On Sat, Jun 20, 2026 at 05:54:06AM +0000, [email protected] wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
> to consider:
> 
> Pre-existing issues:
> - [High] Preexisting error handling bug in XDP set path leaves apc->bpf_prog 
> pointing to a freed BPF program, leading to a Use-After-Free/Double Free.
> --
> 
> commit 425f6bf5274f2172e13cdc649ea2288d8dc1ad72
> Author: Erni Sri Satya Vennela <[email protected]>
> 
> net: mana: Fall back to standard MTU when PF reports adapter_mtu of 0
> 
> This commit fixes a regression for older PF firmware versions by allowing
> an adapter_mtu of 0 to fall back to the standard ETH_FRAME_LEN. It also
> updates MTU bounds checks for XDP limits.
> 
> > diff --git a/drivers/net/ethernet/microsoft/mana/mana_bpf.c 
> > b/drivers/net/ethernet/microsoft/mana/mana_bpf.c
> > index b5e9bb184a1dd..53308e139cbe9 100644
> > --- a/drivers/net/ethernet/microsoft/mana/mana_bpf.c
> > +++ b/drivers/net/ethernet/microsoft/mana/mana_bpf.c
> > @@ -237,7 +237,8 @@ static int mana_xdp_set(struct net_device *ndev, struct 
> > bpf_prog *prog,
> >             bpf_prog_put(old_prog);
> >  
> >     if (prog)
> > -           ndev->max_mtu = MANA_XDP_MTU_MAX;
> > +           ndev->max_mtu = min_t(unsigned int, MANA_XDP_MTU_MAX,
> > +                                 gc->adapter_mtu - ETH_HLEN);
> 
> [Severity: High]
> This isn't a bug introduced by this patch, but while reviewing the changes
> to mana_xdp_set(), I noticed a pre-existing issue on an error path earlier
> in this function.
> 
> Earlier in mana_xdp_set(), the program is assigned:
> 
>     apc->bpf_prog = prog;
> 
> If the port is up, it then allocates rx buffers:
> 
>     err = mana_pre_alloc_rxbufs(apc, ndev->mtu, apc->num_queues);
>     if (err) {
>         ...
>         return err;
>     }
> 
> If mana_pre_alloc_rxbufs() fails, it returns directly rather than jumping
> to the err_dealloc_rxbuffs label. This bypasses the cleanup step that
> restores apc->bpf_prog = old_prog.
> 
> Since the networking core frees the bpf program on error, does this leave
> apc->bpf_prog pointing to a freed program?
> 
> If mana_xdp_set() is called again later, could fetching old_prog lead to a
> use-after-free or double-free when calling bpf_prog_put(old_prog)?
> 
> >     else
> >             ndev->max_mtu = gc->adapter_mtu - ETH_HLEN;
> >
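
Review bot: `gc->adapter_mtu - ETH_HLEN` is evaluated in both the `if (prog)` and `else` branches with no visible guard that adapter_mtu is at least ETH_HLEN. The commit message says a reported adapter_mtu of 0 falls back to ETH_FRAME_LEN, but that fallback is not part of this hunk. If a zero or very small value could still reach this point, the subtraction drops below zero, `min_t(unsigned int, ...)` would then pick MANA_XDP_MTU_MAX, and the else branch would store the wrapped result in ndev->max_mtu. Please confirm the fallback is applied before mana_xdp_set() can run, and consider computing the bound once in a local variable so both branches share it.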
> 
> -- 
> Sashiko AI review · 
> https://sashiko.dev/#/patchset/[email protected]?part=1

I'll take this up in a different patch.

Thank you,
Vennela
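
The error path the quoted review describes, as an added user-space model that is not code from this thread or from the mana driver: all names are hypothetical, and the caller dropping its reference on error is an assumption taken from the review's question. `scenario()` counts puts on an already-freed program, with and without restoring the old pointer on failure.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model; struct and function names are hypothetical. */
struct prog { int refcnt; bool freed; int bad_puts; };
struct port { struct prog *bpf_prog; };

static void prog_put(struct prog *p)
{
	if (!p)
		return;
	if (p->freed) {			/* in a kernel: use-after-free / double free */
		p->bad_puts++;
		return;
	}
	if (--p->refcnt == 0)
		p->freed = true;	/* stand-in for the real free */
}

/* alloc_fails simulates the rx buffer pre-allocation failing. */
static int xdp_set(struct port *pc, struct prog *prog, bool alloc_fails,
		   bool restore)
{
	struct prog *old = pc->bpf_prog;

	pc->bpf_prog = prog;
	if (alloc_fails) {
		if (restore)		/* hardened path: undo the assignment */
			pc->bpf_prog = old;
		return -ENOMEM;		/* buggy path returns with prog still set */
	}
	prog_put(old);
	return 0;
}

/* Assumed caller behaviour: drop the new program's reference on error. */
static int install(struct port *pc, struct prog *prog, bool fails, bool restore)
{
	int err = xdp_set(pc, prog, fails, restore);

	if (err)
		prog_put(prog);
	return err;
}

/* Returns how many times a freed program was put. */
static int scenario(bool restore)
{
	struct prog a = { .refcnt = 1 }, b = { .refcnt = 1 };
	struct port pc = { NULL };

	install(&pc, &a, true, restore);	/* first attach fails, a is freed */
	install(&pc, &b, false, restore);	/* second attach puts the old pointer */
	return a.bad_puts;
}
```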
