| Message ID | 20210907202958.692166-1-ztong0001@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [v1] net: macb: fix use after free on rmmod | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 5 of 5 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 2 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 14 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 2 this patch: 0 |
| netdev/header_inline | success | Link |
On 07/09/2021 at 22:29, Tong Zhang wrote: > plat_dev->dev->platform_data is released by platform_device_unregister(), > use of pclk and hclk is use after free. This patch keeps a copy to fix > the issue. > > [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] > [ 31.275563] Freed by task 306: > [ 30.276782] platform_device_release+0x25/0x80 > > Signed-off-by: Tong Zhang <ztong0001@gmail.com> > --- > drivers/net/ethernet/cadence/macb_pci.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c > index 8b7b59908a1a..4dd0cec2e542 100644 > --- a/drivers/net/ethernet/cadence/macb_pci.c > +++ b/drivers/net/ethernet/cadence/macb_pci.c > @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev) > { > struct platform_device *plat_dev = pci_get_drvdata(pdev); > struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); > + struct clk *pclk = plat_data->pclk; > + struct clk *hclk = plat_data->hclk; > > platform_device_unregister(plat_dev); > - clk_unregister(plat_data->pclk); > - clk_unregister(plat_data->hclk); > + clk_unregister(pclk); > + clk_unregister(hclk); NACK, I would prefer that you switch lines and do clock clk unregister before: this way we avoid the problem and I think that you don't need clocks for unregistering the platform device anyway. Please change accordingly or tell me what could go bad. Regards, Nicolas > } > > static const struct pci_device_id dev_id_table[] = { > -- > 2.25.1 >
Thanks Nicolas, sent a v2 as suggested. - Tong On Wed, Sep 8, 2021 at 12:27 AM <Nicolas.Ferre@microchip.com> wrote: > > On 07/09/2021 at 22:29, Tong Zhang wrote: > > plat_dev->dev->platform_data is released by platform_device_unregister(), > > use of pclk and hclk is use after free. This patch keeps a copy to fix > > the issue. > > > > [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] > > [ 31.275563] Freed by task 306: > > [ 30.276782] platform_device_release+0x25/0x80 > > > > Signed-off-by: Tong Zhang <ztong0001@gmail.com> > > --- > > drivers/net/ethernet/cadence/macb_pci.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c > > index 8b7b59908a1a..4dd0cec2e542 100644 > > --- a/drivers/net/ethernet/cadence/macb_pci.c > > +++ b/drivers/net/ethernet/cadence/macb_pci.c > > @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev) > > { > > struct platform_device *plat_dev = pci_get_drvdata(pdev); > > struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); > > + struct clk *pclk = plat_data->pclk; > > + struct clk *hclk = plat_data->hclk; > > > > platform_device_unregister(plat_dev); > > - clk_unregister(plat_data->pclk); > > - clk_unregister(plat_data->hclk); > > + clk_unregister(pclk); > > + clk_unregister(hclk); > > NACK, I would prefer that you switch lines and do clock clk unregister > before: this way we avoid the problem and I think that you don't need > clocks for unregistering the platform device anyway. > > Please change accordingly or tell me what could go bad. > > Regards, > Nicolas > > > > } > > > > static const struct pci_device_id dev_id_table[] = { > > -- > > 2.25.1 > > > > > -- > Nicolas Ferre
diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c index 8b7b59908a1a..4dd0cec2e542 100644 --- a/drivers/net/ethernet/cadence/macb_pci.c +++ b/drivers/net/ethernet/cadence/macb_pci.c @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev) { struct platform_device *plat_dev = pci_get_drvdata(pdev); struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); + struct clk *pclk = plat_data->pclk; + struct clk *hclk = plat_data->hclk; platform_device_unregister(plat_dev); - clk_unregister(plat_data->pclk); - clk_unregister(plat_data->hclk); + clk_unregister(pclk); + clk_unregister(hclk); } static const struct pci_device_id dev_id_table[] = {
plat_dev->dev->platform_data is released by platform_device_unregister(), use of pclk and hclk is use after free. This patch keeps a copy to fix the issue. [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] [ 31.275563] Freed by task 306: [ 30.276782] platform_device_release+0x25/0x80 Signed-off-by: Tong Zhang <ztong0001@gmail.com> --- drivers/net/ethernet/cadence/macb_pci.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)