The error path of ixgbe_recovery_probe() has two memory bugs. For non-E610 adapters, the function jumps to clean_up_probe without calling devlink_free(), leaking the devlink instance and its embedded adapter structure. For E610 adapters, devlink_free() is called at shutdown_aci, but clean_up_probe then accesses adapter->state, sometimes triggering use-after-free because adapter is embedded in devlink. This UAF is similar to the one recently reported in ixgbe_remove(). (Link) Fix both issues by moving devlink_free() after adapter->state access, aligning with the cleanup order in ixgbe_probe(). Link: https://lore.kernel.org/intel-wired-lan/20250828020558.1450422-1-den@valinux.co.jp/ Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode") Signed-off-by: Kohei Enju --- Cc: Koichiro Den --- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index ff6e8ebda5ba..08368e2717c2 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -11510,10 +11510,10 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter) shutdown_aci: mutex_destroy(&adapter->hw.aci.lock); ixgbe_release_hw_control(adapter); - devlink_free(adapter->devlink); clean_up_probe: disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state); free_netdev(netdev); + devlink_free(adapter->devlink); pci_release_mem_regions(pdev); if (disable_dev) pci_disable_device(pdev); -- 2.51.0