Date: Tue, 14 Apr 2026 08:54:55 +0200
X-Mailing-List: netdev@vger.kernel.org
Subject: Re: [Intel-wired-lan] [PATCH net] idpf: fix double free and use-after-free in aux device error paths
From: Paul Menzel
To: Greg Kroah-Hartman
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Tony Nguyen, Przemek Kitszel, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, stable
References: <2026041116-retail-bagginess-250f@gregkh>
In-Reply-To: <2026041116-retail-bagginess-250f@gregkh>

Dear Greg,

Thank you for the patch.

On 11.04.26 at 12:12, Greg Kroah-Hartman wrote:
> When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
> idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
> auxiliary_device_uninit() and falls through to err_aux_dev_init. The
> uninit call will trigger put_device(), which invokes the release
> callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
> iadev. The fall-through then reads adev->id from the freed iadev for
> ida_free() and double-frees iadev with kfree().
>
> Free the IDA slot and clear the back-pointer before uninit, while adev
> is still valid, then return immediately.
>
> Commit 65637c3a1811 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev

The commit hash is pasted twice.

> deinitialization") fixed the same use-after-free in the matching unplug
> path in this file but missed both probe error paths.
>
> Cc: Tony Nguyen
> Cc: Przemek Kitszel
> Cc: Andrew Lunn
> Cc: "David S. Miller"
> Cc: Eric Dumazet
> Cc: Jakub Kicinski
> Cc: Paolo Abeni
> Cc: stable
> Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman > --- > Note, these cleanup paths are messy, but I couldn't see a simpler way > without a lot more rework, so I choose the simple way :) > > drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c > index 7e4f4ac92653..b7d6b08fc89e 100644 > --- a/drivers/net/ethernet/intel/idpf/idpf_idc.c > +++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c > @@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info, > return 0; > > err_aux_dev_add: > + ida_free(&idpf_idc_ida, adev->id); > + vdev_info->adev = NULL; > auxiliary_device_uninit(adev); > + return ret; > err_aux_dev_init: > ida_free(&idpf_idc_ida, adev->id); > err_ida_alloc: > @@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct iidc_rdma_core_dev_info *cdev_info) > return 0; > > err_aux_dev_add: > + ida_free(&idpf_idc_ida, adev->id); > + cdev_info->adev = NULL; > auxiliary_device_uninit(adev); > + return ret; > err_aux_dev_init: > ida_free(&idpf_idc_ida, adev->id); > err_ida_alloc: Reviewed-by: Paul Menzel gemini/gemini-3.1-pro-preview has two comments [1]. Maybe the driver developers could judge their relevance. Kind regards, Paul [1]: https://sashiko.dev/#/patchset/2026041116-retail-bagginess-250f%40gregkh
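
Review bot: In the idpf_plug_vport_aux_dev() hunk, the new `return ret;` under err_aux_dev_add carries no comment explaining why this label must not fall through to err_aux_dev_init, and `ida_free(&idpf_idc_ida, adev->id);` now appears in two adjacent labels. A one-line comment above `auxiliary_device_uninit(adev);` stating that uninit ends in the release callback that frees iadev (as the commit message describes), so adev must not be touched afterwards, would keep a later cleanup from merging the two labels again and reintroducing the double free.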
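
Review bot: In the idpf_plug_core_aux_dev() hunk, `cdev_info->adev = NULL;` is added only under err_aux_dev_add, while the err_aux_dev_init label below it shows just the ida_free() before err_ida_alloc, where the visible context ends. If cdev_info->adev is assigned before auxiliary_device_init() is called, the init-failure path needs the same clearing, otherwise the back-pointer would refer to memory released by the kfree() the commit message mentions. Please confirm that the code after err_ida_alloc already resets it; the same question applies to vdev_info->adev in the vport hunk.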