CVE-2026-43276

In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix double destroy_workqueue on service rescan PCI path

While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path.

When manaservreset() calls managdsuspend(), managdcleanup() destroys gc->servicewq. If the subsequent managdresume() fails with -ETIMEDOUT or -EPROTO, the code falls through to manaservrescan() which triggers pcistopandremovebusdevice(). This invokes the PCI .remove callback (managdremove), which calls managdcleanup() a second time, attempting to destroy the already- freed workqueue. Fix this by NULL-checking gc->servicewq in managd_cleanup() and setting it to NULL after destruction.

Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] managdcleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] managdremove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pcideviceremove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] deviceremove+0x46/0x70 [Sat Feb 21 18:53:48 2026] devicereleasedriverinternal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] devicereleasedriver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pcistopbusdevice+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pcistopandremovebusdevice+0x13/0x30 [Sat Feb 21 18:53:48 2026] manadoservice+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] manaservfunc+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] processonework+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfxworkerthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfxkthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] retfrom_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfxkthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] retfromforkasm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK>