CVE-2026-23104

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix devlink reload call trace<br /> <br /> Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced<br /> internal temperature sensor reading via HWMON. ice_hwmon_init() was added<br /> to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a<br /> result if devlink reload is used to reinit the device and then the driver<br /> is removed, a call trace can occur.<br /> <br /> BUG: unable to handle page fault for address: ffffffffc0fd4b5d<br /> Call Trace:<br /> string+0x48/0xe0<br /> vsnprintf+0x1f9/0x650<br /> sprintf+0x62/0x80<br /> name_show+0x1f/0x30<br /> dev_attr_show+0x19/0x60<br /> <br /> The call trace repeats approximately every 10 minutes when system<br /> monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs<br /> attributes that reference freed module memory.<br /> <br /> The sequence is:<br /> 1. Driver load, ice_hwmon_init() gets called from ice_init_feature()<br /> 2. Devlink reload down, flow does not call ice_remove()<br /> 3. Devlink reload up, ice_hwmon_init() gets called from<br /> ice_init_feature() resulting in a second instance<br /> 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the<br /> first hwmon instance orphaned with dangling pointer<br /> <br /> Fix this by moving ice_hwmon_exit() from ice_remove() to<br /> ice_deinit_features() to ensure proper cleanup symmetry with<br /> ice_hwmon_init().