From: Vivien Didelot
To: Florian Fainelli, netdev@vger.kernel.org
Cc: Florian Fainelli, Andrew Lunn, "David S. Miller", open list
Subject: Re: [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind
In-Reply-To: <20170603050523.27014-1-f.fainelli@gmail.com>
References: <20170603050523.27014-1-f.fainelli@gmail.com>
Date: Sat, 03 Jun 2017 13:50:01 -0400
Message-ID: <87r2z1c65y.fsf@weeman.i-did-not-set--mail-host-address--so-tickle-me>

Hi Florian,

Florian Fainelli writes:

> Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> replaced the use of dst->ds[0] with dst->cpu_switch since that is
> functionally equivalent, however, we can now run into a use after free
> scenario after unbinding then rebinding the switch driver.
>
> The use after free happens because we do correctly initialize
> dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
> unbind the driver: dsa_dst_unapply() is called, and we rebind again.
> dst->cpu_switch now points to a freed "ds" structure, and so when we
> finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.
>
> To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
> which guarantees that we always correctly re-assign dst->cpu_switch in
> dsa_cpu_parse().
>
> Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> Signed-off-by: Florian Fainelli

Reviewed-by: Vivien Didelot

Thanks!

        Vivien
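The bind/unbind/rebind sequence in the commit message above, as an added userspace illustration that is not part of this thread and not the kernel's DSA code. The toy_tree/toy_switch structs, the toy_* functions and the slot pool are constructed stand-ins for dst->cpu_switch, dsa_cpu_parse(), dsa_dst_apply() and dsa_dst_unapply(); the only property they reproduce is the one the message relies on, namely that cpu_parse assigns cpu_switch only when it is still unset, so a dangling value left behind by unapply survives the rebind. The pool replaces malloc/free so nothing freed is ever dereferenced and the second probe never reuses the slot that was just released, which would otherwise hide the bug by accident.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for dsa_switch / dsa_switch_tree; not the kernel's definitions. */
struct toy_switch {
    int index;
};

struct toy_tree {
    struct toy_switch *ds[1];        /* switches in the tree (one is enough here) */
    struct toy_switch *cpu_switch;   /* the switch that hosts the CPU port */
};

/*
 * A tiny slot pool instead of malloc/free: "freed" memory is never
 * dereferenced (no undefined behaviour), and round-robin allocation
 * guarantees a re-probe lands on a different slot than the one released.
 */
#define POOL_SLOTS 4
static struct toy_switch pool[POOL_SLOTS];
static bool pool_live[POOL_SLOTS];
static int pool_next;

static struct toy_switch *toy_alloc(void)
{
    struct toy_switch *ds = &pool[pool_next];
    pool_live[pool_next] = true;
    pool_next = (pool_next + 1) % POOL_SLOTS;
    return ds;
}

static void toy_free(struct toy_switch *ds)
{
    pool_live[ds - pool] = false;
}

/* True only while the slot behind ds is still allocated. */
bool toy_is_live(const struct toy_switch *ds)
{
    return ds != NULL && pool_live[ds - pool];
}

/* Mirrors what the commit message says about dsa_cpu_parse(): cpu_switch is
 * assigned only when still unset, so a stale non-NULL value is left alone. */
static void toy_cpu_parse(struct toy_tree *dst, struct toy_switch *ds)
{
    if (!dst->cpu_switch)
        dst->cpu_switch = ds;
}

/* bind: probe one switch and let cpu_parse pick the CPU switch */
static void toy_apply(struct toy_tree *dst)
{
    struct toy_switch *ds = toy_alloc();
    ds->index = 0;
    dst->ds[0] = ds;
    toy_cpu_parse(dst, ds);
}

/* unbind: release the switch; with `fixed` the dangling reference is cleared too */
static void toy_unapply(struct toy_tree *dst, bool fixed)
{
    toy_free(dst->ds[0]);
    dst->ds[0] = NULL;
    if (fixed)
        dst->cpu_switch = NULL;   /* the one-line change the patch makes */
}

/* Bind, unbind, rebind, then report whether cpu_switch refers to the live switch. */
bool cpu_switch_valid_after_rebind(bool fixed)
{
    struct toy_tree dst = { { NULL }, NULL };

    toy_apply(&dst);
    toy_unapply(&dst, fixed);
    toy_apply(&dst);              /* second probe: the first switch is already gone */

    bool valid = toy_is_live(dst.cpu_switch) && dst.cpu_switch == dst.ds[0];

    toy_unapply(&dst, true);      /* clean up so the pool is consistent for the next call */
    return valid;
}

int main(void)
{
    printf("without fix: cpu_switch is %s\n",
           cpu_switch_valid_after_rebind(false) ? "valid" : "STALE (would oops on dereference)");
    printf("with fix:    cpu_switch is %s\n",
           cpu_switch_valid_after_rebind(true) ? "valid" : "STALE");
    return 0;
}
```

Without the NULL assignment the second probe leaves cpu_switch pointing at the slot released by the first unbind, which is exactly the dereference in dsa_cpu_port_ethtool_setup() that the message says oopses; clearing the pointer in unapply forces cpu_parse to take its assignment branch again on rebind. The general lesson is that any teardown path which frees an object must also clear every cached pointer to it that outlives the teardown.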