Re: [PATCH net] octeontx2-pf: avoid double free of pool->stack on AQ init failure

From: Simon Horman

Date: Tue May 19 2026 - 16:27:05 EST


On Fri, May 15, 2026 at 11:18:26PM +0800, Dawei Feng wrote:
> otx2_pool_aq_init() frees pool->stack when mailbox sync or retry
> allocation fails, but leaves the pointer unchanged. Later,
> otx2_sq_aura_pool_init() unwinds the partial setup through
> otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific
> cn20k_pool_aq_init() implementation has the same bug in
> its corresponding error path.
>
> Set pool->stack to NULL immediately after the local free so the shared
> cleanup path does not free the same stack again while cleaning up
> partially initialized pool state.
>
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still present in
> v7.1-rc3.
>
> Runtime validation was not performed because reproducing this path
> requires OcteonTX2/CN20K hardware.
>
> Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
> Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
> Signed-off-by: Dawei Feng <dawei.feng@xxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>

There is an AI-generated review of this patch available on sashiko.dev.
I believe the issues raised there can be considered in the context of
possible follow-up. I do not believe they should affect the progress
of this patch.
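To make the failure pattern in the quoted commit message concrete, here is an added, self-contained C model of it; it is not code from the octeontx2 driver or from this patch. `struct pool`, `stack_alloc()`, `stack_free()`, `pool_free()`, `pool_aq_init_buggy()`, `pool_aq_init_fixed()` and `run_scenario()` are constructed stand-ins for the driver's pool object, its stack allocation, the shared `otx2_aura_pool_free()` cleanup, the two variants of the `otx2_pool_aq_init()` error path, and the `otx2_sq_aura_pool_init()` unwind. The stack is a static arena and releases are only counted, so the buggy variant demonstrates the second release without invoking undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the pool's stack buffer. Using a static arena and
 * counting releases lets the buggy path be observed safely: no libc free()
 * is ever called twice on the same pointer here. */
static char stack_arena[64];
static int stack_free_count;

/* Minimal model of the driver's pool object (hypothetical; only the field
 * the example needs). */
struct pool {
	void *stack;
};

static void *stack_alloc(void)
{
	return stack_arena;
}

/* Counts every release of a non-NULL stack pointer. */
static void stack_free(void *p)
{
	if (p)
		stack_free_count++;
}

/* Models the shared cleanup (otx2_aura_pool_free in the commit message):
 * it releases whatever the pool still references, so a dangling pointer
 * left behind by an earlier error path is released a second time. */
static void pool_free(struct pool *pool)
{
	stack_free(pool->stack);
	pool->stack = NULL;
}

/* Error path as described before the fix: the stack is freed locally but
 * pool->stack is left pointing at the released buffer. */
static int pool_aq_init_buggy(struct pool *pool, bool fail)
{
	pool->stack = stack_alloc();
	if (fail) {
		stack_free(pool->stack);	/* pointer left dangling */
		return -1;
	}
	return 0;
}

/* Fixed error path: NULL the pointer right after the local free so the
 * shared cleanup path sees nothing to release. */
static int pool_aq_init_fixed(struct pool *pool, bool fail)
{
	pool->stack = stack_alloc();
	if (fail) {
		stack_free(pool->stack);
		pool->stack = NULL;
		return -1;
	}
	return 0;
}

/* Models the caller's unwind: if AQ init fails, the shared cleanup runs to
 * tear down the partially initialised pool; if it succeeds, the same
 * cleanup runs once at normal teardown. Returns how many times the stack
 * buffer was released, which should be exactly 1 in every case. */
static int run_scenario(int (*aq_init)(struct pool *, bool), bool fail)
{
	struct pool pool = { .stack = NULL };

	stack_free_count = 0;
	(void)aq_init(&pool, fail);
	pool_free(&pool);	/* error unwind or normal teardown */
	return stack_free_count;
}

int main(void)
{
	printf("buggy, init fails:  %d release(s)\n",
	       run_scenario(pool_aq_init_buggy, true));
	printf("fixed, init fails:  %d release(s)\n",
	       run_scenario(pool_aq_init_fixed, true));
	printf("fixed, init ok:     %d release(s)\n",
	       run_scenario(pool_aq_init_fixed, false));
	return 0;
}
```

The buggy variant reports two releases when init fails, the fixed variant one; on the success path both behave identically, which is why the bug only shows up in the error unwind. The general rule the fix applies is that any pointer freed in a local error path and still visible to a shared cleanup routine must be cleared at the point of the free.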