Re: [PATCH net] ice: Fix use-after-scope in ice_sched_add_nodes_to_layer()

From: Simon Horman <horms@kernel.org>
Date: 2026-06-15 12:08:05
Also in: intel-wired-lan, lkml

On Sat, Jun 13, 2026 at 01:14:40PM +0300, NeKon69 wrote:

Commit 7fb09a737536 ("ice: Modify recursive way of adding nodes")
changed ice_sched_add_nodes_to_layer() from recursive control flow to an
iterative loop.

Inside the loop, first_teid_ptr may be set to the address of a
block-local variable:

	u32 temp;
	...
	if (num_added)
		first_teid_ptr = &temp;

On the next loop iteration, first_teid_ptr may be passed to
ice_sched_add_nodes_to_hw_layer(), after temp from the previous
iteration has gone out of scope.

Move temp outside the loop so the pointer remains valid for the lifetime
of ice_sched_add_nodes_to_layer().

This was found by Clang with LifetimeSafety enabled while testing C
language support on a Linux allmodconfig build.

Fixes: 7fb09a737536 ("ice: Modify recursive way of adding nodes")
Link: https://github.com/llvm/llvm-project/pull/203270
Signed-off-by: NeKon69 <redacted>

I agree that this patch is correct.

However, I do wonder if it would be cleaner to allow
passing NULL as the first_node_teid argument of
ice_sched_add_nodes_to_hw_layer()

...

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help