[PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()
From: NeKon69 <hidden>
Date: 2026-06-13 10:15:32
Also in:
intel-wired-lan, lkml
Subsystem:
intel ethernet drivers, networking drivers, the rest · Maintainers:
Tony Nguyen, Przemek Kitszel, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds
Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
changed ice_sched_add_nodes_to_layer() from recursive control flow to an
iterative loop.
Inside the loop, first_teid_ptr may be set to the address of a
block-local variable:
u32 temp;
...
if (num_added)
first_teid_ptr = &temp;
On the next loop iteration, first_teid_ptr may be passed to
ice_sched_add_nodes_to_hw_layer(), after temp from the previous
iteration has gone out of scope.
Move temp outside the loop so the pointer remains valid for the lifetime
of ice_sched_add_nodes_to_layer().
This was found by Clang with LifetimeSafety enabled while testing C
language support on a Linux allmodconfig build.
Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
Link: https://github.com/llvm/llvm-project/pull/203270
Signed-off-by: NeKon69 <redacted>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index fff0c1afdb41..089ad3967be5 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c@@ -1074,11 +1074,11 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi, u32 *first_teid_ptr = first_node_teid; u16 new_num_nodes = num_nodes; int status = 0; + u32 temp; *num_nodes_added = 0; while (*num_nodes_added < num_nodes) { u16 max_child_nodes, num_added = 0; - u32 temp; status = ice_sched_add_nodes_to_hw_layer(pi, tc_node, parent, layer, new_num_nodes,
--
2.54.0