From: Jianglei Nie
To: davem@davemloft.net, kuba@kernel.org, caihuoqing@baidu.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jianglei Nie
Subject: [PATCH] net: arc_emac: Fix use after free in arc_mdio_probe()
Date: Tue, 8 Mar 2022 19:10:05 +0800
Message-Id: <20220308111005.4953-1-niejianglei2021@163.com>

If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free
the "bus". But bus->name is still used in the next line, which will lead
to a use after free.

We can fix it by putting the bus->name in a local variable and then use
the name in the error message without referring to bus to avoid the uaf.

Signed-off-by: Jianglei Nie

--- drivers/net/ethernet/arc/emac_mdio.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c index 9acf589b1178..33fd63d227ef 100644 --- a/drivers/net/ethernet/arc/emac_mdio.c +++ b/drivers/net/ethernet/arc/emac_mdio.c
@@ -134,6 +134,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) struct device_node *np = priv->dev->of_node; struct mii_bus *bus; int error; + const char *name = "Synopsys MII Bus"; bus = mdiobus_alloc(); if (!bus) @@ -142,7 +143,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) priv->bus = bus; bus->priv = priv; bus->parent = priv->dev; - bus->name = "Synopsys MII Bus"; + bus->name = name; bus->read = &arc_mdio_read; bus->write = &arc_mdio_write; bus->reset = &arc_mdio_reset; @@ -167,7 +168,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) if (error) { mdiobus_free(bus); return dev_err_probe(priv->dev, error, - "cannot register MDIO bus %s\n", bus->name); + "cannot register MDIO bus %s\n", name); } return 0; -- 2.25.1
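
Review bot: In the first hunk (the declarations at the top of arc_mdio_probe()), the new `const char *name = "Synopsys MII Bus";` is appended after `int error;`, which breaks the longest-to-shortest ordering netdev asks for in local variable declarations. Move it between `struct device_node *np = priv->dev->of_node;` and `struct mii_bus *bus;` so the block stays in reverse Christmas tree order.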
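
Review bot: In the second hunk, the context line `priv->bus = bus;` stores the pointer before registration, and the error branch in the last hunk calls `mdiobus_free(bus)` without clearing it, so `priv->bus` still points at freed memory after a failed probe. The patch removes the `bus->name` read but leaves that stale pointer in place; consider setting `priv->bus = NULL` right after the free, or state in the commit message that nothing touches `priv->bus` once arc_mdio_probe() has returned an error.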
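
Review bot: In the error branch of the last hunk, the use after free comes purely from ordering: `mdiobus_free(bus)` runs before `dev_err_probe()` reads `bus->name`. Logging first and freeing afterwards (`dev_err_probe(priv->dev, error, "cannot register MDIO bus %s\n", bus->name); mdiobus_free(bus); return error;`) fixes it in one place, without the extra local and without touching the `bus->name` assignment in the second hunk. If the local is kept, a short comment at the `mdiobus_free(bus)` call noting that `bus` must not be dereferenced past that point would help the next reader.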