On Thu, Mar 19, 2026 at 09:58:59PM +0800, Guangshuo Li wrote:
> When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to
> aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).
>
> The device release callback ice_sf_dev_release() frees sf_dev, but
> the current error path falls through to sf_dev_free and calls
> kfree(sf_dev) again, causing a double free.
>
> Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but
> avoid falling through to sf_dev_free after auxiliary_device_uninit().
>
> Fixes: 13acc5c4cdbe ("ice: subfunction activation and base devlink ops")
> Cc: [email protected]
> Reviewed-by: Aleksandr Loktionov <[email protected]>
> Signed-off-by: Guangshuo Li <[email protected]>
> ---
> v2:
> - replace goto xa_erase with return err after auxiliary_device_uninit()
> - avoid xa_erase() in the auxiliary_device_uninit() path since it is already
> done in ice_sf_dev_release()
Reviewed-by: Simon Horman <[email protected]>
