From nobody Sun Apr 5 18:11:19 2026 Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 804BE3B2FC6 for ; Mon, 23 Mar 2026 16:57:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774285071; cv=none; b=ckA/mcPdgzQqPLooFqxvwRBUVJIhkCovH8/Hh9MrvNHy+0dWtpHu5b125XYf2Ly+Y0wEA2tVLOiErWpVr2hQjuK67dLKRKJqpUTbJnfu7OBMwE7hbSfl5vFU29wfyRINgg9DMJA4/JEEh/0KWxsin6KAaB+iuERhp5ncR6S5W/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774285071; c=relaxed/simple; bh=HaKS3N/t/8+2h/Pc8TJ2Vb22p+n4if8KpkCVDIHQAXY=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=D4kz4qsGnrkXuEQdAQ7JT/+EEFB6omYLMKLi6LP9H1NbwA4PznG165S/1ECTcfQC2sujZlSq+EdJD5hsqYiQJQTe7tjU7K1bJzg76qvsq9tyR+VlYNhPhk0KKRUprs+7C3iFzgWqFw5K79mEl1jszHWHrGaD1BQij1KcZpE90b0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=W6gMHxuI; arc=none smtp.client-ip=209.85.216.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="W6gMHxuI" Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-35a1f3f07ebso1467564a91.3 for ; Mon, 23 Mar 2026 09:57:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1774285070; x=1774889870; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=sZEofwQC58MPpqn9prf+xK4zUFx1LJf9Y6fgKZotzZc=; b=W6gMHxuINpmkk1y+5VslwAOuEjlg+NwOK1UUVjsCllKPuEMXqzhUzVruKjme8dM2Yo rFgEl2mCNsCHA2Uu0Dvi61vuKaxQvI9GPgWi8LuCBIAZMcYlkHOdZPuSGXVlUkX3xgjp 7qAwF0/jUACCQ98tU/HRb0UFLOtLxCIWg4M/0Ucxw5IqrJtXpniZB+fT/Ja/SssbIGRB b5RZF6Cay1HyKNELdvYQfR40MWxHwKzSAojPTAla6XvZBL0a3Ob7HFMJ0nRE688UF8T/ s6uLlt8ccaK4fvxjGxBpRkcs2ILreI6mzv34nBNMNMUxKy7dATRVq2w8MsZsxr3f4gp0 ShdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774285070; x=1774889870; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=sZEofwQC58MPpqn9prf+xK4zUFx1LJf9Y6fgKZotzZc=; b=FfAFaYc4B088NibC2sEem3PLWXY3TophFLJrvMaWJ6pBx1VVR2B3ERTbmBxlYzhjET OCM3+5xUIEjMzRQFt6ZXPjBMbOBFTjPFMEnn1zkKMohUX20rrL5st4/K6+WdaPZWG8x8 Fp0AxFT5HacQrl+rCyL3WYqkDyBV+fE/nyFxt8XHbNUzr8bT1+cMrToOK1A4Nn4qLmZ8 rkigxl8CApPTHb/avcZg8MQ0xzjHUi6quNjJG5WDu7oGuGefHtbjNzVNW4vXgOsLc3ye wTwCX+ga2z7lj+gjUgiEI34x8UzjyrTW0kj+AsInFU2i7ZVAYdTS3lsUeSHFMZOJB52m SQaw== X-Forwarded-Encrypted: i=1; AJvYcCXrQU1voFOxRrj7iK/6Sn++5L7bSwLpfG2BIdjUHnL+ejr0oYvLN9FD7gRKYYw7KircKlE7lmaL+u//0ec=@vger.kernel.org X-Gm-Message-State: AOJu0Yx5mhstF2S/NSAKG6tTiHZtFxqPsaivN/pzE2Hf613vFUC8tEaa HC/iDtsBgPIFBesasC+0l8tU6qzOBaQGoWdbXyC3+T+Sn2nflHpG7TF4 X-Gm-Gg: ATEYQzxu5xxjjGwUkOG6Bnlc7CMNqsbaCMnbUpczYMANld6zdDhceI8yRiXNAKcfHWL /WIRa/tjPWgbm6aOOnhv0w0Xc6oNbJCRCNIJ4BDjJxUj2Ezd5/mTmO1LG4OnDlFXWOSlw7gWHny m5WOJRzi2yKd8u5/o//+VGskEl360ye75np8xLvRoHCkEf2aW218bnlI0wC4LNSV3+9ManiMhwa LsFSbXfuNKzQvoB/LQPHy4rfx+cvBLBRb61SVMzknRducce/ovgE8Z+7wlzgdRo/9gYV2HdfWDr OGOqtSDbJBn54d9XnGxnxLGTO8x1bJWkdUiRwZLTTnhBQny9q1Dn3mLPwX6P/GOxkU+PM6Ey/RA 1DK8ZNXDbUjRVhPw8og8EV5bgl1r88z/pJIeqERV4W1ZJsoijOUgXu8KCfINCwiUXeDUJ4Us3nt eBVgDMLp1tAGAoDCU= X-Received: by 2002:a17:90b:4a50:b0:359:fc88:fa99 with SMTP id 98e67ed59e1d1-35bd2d39c11mr10734530a91.26.1774285069752; Mon, 23 Mar 2026 09:57:49 -0700 (PDT) Received: from lgs.. ([199.182.234.55]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35bd4109c3bsm10185767a91.13.2026.03.23.09.57.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Mar 2026 09:57:49 -0700 (PDT) From: Guangshuo Li To: "K. Y. Srinivasan" , Haiyang Zhang , Wei Liu , Dexuan Cui , Long Li , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Erni Sri Satya Vennela , Dipayaan Roy , Aditya Garg , Shiraz Saleem , Kees Cook , Leon Romanovsky , linux-hyperv@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PPATCH net v3] net: mana: fix use-after-free in add_adev() error path Date: Tue, 24 Mar 2026 00:57:30 +0800 Message-ID: <20260323165730.945365-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set to adev_release(), which frees the containing struct mana_adev. Since adev is embedded in struct mana_adev, the subsequent fall-through to init_fail and access to adev->id may result in a use-after-free. Fix this by saving the allocated auxiliary device id in a local variable before calling auxiliary_device_add(), and use that saved id in the cleanup path after auxiliary_device_uninit(). Fixes: a69839d4327d ("net: mana: Add support for auxiliary device") Cc: stable@vger.kernel.org Reviewed-by: Long Li Signed-off-by: Guangshuo Li --- v2: - explain the UAF in more detail - retarget to net - preserve reverse xmas tree order for local variables v3: - rebase onto the current net tree drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/et= hernet/microsoft/mana/mana_en.c index 9017e806ecda..d03f42245ab8 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -3424,6 +3424,7 @@ static int add_adev(struct gdma_dev *gd, const char *= name) { struct auxiliary_device *adev; struct mana_adev *madev; + int id; int ret; =20 madev =3D kzalloc_obj(*madev); @@ -3434,7 +3435,8 @@ static int add_adev(struct gdma_dev *gd, const char *= name) ret =3D mana_adev_idx_alloc(); if (ret < 0) goto idx_fail; - adev->id =3D ret; + id =3D ret; + adev->id =3D id; =20 adev->name =3D name; adev->dev.parent =3D gd->gdma_context->dev; @@ -3460,7 +3462,7 @@ static int add_adev(struct gdma_dev *gd, const char *= name) auxiliary_device_uninit(adev); =20 init_fail: - mana_adev_idx_free(adev->id); + mana_adev_idx_free(id); =20 idx_fail: kfree(madev); --=20 2.43.0