9218dc68..1ced01b0cc09 100644
> --- a/drivers/net/ethernet/intel/i40e/i40e_main.c
> +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
> @@ -14491,13 +14491,15 @@ struct i40e_vsi *i40e_vsi_setup(struct
> i40e_pf *pf, u8 type,
> if (vsi->netdev_registered) {
> vsi->netdev_registered = false;
> unregister_netdev(vsi->netdev);
> - free_netdev(vsi->netdev);
> - vsi->netdev = NULL;
> }
> err_dl_port:
> if (vsi->type == I40E_VSI_MAIN)
> i40e_devlink_destroy_port(pf);
> err_netdev:
> + if (vsi->netdev) {
> + free_netdev(vsi->netdev);
> + vsi->netdev = NULL;
> + }
> i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
> err_vsi:
> i40e_vsi_clear(vsi);
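Review bot: The new free_netdev() call under err_netdev has only been build-tested, per the commit message, and the failures it covers are error paths that normal operation will not exercise. Before this goes to stable it would be worth having someone with an XL710 force each of the three failures in turn and confirm that the allocation is released, and that the later-failure path, which now frees the netdev at err_netdev instead of inside the `if (vsi->netdev_registered)` block, does not free it twice.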
> --
> 2.34.1
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
On 5/28/26 01:49, Loktionov, Aleksandr wrote:
>
>> -----Original Message-----
>> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf
>> Of Dawei Feng
>> Sent: Wednesday, May 27, 2026 1:02 PM
>> To: Nguyen, Anthony L <anthony.l.nguyen@intel.com>
>> Cc: Kitszel, Przemyslaw <przemyslaw.kitszel@intel.com>;
>> andrew+netdev@lunn.ch; davem@davemloft.net; edumazet@google.com;
>> kuba@kernel.org; pabeni@redhat.com; jesse.brandeburg@intel.com;
>> sln@onemain.com; intel-wired-lan@lists.osuosl.org;
>> netdev@vger.kernel.org; linux-kernel@vger.kernel.org;
>> jianhao.xu@seu.edu.cn; Dawei Feng <dawei.feng@seu.edu.cn>;
>> stable@vger.kernel.org; Zilin Guan <zilin@seu.edu.cn>
>> Subject: [Intel-wired-lan] [PATCH net] i40e: fix netdev leak in
>> i40e_vsi_setup() error paths
>>
>> i40e_config_netdev() allocates vsi->netdev for main and VMDQ VSIs. If
>> i40e_netif_set_realnum_tx_rx_queues(), i40e_devlink_create_port(), or
>> register_netdev() fails, i40e_vsi_setup() goes to err_netdev without
>> releasing the netdev. The existing cleanup only frees the netdev after
>> a successful register_netdev(), so these error paths leak the
>> allocation.
>>
>> Reorder the error paths at err_netdev to ensure proper cleanup of the
>> allocated device.
>>
>> The bug was first flagged by an experimental analysis tool we are
>> developing for kernel memory-management bugs while analyzing v6.13-
>> rc1. The tool is still under development and is not yet publicly
>> available. Manual inspection confirms that the bug is still present in
>> v7.1-rc5.
>>
>> An x86_64 allyesconfig build showed no new warnings. As we do not have
>> an Intel Ethernet Controller XL710 family adapter to test with, no
>> runtime testing was able to be performed.
>>
>> Fixes: 41c445ff0f48 ("i40e: main driver core")
>> Cc: stable@vger.kernel.org
>>
>> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
>> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
>> ---
>> drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c
>> b/drivers/net/ethernet/intel/i40e/i40e_main.c
>> index 6d4f9218dc68..1ced01b0cc09 100644
>> --- a/drivers/net/ethernet/intel/i40e/i40e_main.c
>> +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
>> @@ -14491,13 +14491,15 @@ struct i40e_vsi *i40e_vsi_setup(struct
>> i40e_pf *pf, u8 type,
>> if (vsi->netdev_registered) {
>> vsi->netdev_registered = false;
>> unregister_netdev(vsi->netdev);
>> - free_netdev(vsi->netdev);
>> - vsi->netdev = NULL;
>> }
>> err_dl_port:
>> if (vsi->type == I40E_VSI_MAIN)
>> i40e_devlink_destroy_port(pf);
>> err_netdev:
>> + if (vsi->netdev) {
>> + free_netdev(vsi->netdev);
>> + vsi->netdev = NULL;
>> + }
>> i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
Would it make sense to put these 4 lines into i40e_vsi_clear()? Then you
can also clean up i40e_vsi_release() and i40e_vsi_reinit_setup() in a
similar way.
sln
>> err_vsi:
>> i40e_vsi_clear(vsi);
>> --
>> 2.34.1
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
>
Hi Shannon,

Thanks for the suggestion. I took a closer look at the cleanup paths, and I think the localized v1 fix is safer here.

In particular, i40e_vsi_reinit_setup() has early failure paths that can reach i40e_vsi_clear() before unregister_netdev() is called. Moving free_netdev() into i40e_vsi_clear() could therefore free a still-registered netdev.

So I plan to keep the current v1 approach for this fix, rather than moving free_netdev() into the common VSI teardown path.

Best regards,
Dawei
On 6/2/26 20:28, Dawei Feng wrote:
> Hi Shannon,
>
> Thanks for the suggestion. I took a closer look at the cleanup paths, and
> I think the localized v1 fix is safer here.
>
> In particular, i40e_vsi_reinit_setup() has early failure paths that can
> reach i40e_vsi_clear() before unregister_netdev() is called. Moving
> free_netdev() into i40e_vsi_clear() could therefore free a
> still-registered netdev.
>
> So I plan to keep the current v1 approach for this fix, rather than moving
> free_netdev() into the common VSI teardown path.
>
> Best regards,
> Dawei

That sounds fine, thanks for looking.

sln
On Fri, May 29, 2026 at 1:57 AM, Shannon Nelson wrote:
>
> >> err_netdev:
> >> + if (vsi->netdev) {
> >> + free_netdev(vsi->netdev);
> >> + vsi->netdev = NULL;
> >> + }
> >> i40e_aq_delete_element(&pf->hw, vsi->seid, NULL);
>
> Would it make sense to put these 4 lines into i40e_vsi_clear()? Then you
> can also clean up i40e_vsi_release() and i40e_vsi_reinit_setup() in a
> similar way.
>
> sln
Hi sln,
Thanks for the suggestion. I will adjust this part in the upcoming v2.
Best regards,
Dawei