From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Rafael Richter, Vladimir Oltean, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.10 086/116] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
Date: Mon, 14 Feb 2022 10:26:25 +0100
Message-Id: <20220214092501.737937599@linuxfoundation.org>
In-Reply-To: <20220214092458.668376521@linuxfoundation.org>
References: <20220214092458.668376521@linuxfoundation.org>

From: Vladimir Oltean

[ Upstream commit 51a04ebf21122d5c76a716ecd9bfc33ea44b2b39 ]

Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
will free the memory backing the mdio_bus as well. Therefore, the
mdio_bus->list element is freed memory, but we continue to iterate
through the list of MDIO buses using that list element.

To fix this, use the proper list iterator that handles element deletion
by keeping a copy of the list element next pointer.

Fixes: f53a2ce893b2 ("net: dsa: mv88e6xxx: don't use devres for mdiobus")
Reported-by: Rafael Richter
Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220210174017.3271099-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c index 9b451b820d7a6..1992be77522ac 100644 --- a/drivers/net/dsa/mv88e6xxx/chip.c +++ b/drivers/net/dsa/mv88e6xxx/chip.c @@ -3122,10 +3122,10 @@ static int mv88e6xxx_mdio_register(struct mv88e6xxx_chip *chip, static void mv88e6xxx_mdios_unregister(struct mv88e6xxx_chip *chip) { - struct mv88e6xxx_mdio_bus *mdio_bus; + struct mv88e6xxx_mdio_bus *mdio_bus, *p; struct mii_bus *bus; - list_for_each_entry(mdio_bus, &chip->mdios, list) { + list_for_each_entry_safe(mdio_bus, p, &chip->mdios, list) { bus = mdio_bus->bus; if (!mdio_bus->external) -- 2.34.1
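
Review bot: The loop in mv88e6xxx_mdios_unregister() now depends on list_for_each_entry_safe(), but nothing at the loop says why, so a later cleanup could switch it back to the plain iterator. A short comment above the loop noting that mdiobus_free(bus) also frees mdio_bus, because mdio_bus is bus->priv, would record the constraint where it matters. The cursor name `p` gives no hint that it holds the saved next entry; a more descriptive name would help. The visible context stops at `if (!mdio_bus->external)`, so this hunk does not show whether entries are unlinked from chip->mdios before they are freed; if they are not, the list head still references freed entries once the loop ends and should be emptied or reinitialised.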
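
The failure mode the commit message describes, as an added userspace example (not kernel code and not part of the patch): the list node lives inside the object being freed, so the plain iterator reads `next` from freed memory while the safe form saves it first. All names (`fake_bus`, `fake_priv`, `fake_bus_free`, `read_next`, `unregister_all`) are constructed, and the "free" only sets a flag so the stale reads can be counted instead of triggering undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is constructed for this example. */
struct list_head { struct list_head *next, *prev; };
struct fake_bus;
struct fake_priv { struct fake_bus *bus; struct list_head list; }; /* role of struct mv88e6xxx_mdio_bus */
struct fake_bus { int freed; struct fake_priv priv; };  /* role of struct mii_bus; priv shares its allocation */
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

/* Models mdiobus_free(): sets a flag and keeps the storage, so stale reads are counted, not UB. */
static void fake_bus_free(struct fake_bus *bus) { bus->freed = 1; }

/* Fetch pos->next as the iterator would, counting reads from freed entries. */
static struct list_head *read_next(struct list_head *pos, struct list_head *head, int *stale)
{
    if (pos != head && container_of(pos, struct fake_priv, list)->bus->freed)
        (*stale)++;
    return pos->next;
}

/* Build and tear down nbuses entries; returns the number of reads of freed memory. */
int unregister_all(int nbuses, int safe)
{
    struct fake_bus buses[8] = {0};
    struct list_head head = { &head, &head }, *pos, *n = &head;
    int i, stale = 0;
    for (i = 0; i < nbuses && i < 8; i++) {      /* list_add_tail() equivalent */
        struct list_head *e = &buses[i].priv.list;
        buses[i].priv.bus = &buses[i];
        e->prev = head.prev; e->next = &head;
        head.prev->next = e; head.prev = e;
    }
    for (pos = read_next(&head, &head, &stale); pos != &head; pos = n) {
        struct fake_bus *bus = container_of(pos, struct fake_priv, list)->bus;
        if (safe)
            n = read_next(pos, &head, &stale);   /* next saved before the free */
        fake_bus_free(bus);
        if (!safe)
            n = read_next(pos, &head, &stale);   /* reads the freed element */
    }
    return stale;
}

int main(void)
{
    printf("plain: %d stale reads, safe: %d\n", unregister_all(3, 0), unregister_all(3, 1));
    return 0;
}
```

In a real kernel the stale read is what KASAN reports as a use-after-free; here it is only counted.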