Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5952095pxb;
        Mon, 14 Feb 2022 11:31:55 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxgEN6w+PhevUosPlRwpxbTlJVIvH6GQ8f1wjNup9fBysU3EjXlaxtpX2A6zIkBprycIhaX
X-Received: by 2002:aa7:8394:: with SMTP id u20mr552364pfm.85.1644867115184;
        Mon, 14 Feb 2022 11:31:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1644867115; cv=none;
        d=google.com; s=arc-20160816;
        b=XQlG6V1mz1k5ptdz9Zk7eUaNIljSgelqDUy4J+pUauMVbJwkk0iINSJpJi0a4hqs2j
         rk6+AFhRXzV1aK3xauMrqKSlkDCR7hsgPFGWWpGL8Ldcp92V7QvBtZa81koYQYGCeWqf
         Fz3H/oEl7wBTEh+gQd+9R7DwxFkhsebcFE5JR18Dozkq4hrYtxDAU8tiLCNyJnk2KZBd
         eJAN0z3HoPbYTfOS885XL3Ufyp79ryEjWnKewkJoJN3vq/gRMlYeYT1Z0AGy89O6IpCM
         mHocY/+iGzuElDwpeAawF2g4S/MMPvsXEJEwn7+GqGn6c34O3b26Cu3txqqa3HMkCIdP
         VN2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=al6PD1NsPcmqP6UWX2QHrAGgaYDw8CPLQaKGdmPTDm4=;
        b=ENe9XnKACC/OO3Mm87ac7mTOtnNSWdl+Fm5vFG2RR6Ey7IdUe4LNGhlfCwjdIm7j2g
         WnEvDgmuncZ5yo+tNWfBSoj5ZhO0qcAswfaTDA/G0AbsLjd360mOK3xU5CmAQ5V4cf1j
         98x3zp4mzdNmnN+Fpz0fu5GKIbUGgzGRSwm2W3F6Lgw0hooZXr1UYFZMSeYbDy0GEBP1
         TrIuW1FmJVXKoqu22CytzKNIEEidJbDn2vTS0QdZHhEpJAhI7xcYXIIw8gwoK4s2PnmA
         qx1AHGbUflFFgR/TUUBoTlDPKOHB1GqcbD4H2X0jx7UVQXkc7Sph3d1xaKsGzfnwQ+8F
         cMEg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Vl4MQTyh;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id n14si11820721plc.385.2022.02.14.11.31.54
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Feb 2022 11:31:55 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Vl4MQTyh;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id A62DF2AD4;
	Mon, 14 Feb 2022 11:20:18 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231646AbiBNJyp (ORCPT <rfc822;andrew.melo@gmail.com>
        + 99 others); Mon, 14 Feb 2022 04:54:45 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:60738 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1344190AbiBNJve (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Feb 2022 04:51:34 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADA3A69481;
        Mon, 14 Feb 2022 01:42:37 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 36D58B80DA9;
        Mon, 14 Feb 2022 09:42:36 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6AA4BC340F0;
        Mon, 14 Feb 2022 09:42:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1644831755;
        bh=wtFwdW9jsRjiSqdfyCsgNjsrqeSzJXPvR8e564Zrr1g=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Vl4MQTyh644652cWTFXtffQjbokiwSC+Oncy1Au7ZJeWSyVoFYMMwDobLCWyBYu+1
         V+MfkQT2MUyS3H/asTQhAEtc85KrCSHyo/Q5gsBUMkS40K2hUeHatGVg86Qh4AUCWF
         4ZbQxjbA1Fpzamqs/qpESbnWAtctUUCV5zwHBiwY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Rafael Richter <rafael.richter@gin.de>,
        Vladimir Oltean <vladimir.oltean@nxp.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 086/116] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
Date:   Mon, 14 Feb 2022 10:26:25 +0100
Message-Id: <20220214092501.737937599@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220214092458.668376521@linuxfoundation.org>
References: <20220214092458.668376521@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 51a04ebf21122d5c76a716ecd9bfc33ea44b2b39 ]

Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
will free the memory backing the mdio_bus as well. Therefore, the
mdio_bus->list element is freed memory, but we continue to iterate
through the list of MDIO buses using that list element.

To fix this, use the proper list iterator that handles element deletion
by keeping a copy of the list element next pointer.

Fixes: f53a2ce893b2 ("net: dsa: mv88e6xxx: don't use devres for mdiobus")
Reported-by: Rafael Richter <rafael.richter@gin.de>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://lore.kernel.org/r/20220210174017.3271099-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 9b451b820d7a6..1992be77522ac 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3122,10 +3122,10 @@ static int mv88e6xxx_mdio_register(struct mv88e6xxx_chip *chip,
 static void mv88e6xxx_mdios_unregister(struct mv88e6xxx_chip *chip)
 
 {
-	struct mv88e6xxx_mdio_bus *mdio_bus;
+	struct mv88e6xxx_mdio_bus *mdio_bus, *p;
 	struct mii_bus *bus;
 
-	list_for_each_entry(mdio_bus, &chip->mdios, list) {
+	list_for_each_entry_safe(mdio_bus, p, &chip->mdios, list) {
 		bus = mdio_bus->bus;
 
 		if (!mdio_bus->external)
-- 
2.34.1