linux/drivers
Bobby Eshleman 593dfd40a9 eth: fbnic: fix double-free of PCS on phylink creation failure
fbnic_phylink_create() stores the newly allocated PCS in fbn->pcs and
then calls phylink_create(). When phylink_create() fails, the error path
correctly destroys the PCS via xpcs_destroy_pcs(), but the caller,
fbnic_netdev_alloc(), responds by invoking fbnic_netdev_free() which
calls fbnic_phylink_destroy(). That function finds fbn->pcs non-NULL and
calls xpcs_destroy_pcs() a second time on the already-freed object,
triggering a refcount underflow use-after-free:

[   1.934973] fbnic 0000:01:00.0: Failed to create Phylink interface, err: -22
[   1.935103] ------------[ cut here ]------------
[   1.935179] refcount_t: underflow; use-after-free.
[   1.935252] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x59/0x90, CPU#0: swapper/0/1
[   1.935389] Modules linked in:
[   1.935484] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-virtme-04244-g1f5ffc672165-dirty #1 PREEMPT(lazy)
[   1.935661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[   1.935826] RIP: 0010:refcount_warn_saturate+0x59/0x90
[   1.935931] Code: 44 48 8d 3d 49 f9 a7 01 67 48 0f b9 3a e9 bf 1e 96 00 48 8d 3d 48 f9 a7 01 67 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 47 f9 a7 01 <67> 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 46 f9 a7 01 67 48 0f b9 3a
[   1.936274] RSP: 0000:ffffd0d440013c58 EFLAGS: 00010246
[   1.936376] RAX: 0000000000000000 RBX: ffff8f39c188c278 RCX: 000000000000002b
[   1.936524] RDX: ffff8f39c004f000 RSI: 0000000000000003 RDI: ffffffff96abab00
[   1.936692] RBP: ffff8f39c188c240 R08: ffffffff96988e88 R09: 00000000ffffdfff
[   1.936835] R10: ffffffff96878ea0 R11: 0000000000000187 R12: 0000000000000000
[   1.936970] R13: ffff8f39c0cef0c8 R14: ffff8f39c1ac01c0 R15: 0000000000000000
[   1.937114] FS:  0000000000000000(0000) GS:ffff8f3ba08b4000(0000) knlGS:0000000000000000
[   1.937273] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   1.937382] CR2: ffff8f3b3ffff000 CR3: 0000000172642001 CR4: 0000000000372ef0
[   1.937540] Call Trace:
[   1.937619]  <TASK>
[   1.937698]  xpcs_destroy_pcs+0x25/0x40
[   1.937783]  fbnic_netdev_alloc+0x1e5/0x200
[   1.937859]  fbnic_probe+0x230/0x370
[   1.937939]  local_pci_probe+0x3e/0x90
[   1.938013]  pci_device_probe+0xbb/0x1e0
[   1.938091]  ? sysfs_do_create_link_sd+0x6d/0xe0
[   1.938188]  really_probe+0xc1/0x2b0
[   1.938282]  __driver_probe_device+0x73/0x120
[   1.938371]  driver_probe_device+0x1e/0xe0
[   1.938466]  __driver_attach+0x8d/0x190
[   1.938560]  ? __pfx___driver_attach+0x10/0x10
[   1.938663]  bus_for_each_dev+0x7b/0xd0
[   1.938758]  bus_add_driver+0xe8/0x210
[   1.938854]  driver_register+0x60/0x120
[   1.938929]  ? __pfx_fbnic_init_module+0x10/0x10
[   1.939026]  fbnic_init_module+0x25/0x60
[   1.939109]  do_one_initcall+0x49/0x220
[   1.939202]  ? rdinit_setup+0x20/0x40
[   1.939304]  kernel_init_freeable+0x1b0/0x310
[   1.939449]  ? __pfx_kernel_init+0x10/0x10
[   1.939560]  kernel_init+0x1a/0x1c0
[   1.939640]  ret_from_fork+0x1ed/0x240
[   1.939730]  ? __pfx_kernel_init+0x10/0x10
[   1.939805]  ret_from_fork_asm+0x1a/0x30
[   1.939886]  </TASK>
[   1.939927] ---[ end trace 0000000000000000 ]---
[   1.940184] fbnic 0000:01:00.0: Netdev allocation failed

Instead of calling fbnic_phylink_destroy(), the prior initialization of
netdev should just be unrolled with free_netdev() and clearing
fbd->netdev.

Clearing fbd->netdev to NULL avoids UAF in init_failure_mode where
callers guard by checking !fbd->netdev, such as fbnic_mdio_read_pmd().
These callers remain active even after a failed probe, so fbd->netdev
still needs to be cleared.

Fixes: d0fe7104c7 ("fbnic: Replace use of internal PCS w/ Designware XPCS")
Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
Link: https://patch.msgid.link/20260504-fbnic-pcs-fix-v2-1-de45192821d9@meta.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-07 12:34:42 +02:00
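
The ownership mistake described in the commit message, as a user-space C model added here for illustration (not the fbnic driver's code). Function names follow the message; the struct layouts, the function bodies, the `fixed` switch and `failed_probe_underflows()` are assumptions, and the PCS is a static object so the second put can be counted safely.

```c
#include <stdio.h>

/* User-space model: layouts and bodies are assumptions, not driver code. */
struct pcs { int refcount; };
struct fbnic_net { struct pcs *pcs; };
struct fbnic_dev { struct fbnic_net *netdev; };

static struct pcs model_pcs; /* static, so a second put is observable safely */
static int underflows;       /* stands in for the refcount_t underflow WARN */

static void xpcs_destroy_pcs(struct pcs *p)
{
    if (p->refcount-- <= 0)
        underflows++;
}

/* Failing case only: PCS stored in fbn->pcs, then phylink_create() fails. */
static int fbnic_phylink_create(struct fbnic_net *fbn)
{
    model_pcs.refcount = 1;
    fbn->pcs = &model_pcs;
    xpcs_destroy_pcs(fbn->pcs); /* error path drops the PCS, pointer stays set */
    return -22;
}

static void fbnic_netdev_free(struct fbnic_dev *fbd)
{
    if (fbd->netdev->pcs)       /* the check fbnic_phylink_destroy() makes */
        xpcs_destroy_pcs(fbd->netdev->pcs);
    fbd->netdev = NULL; /* free_netdev() omitted: the model netdev is on the stack */
}

/* One failed probe; fixed != 0 unwinds the way the commit message describes. */
static int failed_probe_underflows(int fixed)
{
    struct fbnic_net fbn = { 0 };
    struct fbnic_dev fbd = { .netdev = &fbn };
    underflows = 0;
    if (fbnic_phylink_create(fbd.netdev) && fixed)
        fbd.netdev = NULL;      /* free_netdev() + clear fbd->netdev, no PCS put */
    else
        fbnic_netdev_free(&fbd);
    return underflows;
}

int main(void)
{
    printf("old=%d fixed=%d\n", failed_probe_underflows(0), failed_probe_underflows(1));
    return 0;
}
```

The old unwind reports one extra put on the PCS for a single failed probe; the fixed unwind reports none, because the function that took the reference is the only one that drops it.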
..
accel drm for v7.1-rc1 2026-04-15 08:45:00 -07:00
accessibility
acpi ACPI support fixes for 7.1-rc1 2026-04-23 12:29:22 -07:00
amba
android Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
ata ata: pata_parport: switch to dynamic root device 2026-04-27 11:38:16 +02:00
atm net: remove unused ATM protocols and legacy ATM device drivers 2026-04-23 12:21:14 -07:00
auxdisplay
base regmap: Fixes for v7.1 2026-04-24 12:11:26 -07:00
bcma
block block-7.1-20260424 2026-04-24 15:06:55 -07:00
bluetooth Bluetooth: virtio_bt: validate rx pkt_type header length 2026-05-06 16:22:33 -04:00
bus Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
cache
cdrom
cdx
char Here are the accumulated fixes for 7.1-rc1 and a single structural worth of 2026-04-25 16:20:52 -07:00
clk One more fix for the merge window to avoid a boot hang on 2026-04-26 14:03:20 -07:00
clocksource
comedi Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
connector
counter Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
cpufreq Devicetree updates for v7.1: 2026-04-17 14:09:02 -07:00
cpuidle powerpc updates for 7.1 2026-04-14 17:10:15 -07:00
crypto crypto: ccp - copy IV using skcipher ivsize 2026-04-16 17:37:03 +08:00
cxl CXL changes for v7.1 2026-04-17 15:52:58 -07:00
dax dax changes for 7.1 2026-04-21 14:12:01 -07:00
dca
devfreq PM / devfreq: tegra30-devfreq: add support for Tegra114 2026-04-04 03:15:39 +09:00
dibs
dio
dma dmaengine updates for v7.1 2026-04-17 10:29:01 -07:00
dma-buf drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
dpll dpll: export __dpll_pin_change_ntf() for use under dpll_lock 2026-04-30 11:37:39 +02:00
edac - Add new AMD MCA bank names and types to the MCA code, preceded by a clean 2026-04-14 15:32:39 -07:00
eisa
extcon
firewire
firmware LoongArch changes for v7.1 2026-04-24 09:54:45 -07:00
fpga
fsi
fwctl fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal 2026-04-10 11:21:06 -03:00
gnss
gpib Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
gpio gpio fixes for v7.1-rc1 2026-04-24 11:59:46 -07:00
gpu drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
greybus greybus: gb-beagleplay: bound bootloader receive buffering 2026-04-02 15:55:09 +02:00
hid Input updates for v7.1-rc0 2026-04-22 18:36:40 -07:00
hsi HSI: omap_ssi_port: remove depends on ARM 2026-04-02 22:33:44 +02:00
hte hte: tegra194: Add Tegra264 GTE support 2026-04-12 23:29:31 -07:00
hv drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
hwmon hwmon updates for 7.1 2026-04-15 14:37:32 -07:00
hwspinlock hwspinlock: u8500: delete driver 2026-04-06 09:43:18 -05:00
hwtracing Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
i2c i2c-host for v7.1, part 2 2026-04-20 00:03:38 +02:00
i3c i3c: mipi-i3c-hci: fix IBI payload length calculation for final status 2026-04-12 22:06:02 +02:00
idle
iio Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
infiniband SCSI misc on 20260421 2026-04-21 08:22:18 -07:00
input Input updates for v7.1-rc0 2026-04-22 18:36:40 -07:00
interconnect This pull request contains the interconnect changes for the 7.1-rc1 2026-04-07 10:06:50 +02:00
iommu dma-mapping updates for Linux 7.0: 2026-04-17 11:12:42 -07:00
ipack
irqchip Arm: 2026-04-17 07:18:03 -07:00
leds leds: class: Make led_remove_lookup() NULL-aware 2026-04-09 13:49:19 +01:00
macintosh
mailbox mailbox: mailbox-test: make data_ready a per-instance variable 2026-04-18 13:10:14 -05:00
mcb
md - fix metadata corruption in dm-thin 2026-04-27 16:33:23 -07:00
media rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
memory dma-mapping updates for Linux 7.0: 2026-04-17 11:12:42 -07:00
memstick
message
mfd MFD for v7.1 2026-04-20 11:31:01 -07:00
misc Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
mmc mmc: sdhci-msm: Fix the wrapped key handling 2026-04-10 10:29:58 +02:00
most most: usb: Use kzalloc_objs for endpoint address array 2026-04-02 17:06:09 +02:00
mtd * MTD changes 2026-04-17 17:57:04 -07:00
mux Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
net eth: fbnic: fix double-free of PCS on phylink creation failure 2026-05-07 12:34:42 +02:00
nfc NFC: trf7970a: Ignore antenna noise when checking for RF field 2026-04-27 18:00:43 -07:00
ntb pci-v7.1-changes 2026-04-15 14:41:21 -07:00
nubus
nvdimm vfs-7.1-rc1.integrity 2026-04-13 10:40:26 -07:00
nvme for-7.1/io_uring-20260411 2026-04-13 16:22:30 -07:00
nvmem Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
of memblock: updates for 7.0-rc1 2026-04-18 11:29:14 -07:00
opp
parisc parisc: led: fix reference leak on failed device registration 2026-04-17 15:46:46 +02:00
parport parport: Remove completed item from to-do list 2026-04-02 17:05:56 +02:00
pci LoongArch changes for v7.1 2026-04-24 09:54:45 -07:00
pcmcia PCMCIA fixes and cleanups for v7.1 2026-04-23 11:22:16 -07:00
peci
perf arm64 updates for 7.1: 2026-04-14 16:48:56 -07:00
phy phy-for-7.1 2026-04-17 10:22:08 -07:00
pinctrl Pin control changes for the v7.1 kernel cycle: 2026-04-18 16:59:09 -07:00
platform platform-drivers-x86 for v7.1-1 2026-04-20 12:02:24 -07:00
pmdomain pmdomain: qcom: rpmhpd: Add power domains for Hawi SoC 2026-04-08 12:01:37 +02:00
pnp
power USB / Thunderbolt changes for 7.1-rc1 2026-04-19 08:47:40 -07:00
powercap powercap: intel_rapl: Consolidate PL4 and PMU support flags into rapl_defaults 2026-04-01 16:03:05 +02:00
pps pps: change pps_class to a const struct 2026-04-02 16:33:00 +02:00
ps3
ptp
pwm pwm: Two driver fixes 2026-04-23 08:37:07 -07:00
rapidio
ras
regulator regulator: Fix for v7.1 2026-04-24 13:06:25 -07:00
remoteproc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
resctrl arm64 updates for 7.1 (second round): 2026-04-20 16:46:22 -07:00
reset soc: late changes for 7.1 2026-04-23 08:57:24 -07:00
rpmsg rpmsg: Constify buffer passed to send API 2026-04-06 09:37:51 -05:00
rtc RTC for 7.1 2026-04-25 16:39:03 -07:00
s390 s390 updates for 7.1 merge window 2026-04-22 11:13:45 -07:00
sbus
scsi SCSI misc on 20260421 2026-04-21 08:22:18 -07:00
sh
siox
slimbus
soc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
soundwire soundwire updates for 7.1 2026-04-17 10:16:53 -07:00
spi spi: Fixes for v7.1 2026-04-24 13:16:36 -07:00
spmi
ssb
staging Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
target SCSI misc on 20260421 2026-04-21 08:22:18 -07:00
tc
tee soc: drivers for 7.1 2026-04-16 20:34:34 -07:00
thermal bitmap updates for v7.1 2026-04-14 08:55:18 -07:00
thunderbolt thunderbolt: Changes for v7.1 merge window 2026-04-10 13:10:28 +02:00
tty TTY/Serial changes for 7.1-rc1 2026-04-19 08:44:41 -07:00
ufs scsi: ufs: core: Disable timestamp for Kioxia THGJFJT0E25BAIP 2026-04-08 22:27:16 -04:00
uio uio: replace deprecated mmap hook with mmap_prepare in uio_info 2026-04-05 13:53:44 -07:00
usb SCSI misc on 20260421 2026-04-21 08:22:18 -07:00
vdpa vdpa: use generic driver_override infrastructure 2026-04-04 00:47:50 +02:00
vfio vfio/cdx: Consolidate MSI configured state onto cdx_irqs 2026-04-21 12:01:22 -06:00
vhost Including fixes from Netfilter. 2026-04-23 16:50:42 -07:00
video fbdev: hgafb: Request memory region before ioremap 2026-04-22 17:02:55 +02:00
virt tsm for 7.1 2026-04-26 09:51:29 -07:00
virtio mm.git review status for linus..mm-stable 2026-04-15 12:59:16 -07:00
w1 w1: ds2490: drop redundant device reference 2026-04-03 10:55:12 +02:00
watchdog watchdog: ni903x_wdt: Convert to a platform driver 2026-04-07 21:06:59 +02:00
xen xen/privcmd: fix double free via VMA splitting 2026-04-23 15:32:59 +02:00
zorro
Kconfig net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
Makefile net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00