Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2729041pxv; Mon, 12 Jul 2021 00:04:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxRQ7XsZaKGWfnSAz7eIHs4FcPdo+/eyLtj33zDPLPdvk0M+HVqNxv410YvkB+MRvhy/+VD X-Received: by 2002:a05:6602:2bdc:: with SMTP id s28mr23732123iov.70.1626073442934; Mon, 12 Jul 2021 00:04:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626073442; cv=none; d=google.com; s=arc-20160816; b=NbPXCo5X+OPG0i/nDgUOZeHlWgo+mUwUui7QkjCNa1/ZKr8Z7JJ3UG17T7ytzlOZiN zUaV01/zFqkwz83aS8r5X+1D1m47urXR8ZZ5HUSK2Tl75yE/zt+lGCbUVIWmfmacydFG M87oS6vFdc1kiw3iEQCoHHyPeSgB4EOPnFq/bNfO7DArZl/gbA0Jy32VorKG9KLCJNCZ um596jR4ka+GHAjgh4AMHyq1KHk79fHMXJ7Mou6RMQa2X44KVX0XPmJbe+yL7agHXyK1 93fCGLPYy7WSLb/I5/Vvox+nP1TREWiO3boaha1aR1qkoNwlTR3GjAjtC1jc3LJhbrkV LUmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=p+D5OeF+afHIHqGdD2eCSjnpECTus0YNf4E93JUDFec=; b=AF+2F2XcD4C2RQGeshg3pax3JqaPqLw9fp6COEq1BFV/tETgiGl4HjYQ3enLdh/m5a fzExhIS5BPAAnFUq4IDYmmkmEjJkKl1RlbHtnvKaCZgl5/AHex8FG+pwcEqhMIK+BN/s kcucpL7STL/8zGxx3INjl2JmDSuEDRQZ3VmANqeIe9aK2DTQ2yZyhXTa2G7969W/2Hav tPu9YpsqQu6iX8CfTvA/CguKja2qs/rpd0SwUCP0lcFSaHh4ECZS5mBC6zomL1PcH9gU YOcKLDdrIK3jqfgVSNgeCJKvIU9O8Ud0OjAO0l3hyR+x4uC7B1umu9b5tInfv/twQtTl IVyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=t1sXGgT0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m19si18056008jav.63.2021.07.12.00.03.50; Mon, 12 Jul 2021 00:04:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=t1sXGgT0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241558AbhGLHDy (ORCPT + 99 others); Mon, 12 Jul 2021 03:03:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:44976 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237943AbhGLGqr (ORCPT ); Mon, 12 Jul 2021 02:46:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 680326113A; Mon, 12 Jul 2021 06:42:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626072139; bh=easLhoSpdHPweHz9NCe+8HiANKFsHD4QA0BvtHtT0VM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=t1sXGgT0Ahx4WvUdMmnTgjbkvlWGbTmhheAuqGji4siE/DEFBZTEV9Y7fzRvnp8eW jkwIhL9aUThNTafihmf1A8ZP/eZGF/Vb6XY5Gbs5jLDw2MP7ISK5X7b9tiF62yABv2 Hxwe+rtFRL3i5limj8yJBMWVxdOtd2cWNDLF+Y0U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 370/593] net: ethernet: aeroflex: fix UAF in greth_of_remove Date: Mon, 12 Jul 2021 08:08:50 +0200 Message-Id: <20210712060927.391496588@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060843.180606720@linuxfoundation.org> References: <20210712060843.180606720@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Skripkin [ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ] static int greth_of_remove(struct platform_device *of_dev) { ... struct greth_private *greth = netdev_priv(ndev); ... unregister_netdev(ndev); free_netdev(ndev); of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); ... } greth is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing greth pointer. So, fix it by moving free_netdev() after of_iounmap() call. Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/aeroflex/greth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c index 9c5891bbfe61..f4f50b3a472e 100644 --- a/drivers/net/ethernet/aeroflex/greth.c +++ b/drivers/net/ethernet/aeroflex/greth.c @@ -1539,10 +1539,11 @@ static int greth_of_remove(struct platform_device *of_dev) mdiobus_unregister(greth->mdio); unregister_netdev(ndev); - free_netdev(ndev); of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); + free_netdev(ndev); + return 0; } -- 2.30.2