From: David Miller
Date: Sun, 04 Jun 2017 22:57:40 -0400 (EDT)
To: f.fainelli@gmail.com
Cc: netdev@vger.kernel.org, andrew@lunn.ch, vivien.didelot@savoirfairelinux.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] net: dsa: Fix stale cpu_switch reference after unbind then bind
Message-Id: <20170604.225740.1710058828586611741.davem@davemloft.net>
In-Reply-To: <20170603050523.27014-1-f.fainelli@gmail.com>
References: <20170603050523.27014-1-f.fainelli@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Florian Fainelli
Date: Fri, 2 Jun 2017 22:05:23 -0700

> Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> replaced the use of dst->ds[0] with dst->cpu_switch since that is
> functionally equivalent, however, we can now run into a use after free
> scenario after unbinding then rebinding the switch driver.
>
> The use after free happens because we do correctly initialize
> dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
> unbind the driver: dsa_dst_unapply() is called, and we rebind again.
> dst->cpu_switch now points to a freed "ds" structure, and so when we
> finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.
>
> To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
> which guarantees that we always correctly re-assign dst->cpu_switch in
> dsa_cpu_parse().
>
> Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
> Signed-off-by: Florian Fainelli

Applied and queued up for -stable, thanks.
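The sequence the commit message describes (probe, unbind, re-probe, then a dereference of the pointer left over from the first probe) is easy to reproduce in a small model. The following is an added illustration written for this thread, not kernel code: the struct and function names mimic DSA's, but the slot pool, the "alive" flag and rebind_cycle() are constructed here so the stale pointer can be detected instead of dereferenced (which would be undefined behaviour). It also assumes that dsa_cpu_parse() only assigns dst->cpu_switch when it is still NULL, which is what makes the NULL reset in dsa_dst_unapply() sufficient as the fix; that assumption is taken from the commit's own reasoning ("guarantees that we always correctly re-assign").

```c
/* Added model of the stale dst->cpu_switch reference after unbind/rebind.
 * Not kernel code: names mirror DSA's for readability, the slot pool and
 * the "alive" flag are constructed so a freed switch is detectable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 8

struct dsa_switch {              /* stands in for the kernel's "ds" */
    int index;
    bool alive;                  /* constructed: false once "freed" */
};

struct dsa_switch_tree {         /* stands in for "dst" */
    struct dsa_switch *ds[1];
    struct dsa_switch *cpu_switch;
};

/* Constructed bump allocator: every allocation gets a fresh slot, so a
 * pointer into an old slot stays distinguishable from the new object. */
static struct dsa_switch slots[MAX_SLOTS];
static int next_slot;

static struct dsa_switch *ds_alloc(int index)
{
    struct dsa_switch *ds = &slots[next_slot++ % MAX_SLOTS];
    ds->index = index;
    ds->alive = true;
    return ds;
}

static void ds_free(struct dsa_switch *ds)
{
    ds->alive = false;           /* stands in for kfree() */
}

/* Assumed pattern: cpu_switch is assigned only while it is NULL, so a
 * stale non-NULL value left from an earlier probe is never overwritten. */
static void dsa_cpu_parse(struct dsa_switch_tree *dst, struct dsa_switch *ds)
{
    if (!dst->cpu_switch)
        dst->cpu_switch = ds;
}

static void dsa_dst_apply(struct dsa_switch_tree *dst)
{
    dst->ds[0] = ds_alloc(0);
    dsa_cpu_parse(dst, dst->ds[0]);
}

/* clear_cpu_switch == false models the code before the fix;
 * true models the fix (dst->cpu_switch = NULL on unapply). */
static void dsa_dst_unapply(struct dsa_switch_tree *dst, bool clear_cpu_switch)
{
    ds_free(dst->ds[0]);
    dst->ds[0] = NULL;
    if (clear_cpu_switch)
        dst->cpu_switch = NULL;
}

/* Where the kernel would dereference dst->cpu_switch (for example in
 * dsa_cpu_port_ethtool_setup()); here we only report whether that is safe. */
static bool cpu_switch_is_live(const struct dsa_switch_tree *dst)
{
    return dst->cpu_switch != NULL && dst->cpu_switch->alive;
}

/* Probe, unbind, re-probe. Returns true when cpu_switch refers to the
 * switch allocated by the second probe, false when it is stale. */
bool rebind_cycle(bool fixed)
{
    struct dsa_switch_tree dst;

    next_slot = 0;
    memset(&dst, 0, sizeof(dst));

    dsa_dst_apply(&dst);             /* first probe: cpu_switch set */
    dsa_dst_unapply(&dst, fixed);    /* unbind: ds freed */
    dsa_dst_apply(&dst);             /* rebind: new ds, parse runs again */

    return cpu_switch_is_live(&dst) && dst.cpu_switch == dst.ds[0];
}

int main(void)
{
    printf("before fix: cpu_switch valid after rebind? %s\n",
           rebind_cycle(false) ? "yes" : "no (stale)");
    printf("after fix:  cpu_switch valid after rebind? %s\n",
           rebind_cycle(true) ? "yes" : "no (stale)");
    return 0;
}
```

Without the reset, the second dsa_cpu_parse() sees a non-NULL cpu_switch and leaves it pointing at the freed slot; with the reset it is re-assigned to the new switch. A KASAN-enabled kernel would flag the real dereference at the first use after rebind, which is the practical way to confirm this class of bug in a driver's unbind/bind path.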