Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3787052pxv; Mon, 19 Jul 2021 08:44:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzZFYB+x/39iwjz/vUlf2JRi72nhXEDRIu2E/qBvdm24/aID81qz/E5Ysok11hsBouaZveV X-Received: by 2002:aa7:d8c6:: with SMTP id k6mr35380565eds.374.1626709457858; Mon, 19 Jul 2021 08:44:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626709457; cv=none; d=google.com; s=arc-20160816; b=R28x1Go3YEm6H3cIoEvsm5L6JS6fA85vE8OikOZdIozvZ+YJcPkK9Bu72BFW5xkfsO aYQVLEjKbVgVnSPQ6SDrIkwk2TOFkIlccknMTWSH5KEMs3EL4Nu7wqZXO1Z/0x/DIudE wmx8K2Zplm4Te7z03CGKJlhqbh38YfOjVXfASSaOTLo8NzJD/bheJPOVzmX+tQAvZCzT 6NgPCRs5WZ3oYU8qk2T5RNNL+yV1svr7p5PER5TRCLlYyIHhWjvfK+2xoXn0h3BytouT o0yJNCLh9Pjk+F8wl6a1v2sTludzYXAenjHB2/pxLVKyrssedoSgT4uWQzYi3N2MqxKS w/iQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=EjnO7uWY2QFsgputb4rQ1nbyrewMWh8Up5tv0Rp42O4=; b=V/Di8aeW7pHCfHedfOicW5OjXJG4aoAaNfJ5xXKv0ducrtzYLbej9IjP8aOzIiHrZg y81GegOJ0a1tfU9mrUCTbTePjAu42An/352zsLri9MNJzu0nzyM7/JQxcX0u4CBVdZ2z sbQ9tThVGPk0nZkyV8+uBc31y5K6l9pYLp7z/En3KLJJXDr135iNElOmhl/sMEPXy4U3 KoK4/tYLjwjmstIUMHPbdo6PCgMOjd332b2irq+SMN3K2lf7aDLQ5nZ5XESNYJ7blWt1 OoS6Z6DwA8CpwqlZVjAfZL/IjUkfxXWHQYN5v1DNZxohc5/Adzn9RMXvySCgH/SCM0w2 F3kw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bYRoh1A1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b1si22310830edx.272.2021.07.19.08.43.54; Mon, 19 Jul 2021 08:44:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bYRoh1A1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345345AbhGSPBc (ORCPT + 99 others); Mon, 19 Jul 2021 11:01:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:56372 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245732AbhGSOj0 (ORCPT ); Mon, 19 Jul 2021 10:39:26 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 613C9611ED; Mon, 19 Jul 2021 15:18:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626707934; bh=41LjCZkoFw8j9KodFlAdJLBRM03BI3Og3dUoeeKipZA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bYRoh1A1w2kStG8gD/wgmt4A7qATvfHgYFMFUzXgabTxkghIl0wT/w5iXO/5uYY91 PGsVWLgj50uIfuE+6jHGM5HyTijrGrTVFJzwA5eMxkK0548VjlP1cSB8nFWF5/7dr9 H3Tjdio3nGfMOy+KndldFzcOt0WweSpD2pIJpRFU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , "David S. Miller" , Sasha Levin Subject: [PATCH 4.14 107/315] net: ethernet: aeroflex: fix UAF in greth_of_remove Date: Mon, 19 Jul 2021 16:49:56 +0200 Message-Id: <20210719144946.392340113@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144942.861561397@linuxfoundation.org> References: <20210719144942.861561397@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Skripkin [ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ] static int greth_of_remove(struct platform_device *of_dev) { ... struct greth_private *greth = netdev_priv(ndev); ... unregister_netdev(ndev); free_netdev(ndev); of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); ... } greth is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing greth pointer. So, fix it by moving free_netdev() after of_iounmap() call. Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/aeroflex/greth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c index 4309be3724ad..a20e95b39cf7 100644 --- a/drivers/net/ethernet/aeroflex/greth.c +++ b/drivers/net/ethernet/aeroflex/greth.c @@ -1546,10 +1546,11 @@ static int greth_of_remove(struct platform_device *of_dev) mdiobus_unregister(greth->mdio); unregister_netdev(ndev); - free_netdev(ndev); of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); + free_netdev(ndev); + return 0; } -- 2.30.2