Re: [PATCH] net: mana: fix use-after-free in add_adev() error path
From: Simon Horman
Date: Thu Mar 19 2026 - 14:19:43 EST
On Wed, Mar 18, 2026 at 11:40:41PM +0800, Guangshuo Li wrote:
> If auxiliary_device_add() fails, add_adev() calls
> auxiliary_device_uninit(adev), whose release callback adev_release()
> frees the containing struct mana_adev.
>
> The current error path then falls through to init_fail and accesses
> adev->id. Since adev is embedded in struct mana_adev, this may lead
> to a use-after-free.
It isn't clear to me how the use-after-free manifests.
Could you elaborate?
>
> Fix it by storing the allocated auxiliary device id in a local
> variable and using that saved id in the cleanup path after
> auxiliary_device_uninit().
>
> Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
As a bug fix for code present in the net tree, this patch
should be targeted at that tree like this.
Subject: [PATCH net] ...
And it should apply to that tree.
As it is the CI tries to apply this patch to the default tree, net-next.
Which fails. So there is no further CI performed.
> ---
> drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index 1ad154f9db1a..70d71594c599 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char *name)
> {
> struct auxiliary_device *adev;
> struct mana_adev *madev;
> + int id;
> int ret;
Please preserve reverse xmas tree order for local variables - longest line
to shortest.
>
> madev = kzalloc(sizeof(*madev), GFP_KERNEL);
...
--
pw-bot: changes-requested