Message ID | 20210908190232.573178-1-ztong0001@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | d82d5303c4c539db86588ffb5dc5b26c3f1513e8 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [v2] net: macb: fix use after free on rmmod | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/subject_prefix | warning | Target tree name not specified in the subject |
netdev/cc_maintainers | success | CCed 5 of 5 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 2 this patch: 0 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 10 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 2 this patch: 0 |
netdev/header_inline | success | Link |
On 08/09/2021 at 21:02, Tong Zhang wrote: > EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe > > plat_dev->dev->platform_data is released by platform_device_unregister(), > use of pclk and hclk is a use-after-free. Since device unregister won't > need a clk device we adjust the function call sequence to fix this issue. > > [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] > [ 31.275563] Freed by task 306: > [ 30.276782] platform_device_release+0x25/0x80 > > Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com> > Signed-off-by: Tong Zhang <ztong0001@gmail.com> Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com> Thanks Tong Zhang. Regards, Nicolas > --- > v2: switch lines to fix the issue instead > > drivers/net/ethernet/cadence/macb_pci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c > index 8b7b59908a1a..f66d22de5168 100644 > --- a/drivers/net/ethernet/cadence/macb_pci.c > +++ b/drivers/net/ethernet/cadence/macb_pci.c > @@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev) > struct platform_device *plat_dev = pci_get_drvdata(pdev); > struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); > > - platform_device_unregister(plat_dev); > clk_unregister(plat_data->pclk); > clk_unregister(plat_data->hclk); > + platform_device_unregister(plat_dev); > } > > static const struct pci_device_id dev_id_table[] = { > -- > 2.25.1 >
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Wed, 8 Sep 2021 12:02:32 -0700 you wrote: > plat_dev->dev->platform_data is released by platform_device_unregister(), > use of pclk and hclk is a use-after-free. Since device unregister won't > need a clk device we adjust the function call sequence to fix this issue. > > [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] > [ 31.275563] Freed by task 306: > [ 30.276782] platform_device_release+0x25/0x80 > > [...] Here is the summary with links: - [v2] net: macb: fix use after free on rmmod https://git.kernel.org/netdev/net/c/d82d5303c4c5 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c index 8b7b59908a1a..f66d22de5168 100644 --- a/drivers/net/ethernet/cadence/macb_pci.c +++ b/drivers/net/ethernet/cadence/macb_pci.c @@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev) struct platform_device *plat_dev = pci_get_drvdata(pdev); struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); - platform_device_unregister(plat_dev); clk_unregister(plat_data->pclk); clk_unregister(plat_data->hclk); + platform_device_unregister(plat_dev); } static const struct pci_device_id dev_id_table[] = {
plat_dev->dev->platform_data is released by platform_device_unregister(), use of pclk and hclk is a use-after-free. Since device unregister won't need a clk device we adjust the function call sequence to fix this issue. [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] [ 31.275563] Freed by task 306: [ 30.276782] platform_device_release+0x25/0x80 Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com> Signed-off-by: Tong Zhang <ztong0001@gmail.com> --- v2: switch lines to fix the issue instead drivers/net/ethernet/cadence/macb_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)