On 3/18/2026 8:40 AM, Guangshuo Li wrote:
> If auxiliary_device_add() fails, add_adev() calls
> auxiliary_device_uninit(adev), whose release callback adev_release()
> frees the containing struct mana_adev.
>
> The current error path then falls through to init_fail and accesses
> adev->id. Since adev is embedded in struct mana_adev, this may lead
> to a use-after-free.
>
> Fix it by storing the allocated auxiliary device id in a local
> variable and using that saved id in the cleanup path after
> auxiliary_device_uninit().
>
> Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
> Cc: [email protected]
> Signed-off-by: Guangshuo Li <[email protected]>
> ---
> drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c
> b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index 1ad154f9db1a..70d71594c599 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -3362,6 +3362,7 @@ static int add_adev(struct gdma_dev *gd, const char
> *name)
> {
> struct auxiliary_device *adev;
> struct mana_adev *madev;
> + int id;
> int ret;
>
> madev = kzalloc(sizeof(*madev), GFP_KERNEL);
> @@ -3372,7 +3373,8 @@ static int add_adev(struct gdma_dev *gd, const char
> *name)
> ret = mana_adev_idx_alloc();
> if (ret < 0)
> goto idx_fail;
> - adev->id = ret;
> + id = ret;
> + adev->id = id;
>
> adev->name = name;
> adev->dev.parent = gd->gdma_context->dev;
> @@ -3398,7 +3400,7 @@ static int add_adev(struct gdma_dev *gd, const char
> *name)
> auxiliary_device_uninit(adev);
>
> init_fail:
> - mana_adev_idx_free(adev->id);
> + mana_adev_idx_free(id);
>
> idx_fail:
> kfree(madev);
Reviewed-by: Hardik Garg <[email protected]>
Thanks,
Hardik
