On Mon, Mar 09, 2026 at 11:21:38AM -0700, Dipayaan Roy wrote:
> A potential race condition exists in mana_hwc_destroy_channel() where
> hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
> Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
> handler to dereference freed memory, leading to a use-after-free or
> NULL pointer dereference in mana_hwc_handle_resp().
> 
> mana_smc_teardown_hwc() signals the hardware to stop but does not
> synchronize against IRQ handlers already executing on other CPUs. The
> IRQ synchronization only happens in mana_hwc_destroy_cq() via
> mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
> after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
> can dereference freed caller_ctx (and rxq->msg_buf) in
> mana_hwc_handle_resp().
> 
> Fix this by reordering teardown to reverse-of-creation order: destroy
> the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
> ensures all in-flight interrupt handlers complete before the memory they
> access is freed.
> 
> Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
> Reviewed-by: Haiyang Zhang <[email protected]>
> Signed-off-by: Dipayaan Roy <[email protected]>
> ---
>  drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c 
> b/drivers/net/ethernet/microsoft/mana/hw_channel.c
> index 91975bdb5686..dbbde0fa57e7 100644
> --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
> +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
> @@ -814,9 +814,6 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
>               gc->max_num_cqs = 0;
>       }
>  
> -     kfree(hwc->caller_ctx);
> -     hwc->caller_ctx = NULL;
> -
>       if (hwc->txq)
>               mana_hwc_destroy_wq(hwc, hwc->txq);
>  
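Review bot: The commit message says the in-flight handler dereferences rxq->msg_buf as well as caller_ctx, yet the work queues are still torn down ahead of mana_hwc_destroy_cq(): mana_hwc_destroy_wq(hwc, hwc->txq) remains at the tail of this hunk, before the CQ/EQ teardown that performs the IRQ synchronization. Unless mana_hwc_destroy_wq() synchronizes against the IRQ on its own, freeing the queue buffers here leaves the same race window for msg_buf that this patch closes for caller_ctx. Either move the txq/rxq teardown after mana_hwc_destroy_cq() too, or state in the commit message why the work-queue buffers are safe to free before the IRQ is deregistered.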
> @@ -826,6 +823,9 @@ void mana_hwc_destroy_channel(struct gdma_context *gc)
>       if (hwc->cq)
>               mana_hwc_destroy_cq(hwc->gdma_dev->gdma_context, hwc->cq);
>  
> +     kfree(hwc->caller_ctx);
> +     hwc->caller_ctx = NULL;
> +
>       mana_gd_free_res_map(&hwc->inflight_msg_res);
>  
>       hwc->num_inflight_msg = 0;
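Review bot: The new placement of kfree(hwc->caller_ctx) after mana_hwc_destroy_cq() is the whole fix, but nothing in the code records the ordering constraint, so a future cleanup could reorder it again. Add a short comment above the free, e.g. "/* caller_ctx is read by the CQ IRQ handler; free it only after the CQ/EQ (and their IRQ) are gone */". Also note that the `if (hwc->cq)` guard means the IRQ deregistration is skipped when hwc->cq is NULL; that is fine as no CQ interrupt can be pending without a CQ, but the comment could say so to pre-empt the question. Keeping `hwc->caller_ctx = NULL` alongside the free is good.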
> -- 
> 2.43.0
>
Hi,
I am sending a v2 as I missed adding Stephen.

Thank you.  
