CVE-2026-46162
Description
In the Linux kernel, the following vulnerability has been resolved:
ice: fix double free in ice_sf_eth_activate() error path
When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).
The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.
Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().
Affected products
2Patches
8121d1f253aedice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 1a2c94375ca71e..f7266d03681535 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
d0c6a4816609ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 2cf04bc6edceb1..a730aa368c92f6 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
9aab1c3d7299ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 2cf04bc6edceb1..a730aa368c92f6 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
2ca30340b502ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 75d7147e1c01c0..4776e7aaab9fd2 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
d0c6a4816609ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 2cf04bc6edceb1..a730aa368c92f6 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
2ca30340b502ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 75d7147e1c01c0..4776e7aaab9fd2 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
9aab1c3d7299ice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 2cf04bc6edceb1..a730aa368c92f6 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
121d1f253aedice: fix double free in ice_sf_eth_activate() error path
1 file changed · +2 −1
drivers/net/ethernet/intel/ice/ice_sf_eth.c+2 −1 modifieddiff --git a/drivers/net/ethernet/intel/ice/ice_sf_eth.c b/drivers/net/ethernet/intel/ice/ice_sf_eth.c index 1a2c94375ca71e..f7266d03681535 100644 --- a/drivers/net/ethernet/intel/ice/ice_sf_eth.c +++ b/drivers/net/ethernet/intel/ice/ice_sf_eth.c @@ -305,6 +305,8 @@ ice_sf_eth_activate(struct ice_dynamic_port *dyn_port, aux_dev_uninit: auxiliary_device_uninit(&sf_dev->adev); + return err; + sf_dev_free: kfree(sf_dev); xa_erase: -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing early return in error path causes double free of sf_dev after auxiliary_device_uninit() already freed it via the release callback."
Attack vector
An attacker would need to trigger a failure of `auxiliary_device_add()` within `ice_sf_eth_activate()`, for example by exhausting kernel memory or manipulating device registration resources. When that call fails, the function jumps to the `aux_dev_uninit` label, calls `auxiliary_device_uninit()`, whose release callback `ice_sf_dev_release()` frees the `sf_dev` structure. The error path then falls through to `sf_dev_free`, which calls `kfree(sf_dev)` again on the already-freed pointer, causing a double-free memory corruption. This is a local denial-of-service or potential privilege-escalation vector on systems with Intel ice network hardware.
Affected code
The bug is in the `ice_sf_eth_activate()` function in `drivers/net/ethernet/intel/ice/ice_sf_eth.c` [patch_id=2898165]. The error path after `auxiliary_device_add()` failure falls through from the `aux_dev_uninit` label (which calls `auxiliary_device_uninit()`, triggering `ice_sf_dev_release()` to free `sf_dev`) into the `sf_dev_free` label, which calls `kfree(sf_dev)` a second time.
What the fix does
The patch inserts a `return err;` statement after `auxiliary_device_uninit(&sf_dev->adev);` in the `aux_dev_uninit` error path [patch_id=2898165]. This prevents fall-through to the `sf_dev_free` label, so `kfree(sf_dev)` is only reached when `auxiliary_device_init()` itself fails (where no release callback has freed `sf_dev`). The fix ensures exactly one free path exists for each allocation, eliminating the double free.
Preconditions
- configThe system must have an Intel ice network device and the ice driver must be loaded.
- inputThe attacker must be able to trigger a failure of auxiliary_device_add() within ice_sf_eth_activate(), e.g., by exhausting kernel memory.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.