From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0B83B1E32D6; Thu, 30 Apr 2026 04:01:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.77.154.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777521686; cv=none; b=uYsORrpFMn6EPrh0guxgo2xo8COHWtvheTkX6+AoBAl46SGVpiHwGgSJfvz0V/LtrQpXUvLF8RZWDGv8dxSPKv86Q1jPJ9kIwu2oq1lgIZxbnTODThX/8WWTqoh1+y0oiPuDVKqrBIdX2K0CxdZ57LanMLqoRIZ8mjV21egiOhc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777521686; c=relaxed/simple; bh=ihbHFS8fqcjykLtVPxLwkEHGOCgwdO8Sw8gLFVNIZA0=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=T5Lb4o0eYWluTJpRCktw6YujPqjzj6Mh2ECYJ8qYC0wPgHRJzOJU3jmg6QQJgaaLtYdG1P3E8KEPSvJBqpgfYwZMMxki0bLKzaY8tIvRc3Dhe4Ykb6p8VPOjTCYbZWhlnbae0wCqXddkfMTlqcy8AIV11YD9x5Kx7h/5fcNDmiE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com; spf=pass smtp.mailfrom=linux.microsoft.com; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b=flP7c3Qz; arc=none smtp.client-ip=13.77.154.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="flP7c3Qz" Received: from linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net (linux.microsoft.com [13.77.154.182]) by linux.microsoft.com (Postfix) with ESMTPSA id 16F7320B7172; Wed, 29 Apr 2026 21:01:25 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 16F7320B7172 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1777521685; bh=EnERMomum/goudk6/J3udw33PHVB548hHsdYQiEYmdg=; h=From:To:Subject:Date:In-Reply-To:References:From; b=flP7c3QzjUzHXjoyiDril6Z9M3lxe/6jKjRalsA3lDQLWvxFolIhWNL16ly8CizcN 6/C/ygveYA1rkXbriwFIkejXDtBdD95CUf5Vre/tQ3rW2vUsLYW0M8dDtpXqSv3/RX 9os2aNF34VtKUl43d0IXSMv1kGqaMWE9nvbhROH4= From: Dipayaan Roy To: kys@microsoft.com, haiyangz@microsoft.com, wei.liu@kernel.org, decui@microsoft.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, leon@kernel.org, longli@microsoft.com, kotaranov@microsoft.com, horms@kernel.org, shradhagupta@linux.microsoft.com, ssengar@linux.microsoft.com, ernis@linux.microsoft.com, shirazsaleem@microsoft.com, linux-hyperv@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, stephen@networkplumber.org, jacob.e.keller@intel.com, dipayanroy@microsoft.com, leitao@debian.org, kees@kernel.org, john.fastabend@gmail.com, hawk@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, sdf@fomichev.me, yury.norov@gmail.com Subject: [PATCH 3/3] net: mana: remove double CQ cleanup in mana_create_rxq error path Date: Wed, 29 Apr 2026 20:57:54 -0700 Message-ID: <20260430035935.1859220-4-dipayanroy@linux.microsoft.com> X-Mailer: git-send-email 2.43.7 In-Reply-To: <20260430035935.1859220-1-dipayanroy@linux.microsoft.com> References: <20260430035935.1859220-1-dipayanroy@linux.microsoft.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In mana_create_rxq(), the error cleanup path calls mana_destroy_rxq() followed by mana_deinit_cq(). This is incorrect for two reasons: 1. mana_destroy_rxq() already calls mana_deinit_cq() internally, so the CQ's GDMA queue is destroyed twice. 2. mana_destroy_rxq() frees the rxq via kfree(rxq) before returning. The subsequent mana_deinit_cq(apc, cq) then operates on freed memory since cq points to &rxq->rx_cq, which is embedded in the already-freed rxq structure — a use-after-free. Remove the redundant mana_deinit_cq() call from the error path since mana_destroy_rxq() already handles CQ cleanup. mana_deinit_cq() is itself safe for an uninitialized CQ as it checks for a NULL gdma_cq before proceeding. Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Reviewed-by: Haiyang Zhang Signed-off-by: Dipayaan Roy --- drivers/net/ethernet/microsoft/mana/mana_en.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index f2a6ea162dc3..9afc786b297a 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -2799,9 +2799,6 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc, mana_destroy_rxq(apc, rxq, false); - if (cq) - mana_deinit_cq(apc, cq); - return NULL; } -- 2.43.0