priv is netdev private data and it cannot be
used after free_netdev() call. Using priv after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
Signed-off-by: Pavel Skripkin <[email protected]>
---
drivers/net/ethernet/ti/tlan.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c
index 0b2ce4bdc2c3..e0cb713193ea 100644
--- a/drivers/net/ethernet/ti/tlan.c
+++ b/drivers/net/ethernet/ti/tlan.c
@@ -313,9 +313,8 @@ static void tlan_remove_one(struct pci_dev *pdev)
pci_release_regions(pdev);
#endif
- free_netdev(dev);
-
cancel_work_sync(&priv->tlan_tqueue);
+ free_netdev(dev);
}
static void tlan_start(struct net_device *dev)
--
2.32.0
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Fri, 9 Jul 2021 17:58:29 +0300 you wrote:
> priv is netdev private data and it cannot be
> used after free_netdev() call. Using priv after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() at the end of the
> function.
>
> Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
> Signed-off-by: Pavel Skripkin <[email protected]>
>
> [...]
Here is the summary with links:
- net: ti: fix UAF in tlan_remove_one
https://git.kernel.org/netdev/net/c/0336f8ffece6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html