[PATCH 6.1] net: enetc: fix PF !of_device_is

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 6.1] net: enetc: fix PF !of_device_is_available() teardown path
@ 2026-03-30  8:19 Vladimir Oltean
  2026-03-31 15:38 ` Nathan Chancellor
  0 siblings, 1 reply; 2+ messages in thread
From: Vladimir Oltean @ 2026-03-30  8:19 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, netdev, Claudiu Manoil,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Wei Fang, Rahul Sharma, linux-kernel, Nathan Chancellor

Upstream commit e15c5506dd39 ("net: enetc: allocate vf_state during PF
probes") was backported incorrectly to kernels where enetc_pf_probe()
still has to manually check whether the OF node of the PCI device is
enabled.

In kernels which contain commit bfce089ddd0e ("net: enetc: remove
of_device_is_available() handling") and its dependent change, commit
6fffbc7ae137 ("PCI: Honor firmware's device disabled status"), the
"err_device_disabled" label has disappeared. Yet, linux-6.1.y and
earlier still contains it.

The trouble is that upstream commit e15c5506dd39 ("net: enetc: allocate
vf_state during PF probes"), backported as 35668e29e979 in linux-6.1.y,
introduces new code for the err_setup_mac_addresses and err_alloc_netdev
labels which calls kfree(pf->vf_state). This code must not execute for
the err_device_disabled label, because at that stage, the pf structure
has not yet been allocated, and is an uninitialized pointer.

By moving the err_device_disabled label to undo just the previous
operation, i.e. a successful enetc_psi_create() call with
enetc_psi_destroy(), the dereference of uninitialized pf->vf_state is
avoided.

Fixes: 35668e29e979 ("net: enetc: allocate vf_state during PF probes")
Reported-by: Nathan Chancellor <nathan@kernel.org>
Closes: https://lore.kernel.org/linux-patches/20260330073356.GA1017537@ax162/
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
---
 drivers/net/ethernet/freescale/enetc/enetc_pf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/freescale/enetc/enetc_pf.c b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
index 99422c0b4a26..8cb4c759b165 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
@@ -1393,10 +1393,10 @@ static int enetc_pf_probe(struct pci_dev *pdev,
 	si->ndev = NULL;
 	free_netdev(ndev);
 err_alloc_netdev:
-err_device_disabled:
 err_setup_mac_addresses:
 	kfree(pf->vf_state);
 err_alloc_vf_state:
+err_device_disabled:
 	enetc_psi_destroy(pdev);
 err_psi_create:
 	return err;
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 6.1] net: enetc: fix PF !of_device_is_available() teardown path
  2026-03-30  8:19 [PATCH 6.1] net: enetc: fix PF !of_device_is_available() teardown path Vladimir Oltean
@ 2026-03-31 15:38 ` Nathan Chancellor
  0 siblings, 0 replies; 2+ messages in thread
From: Nathan Chancellor @ 2026-03-31 15:38 UTC (permalink / raw)
  To: Vladimir Oltean
  Cc: stable, Greg Kroah-Hartman, patches, netdev, Claudiu Manoil,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Wei Fang, Rahul Sharma, linux-kernel

On Mon, Mar 30, 2026 at 11:19:44AM +0300, Vladimir Oltean wrote:
> Upstream commit e15c5506dd39 ("net: enetc: allocate vf_state during PF
> probes") was backported incorrectly to kernels where enetc_pf_probe()
> still has to manually check whether the OF node of the PCI device is
> enabled.
> 
> In kernels which contain commit bfce089ddd0e ("net: enetc: remove
> of_device_is_available() handling") and its dependent change, commit
> 6fffbc7ae137 ("PCI: Honor firmware's device disabled status"), the
> "err_device_disabled" label has disappeared. Yet, linux-6.1.y and
> earlier still contains it.
> 
> The trouble is that upstream commit e15c5506dd39 ("net: enetc: allocate
> vf_state during PF probes"), backported as 35668e29e979 in linux-6.1.y,
> introduces new code for the err_setup_mac_addresses and err_alloc_netdev
> labels which calls kfree(pf->vf_state). This code must not execute for
> the err_device_disabled label, because at that stage, the pf structure
> has not yet been allocated, and is an uninitialized pointer.
> 
> By moving the err_device_disabled label to undo just the previous
> operation, i.e. a successful enetc_psi_create() call with
> enetc_psi_destroy(), the dereference of uninitialized pf->vf_state is
> avoided.
> 
> Fixes: 35668e29e979 ("net: enetc: allocate vf_state during PF probes")
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://lore.kernel.org/linux-patches/20260330073356.GA1017537@ax162/
> Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>

Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org> # build

> ---
>  drivers/net/ethernet/freescale/enetc/enetc_pf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_pf.c b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
> index 99422c0b4a26..8cb4c759b165 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
> @@ -1393,10 +1393,10 @@ static int enetc_pf_probe(struct pci_dev *pdev,
>  	si->ndev = NULL;
>  	free_netdev(ndev);
>  err_alloc_netdev:
> -err_device_disabled:
>  err_setup_mac_addresses:
>  	kfree(pf->vf_state);
>  err_alloc_vf_state:
> +err_device_disabled:
>  	enetc_psi_destroy(pdev);
>  err_psi_create:
>  	return err;
> -- 
> 2.43.0
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-03-31 15:38 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-30  8:19 [PATCH 6.1] net: enetc: fix PF !of_device_is_available() teardown path Vladimir Oltean
2026-03-31 15:38 ` Nathan Chancellor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox