RE: [EXTERNAL] [PATCH] net: mana: fix use-after-free in add_adev() error path
From: Long Li <longli@microsoft.com>
Date: 2026-03-21 00:54:30
Also in: linux-hyperv, lkml, stable
If auxiliary_device_add() fails, add_adev() calls auxiliary_device_uninit(adev),
whose release callback adev_release() frees the containing struct mana_adev.
The current error path then falls through to init_fail and accesses
adev->id. Since adev is embedded in struct mana_adev, this may lead
to a use-after-free.
Fix it by storing the allocated auxiliary device id in a local variable and using that
saved id in the cleanup path after auxiliary_device_uninit().
Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <redacted>
Reviewed-by: Long Li <longli@microsoft.com>
Thank you.
--- drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.cb/drivers/net/ethernet/microsoft/mana/mana_en.c index 1ad154f9db1a..70d71594c599 100644--- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c@@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char*name) { struct auxiliary_device *adev; struct mana_adev *madev; + int id; int ret; madev = kzalloc(sizeof(*madev), GFP_KERNEL); @@ -3372,7 +3373,8 @@ static int add_adev(struct gdma_dev *gd, const char *name) ret = mana_adev_idx_alloc(); if (ret < 0) goto idx_fail; - adev->id = ret; + id = ret; + adev->id = id; adev->name = name; adev->dev.parent = gd->gdma_context->dev; @@ -3398,7 +3400,7 @@ static int add_adev(struct gdma_dev *gd, const char *name) auxiliary_device_uninit(adev); init_fail: - mana_adev_idx_free(adev->id); + mana_adev_idx_free(id); idx_fail: kfree(madev); -- 2.43.0
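Review bot: in the last hunk, the path that calls auxiliary_device_uninit(adev) still falls through init_fail into idx_fail and reaches kfree(madev), while the commit message says the release callback adev_release() has already freed the containing struct mana_adev at that point. The visible context does not show madev being cleared to NULL before auxiliary_device_add(), so please confirm that it is, and say so in the commit message. Otherwise this path replaces the adev->id read with a double free. A one-line comment above mana_adev_idx_free(id) stating that adev must not be dereferenced once auxiliary_device_uninit() has run would also keep a later cleanup from folding the saved id back into adev->id. The new local id is only read at init_fail, which is reached after id = ret, so leaving it uninitialized at declaration is fine as the labels stand.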