From: Guangshuo Li
To: "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui, Long Li, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Saurabh Sengar, Erni Sri Satya Vennela, Shradha Gupta, Aditya Garg, Dipayaan Roy, Shiraz Saleem, Leon Romanovsky, linux-hyperv@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH net v2] net: mana: fix use-after-free in add_adev() error path
Date: Sat, 21 Mar 2026 13:39:18 +0800
Message-ID: <20260321053918.791068-1-lgs201920130244@gmail.com>

If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
auxiliary_device_uninit(adev).

The auxiliary device has its release callback set to adev_release(),
which frees the containing struct mana_adev. Since adev is embedded in
struct mana_adev, the subsequent fall-through to init_fail and access
to adev->id may result in a use-after-free.

Fix this by saving the allocated auxiliary device id in a local
variable before calling auxiliary_device_add(), and use that saved id
in the cleanup path after auxiliary_device_uninit().

Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
Cc: stable@vger.kernel.org
Reviewed-by: Long Li
Signed-off-by: Guangshuo Li --- v2: - explain the UAF in more detail - retarget to net - preserve reverse xmas tree order for local variables drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/et= hernet/microsoft/mana/mana_en.c index 1ad154f9db1a..70d71594c599 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char *= name) { struct auxiliary_device *adev; struct mana_adev *madev; + int id; int ret; =20 madev =3D kzalloc(sizeof(*madev), GFP_KERNEL); @@ -3372,7 +3373,8 @@ static int add_adev(struct gdma_dev *gd, const char *= name) ret =3D mana_adev_idx_alloc(); if (ret < 0) goto idx_fail; - adev->id =3D ret; + id =3D ret; + adev->id =3D id; =20 adev->name =3D name; adev->dev.parent =3D gd->gdma_context->dev; @@ -3398,7 +3400,7 @@ static int add_adev(struct gdma_dev *gd, const char *= name) auxiliary_device_uninit(adev); =20 init_fail: - mana_adev_idx_free(adev->id); + mana_adev_idx_free(id); =20 idx_fail: kfree(madev); --=20 2.43.0
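
Review bot: In the last hunk, the add_fail path still falls through init_fail into idx_fail and reaches kfree(madev) after auxiliary_device_uninit(adev), which by the commit message's own description has already freed the containing struct mana_adev through adev_release(), so the fall-through that produced the adev->id read also looks like a double free of madev. Saving the id in a local removes the stale read, but the trailing context "idx_fail: kfree(madev);" is unchanged. Consider ending the add_fail path on its own, calling mana_adev_idx_free(id) and returning ret right after auxiliary_device_uninit(adev), so that init_fail and idx_fail are only reached when the release callback has not run. If kfree(madev) is safe on that path for a reason not visible in this diff, a one-line comment at idx_fail saying why would settle it.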