From nobody Mon Apr  6 17:26:37 2026
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com
 [209.85.214.175])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33D4833121C
	for <linux-kernel@vger.kernel.org>; Wed, 18 Mar 2026 15:41:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.175
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773848463; cv=none;
 b=F+GvDS6HUR/MxaKBlgxpkzr45TQ+oOxgLtVaIcTdDK799fGhxji9YFGVQO50SsSv1ecaayyPMgMPgCe/q6JbZ1osc2b5fQGKax3lZfp0yhuF0RICs2SQyi4YVoJJ/u7DKKunFCuoaVX5r4q0O49nKyWt326CzaJRZl6IuJEz+9M=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773848463; c=relaxed/simple;
	bh=KxCg9HM2B8Sqb5kfUOUvgEPx1OUj+gKVqH0z2u8OunQ=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=uIHmU30t5rskOfIA/9+LMYBDcDwDYuwDyRXIV44tWbAz3cBDcygcfuEdP20kHtq4RwLOsEo7UQ+h0hcBaCqbc8lkCHlZLwvhM9EXxjuyn/oyW441GIAmPJuKyOEwY/GNOaiJ4a5frWde05Tsbpl0kNCBQIjLfVpsvjBbUbRanWg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=bYIVxUZr; arc=none smtp.client-ip=209.85.214.175
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="bYIVxUZr"
Received: by mail-pl1-f175.google.com with SMTP id
 d9443c01a7336-2b04fc8851cso41222925ad.0
        for <linux-kernel@vger.kernel.org>;
 Wed, 18 Mar 2026 08:40:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1773848459; x=1774453259;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=9y+pNa6bjnkhcSISFIIKI60hKR4+nSBy2ZBJr+2i9Is=;
        b=bYIVxUZr09EzR3Cu7oZttNU4TSOCLtAOzoOtqE8W3vUUxi62s39Qd/lpcHaD0mh3b7
         evw3Y6erkX+UeuFiUVaDISglwS1NByfWCmJgGAIJt/tVyHEwXfiI79d2gKYQCAGlYLQS
         0U9Pgy8TYXesYyT4H11l+/TVFofs2oL6QYKHjQS8hrYWUqSgK4JXm1xp6wquZlyOuAqf
         Ntqj1HTwfVRGWSp92cu9aggcGfhoA3jx73hKVGGrlLEV0CspkjzEsr4B6MOthohDQyTG
         oMSVTmrRStg2Ph9I9M3WlVbVQs19rdKjOT8FGV3QNJeaWEBUxPaqyRwZSAgUcdYEIln7
         KYwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773848459; x=1774453259;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9y+pNa6bjnkhcSISFIIKI60hKR4+nSBy2ZBJr+2i9Is=;
        b=iPhiRMN2n8qR93pzkBqgnJylr+DpRo8WHTqWis2wX0m5UU7+Lvh3WvtWc+pnnT6KVC
         EHSr+8QoQzG84ysV4QowNJRseFVmOgPmOl8Ru0gyjkvPn9AKXyhM2tfk9KDdfy+u3jf1
         uUC/3Qtf4yu0dliZzaSrovYWpxufu0uLEDdeS5VH69/kPdPuue118hv6M/FExfrLiqGk
         pfxsnZAVz8guJNRyHvoskLXUtq2k1tvkzCJmJSo3EsEyMnYbzouwOVpXJ0AQ5b99k0fQ
         xeNVFZH8FzaJYKrmitXXX1jEaBN5p4gu9YAVdEZjZrhsycQUR6XSs3mje7bfIuBV416V
         OMdg==
X-Forwarded-Encrypted: i=1;
 AJvYcCVqWjVaj4z/EkAG05ncg0jXGcSKNQi6bMRqqEZhHAYWpX3usC3frdW3p/BA1YdMBKdEIzXU1tnegVH6PqU=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxz0TuCW4vLo5tYUTILeXXl+PSz7Pun3JO3a7pldsrGYNR2oCUD
	Qz6fJ0SV2JMM0rjW7xdRAFB8x/jJO9F2wC0emPoiJV/Oj5SNeI+AMEWU
X-Gm-Gg: ATEYQzzFJXMmTwj+/BPW35NNatvnBaMAEXwlpwFECC8vIXr5ngX9Cj1wEIbHgyAnD49
	boqvoc5St7T2csvnwobj/2mPjD9Z3zGDkb6ewSlyUtBvgznUsNcpfA+8CptMhnLzp3DStgjin4N
	2Bnu9AY3x5B4lBdDogWgWe//HeMOyN74OqIFCSJkU9aZJ/DDAxXMjmQ9PrAwYq4gz2kjGy6pkbG
	pXwsiA5AlVc+Vqjth/QmR7OdOOJq1+QenHJ4FMjF2RMUq9mBXRkY3/rPbxBb2hVi+qeDQIfbMY4
	ZVa3maEqLWA8vHAq1ChN00OmTDEABtN5CLuUNq/vlUE0+mA9VpoVoeUbNg/z7RNz97Em5EfQxM8
	ai8ZTvNfR+eidooSKlnKYRslxRlPz1sGPu43K0b9rvrPpd1HUW6VNY6Le3C0xMjT3ZK+GQyMsnB
	VdPLfFyvf8j1mg9A==
X-Received: by 2002:a17:903:2f0c:b0:2ae:4847:cace with SMTP id
 d9443c01a7336-2b06e3ca490mr40674705ad.28.1773848459371;
        Wed, 18 Mar 2026 08:40:59 -0700 (PDT)
Received: from lgs.. ([36.255.193.30])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2b06e431c1asm31772365ad.24.2026.03.18.08.40.53
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 18 Mar 2026 08:40:58 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: "K. Y. Srinivasan" <kys@microsoft.com>,
	Haiyang Zhang <haiyangz@microsoft.com>,
	Wei Liu <wei.liu@kernel.org>,
	Dexuan Cui <decui@microsoft.com>,
	Long Li <longli@microsoft.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Saurabh Sengar <ssengar@linux.microsoft.com>,
	Erni Sri Satya Vennela <ernis@linux.microsoft.com>,
	Shradha Gupta <shradhagupta@linux.microsoft.com>,
	Dipayaan Roy <dipayanroy@linux.microsoft.com>,
	Aditya Garg <gargaditya@linux.microsoft.com>,
	Shiraz Saleem <shirazsaleem@microsoft.com>,
	Leon Romanovsky <leon@kernel.org>,
	linux-hyperv@vger.kernel.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>,
	stable@vger.kernel.org
Subject: [PATCH] net: mana: fix use-after-free in add_adev() error path
Date: Wed, 18 Mar 2026 23:40:41 +0800
Message-ID: <20260318154041.638747-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

If auxiliary_device_add() fails, add_adev() calls
auxiliary_device_uninit(adev), whose release callback adev_release()
frees the containing struct mana_adev.

The current error path then falls through to init_fail and accesses
adev->id. Since adev is embedded in struct mana_adev, this may lead
to a use-after-free.

Fix it by storing the allocated auxiliary device id in a local
variable and using that saved id in the cleanup path after
auxiliary_device_uninit().

Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Hardik Garg <hargar@linux.microsoft.com>
---
 drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/et=
hernet/microsoft/mana/mana_en.c
index 1ad154f9db1a..70d71594c599 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char *=
name)
 {
 	struct auxiliary_device *adev;
 	struct mana_adev *madev;
+	int id;
 	int ret;
=20
 	madev =3D kzalloc(sizeof(*madev), GFP_KERNEL);
@@ -3372,7 +3373,8 @@ static int add_adev(struct gdma_dev *gd, const char *=
name)
 	ret =3D mana_adev_idx_alloc();
 	if (ret < 0)
 		goto idx_fail;
-	adev->id =3D ret;
+	id =3D ret;
+	adev->id =3D id;
=20
 	adev->name =3D name;
 	adev->dev.parent =3D gd->gdma_context->dev;
@@ -3398,7 +3400,7 @@ static int add_adev(struct gdma_dev *gd, const char *=
name)
 	auxiliary_device_uninit(adev);
=20
 init_fail:
-	mana_adev_idx_free(adev->id);
+	mana_adev_idx_free(id);
=20
 idx_fail:
 	kfree(madev);
--=20
2.43.0