A use-after-free vulnerability has been resolved in the Linux kernel's octeon_ep_vf driver. The flaw occurs due to a mismatch in the dev_id used when freeing IRQs during an error rollback, potentially leading to a crash or code execution when an interrupt fires after the ioq_vector is freed.
In the Linux kernel, the following vulnerability has been resolved:
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered.
This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires.
Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().