fp is netdev private data and it cannot be
used after free_netdev() call. Using fp after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() after error message.
Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700
TURBOchannel adapter")
Signed-off-by: Pavel Skripkin <[email protected]>
---
drivers/net/fddi/defza.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/fddi/defza.c b/drivers/net/fddi/defza.c
index 14f07050b6b1..0de2c4552f5e 100644
--- a/drivers/net/fddi/defza.c
+++ b/drivers/net/fddi/defza.c
@@ -1504,9 +1504,8 @@ static int fza_probe(struct device *bdev)
release_mem_region(start, len);
err_out_kfree:
- free_netdev(dev);
-
pr_err("%s: initialization failure, aborting!\n", fp->name);
+ free_netdev(dev);
return ret;
}
--
2.32.0
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Tue, 13 Jul 2021 13:58:53 +0300 you wrote:
> fp is netdev private data and it cannot be
> used after free_netdev() call. Using fp after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() after error message.
>
> Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700
> TURBOchannel adapter")
> Signed-off-by: Pavel Skripkin <[email protected]>
>
> [...]
Here is the summary with links:
- net: fddi: fix UAF in fza_probe
https://git.kernel.org/netdev/net/c/deb7178eb940
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
On Tue, 13 Jul 2021, Pavel Skripkin wrote:
> fp is netdev private data and it cannot be
> used after free_netdev() call. Using fp after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() after error message.
Can you justify the lines for a better layout? The paragraph looks odd
to me in its current form.
> Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700
> TURBOchannel adapter")
> Signed-off-by: Pavel Skripkin <[email protected]>
Otherwise LGTM. And a good catch, thank you!
Reviewed-by: Maciej W. Rozycki <[email protected]>
Maciej