adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
Signed-off-by: Pavel Skripkin <[email protected]>
---
drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
index 8543bf3c3484..ad655f0a4965 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac.c
@@ -735,12 +735,13 @@ static int emac_remove(struct platform_device *pdev)
put_device(&adpt->phydev->mdio.dev);
mdiobus_unregister(adpt->mii_bus);
- free_netdev(netdev);
if (adpt->phy.digital)
iounmap(adpt->phy.digital);
iounmap(adpt->phy.base);
+ free_netdev(netdev);
+
return 0;
}
--
2.32.0
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Fri, 9 Jul 2021 17:24:18 +0300 you wrote:
> adpt is netdev private data and it cannot be
> used after free_netdev() call. Using adpt after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() at the end of the
> function.
>
> Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
> Signed-off-by: Pavel Skripkin <[email protected]>
>
> [...]
Here is the summary with links:
- net: qcom/emac: fix UAF in emac_remove
https://git.kernel.org/netdev/net/c/ad297cd2db89
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <[email protected]> wrote:
>
> adpt is netdev private data and it cannot be
> used after free_netdev() call. Using adpt after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() at the end of the
> function.
Please spell out what "UAF" means, thanks. If you fix that, then
Acked-by: Timur Tabi <[email protected]>
Thanks.
On Sat, 10 Jul 2021 00:02:26 -0500
Timur Tabi <[email protected]> wrote:
> On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <[email protected]>
> wrote:
> >
> > adpt is netdev private data and it cannot be
> > used after free_netdev() call. Using adpt after free_netdev()
> > can cause UAF bug. Fix it by moving free_netdev() at the end of the
> > function.
>
> Please spell out what "UAF" means, thanks. If you fix that, then
>
> Acked-by: Timur Tabi <[email protected]>
>
> Thanks.
Hi, Timur!
Thank you for feedback.
David has already applied this pacth. So, should I send v2 or maybe
revert + v2? I haven't been in such situations yet :)
With regards,
Pavel Skripkin
On Sat, Jul 10, 2021 at 1:57 AM Pavel Skripkin <[email protected]> wrote:
> David has already applied this pacth. So, should I send v2 or maybe
> revert + v2? I haven't been in such situations yet :)
No, don't worry about it.