* [PATCH] net: mana: fix use-after-free in add_adev() error path
@ 2026-03-18 15:40 Guangshuo Li
2026-03-19 18:18 ` Simon Horman
2026-03-21 0:54 ` [EXTERNAL] " Long Li
0 siblings, 2 replies; 3+ messages in thread
From: Guangshuo Li @ 2026-03-18 15:40 UTC (permalink / raw)
To: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Saurabh Sengar, Erni Sri Satya Vennela,
Shradha Gupta, Dipayaan Roy, Aditya Garg, Shiraz Saleem,
Leon Romanovsky, linux-hyperv, netdev, linux-kernel
Cc: Guangshuo Li, stable
If auxiliary_device_add() fails, add_adev() calls
auxiliary_device_uninit(adev), whose release callback adev_release()
frees the containing struct mana_adev.
The current error path then falls through to init_fail and accesses
adev->id. Since adev is embedded in struct mana_adev, this may lead
to a use-after-free.
Fix it by storing the allocated auxiliary device id in a local
variable and using that saved id in the cleanup path after
auxiliary_device_uninit().
Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 1ad154f9db1a..70d71594c599 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char *name)
{
struct auxiliary_device *adev;
struct mana_adev *madev;
+ int id;
int ret;
madev = kzalloc(sizeof(*madev), GFP_KERNEL);
@@ -3372,7 +3373,8 @@ static int add_adev(struct gdma_dev *gd, const char *name)
ret = mana_adev_idx_alloc();
if (ret < 0)
goto idx_fail;
- adev->id = ret;
+ id = ret;
+ adev->id = id;
adev->name = name;
adev->dev.parent = gd->gdma_context->dev;
@@ -3398,7 +3400,7 @@ static int add_adev(struct gdma_dev *gd, const char *name)
auxiliary_device_uninit(adev);
init_fail:
- mana_adev_idx_free(adev->id);
+ mana_adev_idx_free(id);
idx_fail:
kfree(madev);
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] net: mana: fix use-after-free in add_adev() error path
2026-03-18 15:40 [PATCH] net: mana: fix use-after-free in add_adev() error path Guangshuo Li
@ 2026-03-19 18:18 ` Simon Horman
2026-03-21 0:54 ` [EXTERNAL] " Long Li
1 sibling, 0 replies; 3+ messages in thread
From: Simon Horman @ 2026-03-19 18:18 UTC (permalink / raw)
To: Guangshuo Li
Cc: K. Y. Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Saurabh Sengar, Erni Sri Satya Vennela,
Shradha Gupta, Dipayaan Roy, Aditya Garg, Shiraz Saleem,
Leon Romanovsky, linux-hyperv, netdev, linux-kernel, stable
On Wed, Mar 18, 2026 at 11:40:41PM +0800, Guangshuo Li wrote:
> If auxiliary_device_add() fails, add_adev() calls
> auxiliary_device_uninit(adev), whose release callback adev_release()
> frees the containing struct mana_adev.
>
> The current error path then falls through to init_fail and accesses
> adev->id. Since adev is embedded in struct mana_adev, this may lead
> to a use-after-free.
It isn't clear to me how the use-after-free manifests.
Could you elaborate?
>
> Fix it by storing the allocated auxiliary device id in a local
> variable and using that saved id in the cleanup path after
> auxiliary_device_uninit().
>
> Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
As a bug fix for code present in the net tree, this patch
should be targeted at that tree like this.
Subject: [PATCH net] ...
And it should apply to that tree.
As it is the CI tries to apply this patch to the default tree, net-next.
Which fails. So there is no further CI performed.
> ---
> drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index 1ad154f9db1a..70d71594c599 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char *name)
> {
> struct auxiliary_device *adev;
> struct mana_adev *madev;
> + int id;
> int ret;
Please preserve reverse xmas tree order for local variables - longest line
to shortest.
>
> madev = kzalloc(sizeof(*madev), GFP_KERNEL);
...
--
pw-bot: changes-requested
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: [EXTERNAL] [PATCH] net: mana: fix use-after-free in add_adev() error path
2026-03-18 15:40 [PATCH] net: mana: fix use-after-free in add_adev() error path Guangshuo Li
2026-03-19 18:18 ` Simon Horman
@ 2026-03-21 0:54 ` Long Li
1 sibling, 0 replies; 3+ messages in thread
From: Long Li @ 2026-03-21 0:54 UTC (permalink / raw)
To: Guangshuo Li, KY Srinivasan, Haiyang Zhang, Wei Liu, Dexuan Cui,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Saurabh Sengar, Erni Sri Satya Vennela,
Shradha Gupta, Dipayaan Roy, Aditya Garg, Shiraz Saleem,
Leon Romanovsky, linux-hyperv@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
> If auxiliary_device_add() fails, add_adev() calls auxiliary_device_uninit(adev),
> whose release callback adev_release() frees the containing struct mana_adev.
>
> The current error path then falls through to init_fail and accesses
> adev->id. Since adev is embedded in struct mana_adev, this may lead
> to a use-after-free.
>
> Fix it by storing the allocated auxiliary device id in a local variable and using that
> saved id in the cleanup path after auxiliary_device_uninit().
>
> Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Long Li <longli@microsoft.com>
Thank you.
> ---
> drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c
> b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index 1ad154f9db1a..70d71594c599 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char
> *name) {
> struct auxiliary_device *adev;
> struct mana_adev *madev;
> + int id;
> int ret;
>
> madev = kzalloc(sizeof(*madev), GFP_KERNEL); @@ -3372,7 +3373,8 @@
> static int add_adev(struct gdma_dev *gd, const char *name)
> ret = mana_adev_idx_alloc();
> if (ret < 0)
> goto idx_fail;
> - adev->id = ret;
> + id = ret;
> + adev->id = id;
>
> adev->name = name;
> adev->dev.parent = gd->gdma_context->dev; @@ -3398,7 +3400,7 @@
> static int add_adev(struct gdma_dev *gd, const char *name)
> auxiliary_device_uninit(adev);
>
> init_fail:
> - mana_adev_idx_free(adev->id);
> + mana_adev_idx_free(id);
>
> idx_fail:
> kfree(madev);
> --
> 2.43.0
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-21 0:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-18 15:40 [PATCH] net: mana: fix use-after-free in add_adev() error path Guangshuo Li
2026-03-19 18:18 ` Simon Horman
2026-03-21 0:54 ` [EXTERNAL] " Long Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox