Date: Thu, 7 May 2026 08:35:21 -0700
From: Bobby Eshleman
To: Jakub Kicinski
Cc: Paolo Abeni, Alexander Duyck, kernel-team@meta.com, Andrew Lunn, "David S. Miller", Eric Dumazet, Russell King, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Bobby Eshleman
Subject: Re: [PATCH net v2] eth: fbnic: fix double-free of PCS on phylink creation failure
Message-ID:
References: <20260504-fbnic-pcs-fix-v2-1-de45192821d9@meta.com> <6cec0c03-5bdc-4131-9899-bc5c77fba198@redhat.com> <20260507072453.5eec7051@kernel.org> <20260507072954.263ae8dd@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <20260507072954.263ae8dd@kernel.org>

On Thu, May 07, 2026 at 07:29:54AM -0700, Jakub Kicinski wrote:
> On Thu, 7 May 2026 07:24:53 -0700 Jakub Kicinski wrote:
> > On Thu, 7 May 2026 12:34:24 +0200 Paolo Abeni wrote:
> > > > Clearing fbd->netdev to NULL avoids UAF in init_failure_mode where
> > > > callers guard by checking !fbd->netdev, such as fbnic_mdio_read_pmd().
> > > > These callers remain active even after a failed probe, so fbd->netdev
> > > > still needs to be cleared.
> > > >
> > > > Fixes: d0fe7104c795 ("fbnic: Replace use of internal PCS w/ Designware XPCS")
> > > > Signed-off-by: Bobby Eshleman
> > >
> > > Note that sashiko-gemini spotted a pre-existing issue:
> > >
> > > https://sashiko.dev/#/patchset/20260504-fbnic-pcs-fix-v2-1-de45192821d9%40meta.com
> > >
> > > does not block this patch but could deserve a follow-up.
> >
> > fbd is a devlink priv, not netdev priv, touching it after free_netdev()
> > is perfectly fine. I wish Gemini tried a *little* harder instead of
> > guessing :| Sorry for not commenting earlier.
>
> Ugh, not enough coffee. It's complaining about MDIO reads, I think
> that's valid.

It is, but I think the race pre-exists.

static int fbnic_mdio_read_pmd(struct fbnic_dev *fbd, int addr, int regnum)
[...]
	if (fbd->netdev) {
		fbn = netdev_priv(fbd->netdev);
		if (fbn->aui < FBNIC_AUI_UNKNOWN)
			aui = fbn->aui;
	}

Definitely possible that ->netdev gets freed concurrently with
fbd->netdev evaluating to true... but fbnic_netdev_free() faces the same
race.

I'm open to fixing this all at once, if preferred. Probably need to look
at some of the other fbnic_net ptr guards too.

Best,
Bobby
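The race Bobby describes is a check-then-use on a pointer field: the NULL test and the later dereference are two separate reads of the same field, and a teardown path that clears and frees the object can run between them. The following is an added illustration written for this page; it is not fbnic code and not part of the thread. Every name in it (struct net, struct dev, dev_read_aui_racy, dev_read_aui_locked, net_release, net_release_locked, scenario, AUI_UNKNOWN) is hypothetical, and the lock is a deterministic model rather than a real mutex, so the interleaving can be forced and asserted on. The racy pair reproduces the guard pattern from the quoted snippet; the locked pair shows the usual fix, where the check, the use, and the clearing of the pointer all sit under one lock.

```c
/* Added illustration, not fbnic code. All names are hypothetical and the
 * lock is modelled (a flag plus a deferred-teardown slot), not a real mutex,
 * so the interleaving is deterministic. */
#include <stddef.h>
#include <stdio.h>

#define AUI_UNKNOWN 5   /* constructed sentinel meaning "no valid link mode" */

struct net {
    int aui;        /* link mode; meaningful only while the object is alive */
    int released;   /* test-only marker set when the object is torn down */
};

struct dev {
    struct net *netdev; /* pointer a teardown path may clear at any time */
    int lock_held;      /* modelled lock that is meant to guard netdev */
    int free_pending;   /* teardown deferred because a reader held the lock */
};

/* Teardown as written in the racy design: clear and release, no lock. */
static void net_release(struct dev *d)
{
    struct net *n = d->netdev;
    d->netdev = NULL;
    if (n)
        n->released = 1;   /* stands in for free(); kept so the test can look */
}

static void dev_lock(struct dev *d) { d->lock_held = 1; }

static void dev_unlock(struct dev *d)
{
    d->lock_held = 0;
    if (d->free_pending) {      /* a teardown that waited on us runs now */
        d->free_pending = 0;
        net_release(d);
    }
}

/* Teardown in the fixed design: clear only while holding the same lock the
 * readers take. If a reader holds it, wait (modelled as "run at unlock"). */
static void net_release_locked(struct dev *d)
{
    if (d->lock_held) {
        d->free_pending = 1;
        return;
    }
    dev_lock(d);
    net_release(d);
    dev_unlock(d);
}

/* Racy reader: the NULL check and the dereference are separate loads with
 * nothing to stop teardown between them; 'preempt' models the other CPU
 * running at exactly that point. Returns -1 when it read a released object,
 * which is where a real kernel has a use-after-free (or a NULL dereference
 * if the compiler re-loads the field instead of keeping the local copy). */
static int dev_read_aui_racy(struct dev *d, void (*preempt)(struct dev *))
{
    int aui = AUI_UNKNOWN;
    if (d->netdev) {
        struct net *n = d->netdev;
        if (preempt)
            preempt(d);
        if (n->released)
            return -1;
        if (n->aui < AUI_UNKNOWN)
            aui = n->aui;
    }
    return aui;
}

/* Locked reader: check and use form one critical section, and teardown
 * clears the pointer under the same lock, so it cannot slip in between. */
static int dev_read_aui_locked(struct dev *d, void (*preempt)(struct dev *))
{
    int aui = AUI_UNKNOWN;
    dev_lock(d);
    if (d->netdev) {
        struct net *n = d->netdev;
        if (preempt)
            preempt(d);       /* teardown is forced to wait here */
        if (n->released) {    /* unreachable in this design */
            dev_unlock(d);
            return -1;
        }
        if (n->aui < AUI_UNKNOWN)
            aui = n->aui;
    }
    dev_unlock(d);
    return aui;
}

struct outcome {
    int aui;            /* what the reader returned */
    int netdev_cleared; /* whether teardown ran by the end */
};

/* Run one reader against a teardown that fires between its check and use.
 * locked == 0 uses the racy pair, anything else the lock-bracketed pair. */
struct outcome scenario(int locked)
{
    struct net n = { .aui = 2, .released = 0 };   /* constructed sample state */
    struct dev d = { .netdev = &n, .lock_held = 0, .free_pending = 0 };
    struct outcome o;

    o.aui = locked ? dev_read_aui_locked(&d, net_release_locked)
                   : dev_read_aui_racy(&d, net_release);
    o.netdev_cleared = (d.netdev == NULL);
    return o;
}

int main(void)
{
    struct outcome racy = scenario(0), locked = scenario(1);
    printf("racy:   aui=%d cleared=%d\n", racy.aui, racy.netdev_cleared);
    printf("locked: aui=%d cleared=%d\n", locked.aui, locked.netdev_cleared);
    return 0;
}
```

In the racy run the reader's guard passes, teardown releases the object, and the reader then consumes released memory; in the locked run the reader finishes with a valid value and teardown only clears the pointer once the lock is dropped. The same structure applies to the second half of the thread's point: if the teardown path itself reads the pointer, clears it and frees it without the lock, it races in the same way, so both sides need to use the one lock (or an equivalent such as RCU with a synchronised free) for the guard to mean anything.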