Message-ID: <6cec0c03-5bdc-4131-9899-bc5c77fba198@redhat.com>
Date: Thu, 7 May 2026 12:34:24 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH net v2] eth: fbnic: fix double-free of PCS on phylink creation failure
To: Bobby Eshleman, Alexander Duyck, Jakub Kicinski, kernel-team@meta.com, Andrew Lunn, "David S. Miller", Eric Dumazet, Russell King
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Bobby Eshleman
References: <20260504-fbnic-pcs-fix-v2-1-de45192821d9@meta.com>
Content-Language: en-US
From: Paolo Abeni
In-Reply-To: <20260504-fbnic-pcs-fix-v2-1-de45192821d9@meta.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

On 5/5/26 3:42 AM, Bobby Eshleman wrote:
> From: Bobby Eshleman
>
> fbnic_phylink_create() stores the newly allocated PCS in fbn->pcs and
> then calls phylink_create(). When phylink_create() fails, the error path
> correctly destroys the PCS via xpcs_destroy_pcs(), but the caller,
> fbnic_netdev_alloc(), responds by invoking fbnic_netdev_free() which
> calls fbnic_phylink_destroy(). That function finds fbn->pcs non-NULL and
> calls xpcs_destroy_pcs() a second time on the already-freed object,
> triggering a refcount underflow use-after-free:
>
> [ 1.934973] fbnic 0000:01:00.0: Failed to create Phylink interface, err: -22
> [ 1.935103] ------------[ cut here ]------------
> [ 1.935179] refcount_t: underflow; use-after-free.
> [ 1.935252] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x59/0x90, CPU#0: swapper/0/1
> [ 1.935389] Modules linked in:
> [ 1.935484] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-virtme-04244-g1f5ffc672165-dirty #1 PREEMPT(lazy)
> [ 1.935661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> [ 1.935826] RIP: 0010:refcount_warn_saturate+0x59/0x90
> [ 1.935931] Code: 44 48 8d 3d 49 f9 a7 01 67 48 0f b9 3a e9 bf 1e 96 00 48 8d 3d 48 f9 a7 01 67 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 47 f9 a7 01 <67> 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 46 f9 a7 01 67 48 0f b9 3a
> [ 1.936274] RSP: 0000:ffffd0d440013c58 EFLAGS: 00010246
> [ 1.936376] RAX: 0000000000000000 RBX: ffff8f39c188c278 RCX: 000000000000002b
> [ 1.936524] RDX: ffff8f39c004f000 RSI: 0000000000000003 RDI: ffffffff96abab00
> [ 1.936692] RBP: ffff8f39c188c240 R08: ffffffff96988e88 R09: 00000000ffffdfff
> [ 1.936835] R10: ffffffff96878ea0 R11: 0000000000000187 R12: 0000000000000000
> [ 1.936970] R13: ffff8f39c0cef0c8 R14: ffff8f39c1ac01c0 R15: 0000000000000000
> [ 1.937114] FS: 0000000000000000(0000) GS:ffff8f3ba08b4000(0000) knlGS:0000000000000000
> [ 1.937273] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1.937382] CR2: ffff8f3b3ffff000 CR3: 0000000172642001 CR4: 0000000000372ef0
> [ 1.937540] Call Trace:
> [ 1.937619]
> [ 1.937698] xpcs_destroy_pcs+0x25/0x40
> [ 1.937783] fbnic_netdev_alloc+0x1e5/0x200
> [ 1.937859] fbnic_probe+0x230/0x370
> [ 1.937939] local_pci_probe+0x3e/0x90
> [ 1.938013] pci_device_probe+0xbb/0x1e0
> [ 1.938091] ? sysfs_do_create_link_sd+0x6d/0xe0
> [ 1.938188] really_probe+0xc1/0x2b0
> [ 1.938282] __driver_probe_device+0x73/0x120
> [ 1.938371] driver_probe_device+0x1e/0xe0
> [ 1.938466] __driver_attach+0x8d/0x190
> [ 1.938560] ? __pfx___driver_attach+0x10/0x10
> [ 1.938663] bus_for_each_dev+0x7b/0xd0
> [ 1.938758] bus_add_driver+0xe8/0x210
> [ 1.938854] driver_register+0x60/0x120
> [ 1.938929] ? __pfx_fbnic_init_module+0x10/0x10
> [ 1.939026] fbnic_init_module+0x25/0x60
> [ 1.939109] do_one_initcall+0x49/0x220
> [ 1.939202] ? rdinit_setup+0x20/0x40
> [ 1.939304] kernel_init_freeable+0x1b0/0x310
> [ 1.939449] ? __pfx_kernel_init+0x10/0x10
> [ 1.939560] kernel_init+0x1a/0x1c0
> [ 1.939640] ret_from_fork+0x1ed/0x240
> [ 1.939730] ? __pfx_kernel_init+0x10/0x10
> [ 1.939805] ret_from_fork_asm+0x1a/0x30
> [ 1.939886]
> [ 1.939927] ---[ end trace 0000000000000000 ]---
> [ 1.940184] fbnic 0000:01:00.0: Netdev allocation failed
>
> Instead of calling fbnic_phylink_destroy(), the prior initialization of
> netdev should just be unrolled with free_netdev() and clearing
> fbd->netdev.
>
> Clearing fbd->netdev to NULL avoids UAF in init_failure_mode where
> callers guard by checking !fbd->netdev, such as fbnic_mdio_read_pmd().
> These callers remain active even after a failed probe, so fbd->netdev
> still needs to be cleared.
>
> Fixes: d0fe7104c795 ("fbnic: Replace use of internal PCS w/ Designware XPCS")
> Signed-off-by: Bobby Eshleman

Note that sashiko-gemini spotted a pre-existing issue:

https://sashiko.dev/#/patchset/20260504-fbnic-pcs-fix-v2-1-de45192821d9%40meta.com

does not block this patch but could deserve a follow-up.

Thanks,

Paolo
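The double release and the unroll the commit message describes, modelled in user space as an added example (not the fbnic driver's code): the struct layouts, the `fixed` flag and the underflow counter are stand-ins, and only the failing phylink_create() path is modelled.

```c
/* Added example, not the fbnic driver's code: a user-space model of the error
 * path in the commit message. The fake PCS keeps a refcount, so destroying it
 * twice shows up as an underflow (what refcount_warn_saturate reported). */
#include <stdbool.h>
#include <stdlib.h>
struct pcs { int refcount; };
struct net_device { struct pcs *pcs; };
struct fbnic_dev { struct net_device *netdev; };
static int underflows;                   /* counted here instead of WARN()ed */
static void xpcs_destroy_pcs(struct pcs *p) {
    if (p->refcount == 0) { underflows++; return; }  /* UAF in the real kernel */
    p->refcount--;                       /* memory kept so the reuse is observable */
}
/* Models only the failing case: phylink_create() returns -EINVAL (-22). */
static int fbnic_phylink_create(struct net_device *nd) {
    nd->pcs = calloc(1, sizeof *nd->pcs);   /* xpcs_create_pcs() stand-in */
    nd->pcs->refcount = 1;
    xpcs_destroy_pcs(nd->pcs);           /* error path releases the PCS ... */
    return -22;                          /* ... but nd->pcs still points at it */
}
static void fbnic_phylink_destroy(struct net_device *nd) {
    if (nd->pcs)                         /* non-NULL, so it is destroyed again */
        xpcs_destroy_pcs(nd->pcs);
}
/* fixed=false: full teardown via fbnic_phylink_destroy, fbd->netdev left dangling.
 * fixed=true: unroll only what this function set up and clear the pointer. */
static int fbnic_netdev_alloc(struct fbnic_dev *fbd, bool fixed) {
    fbd->netdev = calloc(1, sizeof *fbd->netdev);
    if (fbnic_phylink_create(fbd->netdev)) {
        if (!fixed) fbnic_phylink_destroy(fbd->netdev);
        free(fbd->netdev);               /* free_netdev() stand-in */
        if (fixed) fbd->netdev = NULL;   /* keeps !fbd->netdev guards honest */
        return -1;
    }
    return 0;
}
/* One failing probe: how many times was the already-released PCS destroyed? */
static int probe_underflows(bool fixed) {
    struct fbnic_dev fbd = { NULL };
    underflows = 0;
    fbnic_netdev_alloc(&fbd, fixed);
    return underflows;
}
/* Does a failing probe leave fbd->netdev cleared for later !netdev checks? */
static bool probe_clears_netdev(bool fixed) {
    struct fbnic_dev fbd = { NULL };
    fbnic_netdev_alloc(&fbd, fixed);
    return fbd.netdev == NULL;
}
```

The buggy variant reports exactly one underflow, which is the second xpcs_destroy_pcs() call in the trace above; the fixed variant reports none and leaves fbd->netdev NULL.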