diff mbox series

[v2] net: macb: fix use after free on rmmod

Message ID 20210908190232.573178-1-ztong0001@gmail.com (mailing list archive)
State Accepted
Commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8
Delegated to: Netdev Maintainers
Headers show
Series [v2] net: macb: fix use after free on rmmod | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 2 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 0
netdev/header_inline success Link

Commit Message

Tong Zhang Sept. 8, 2021, 7:02 p.m. UTC
plat_dev->dev->platform_data is released by platform_device_unregister(),
use of pclk and hclk is a use-after-free. Since device unregister won't
need a clk device we adjust the function call sequence to fix this issue.

[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
[   31.275563] Freed by task 306:
[   30.276782]  platform_device_release+0x25/0x80

Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
v2: switch lines to fix the issue instead

 drivers/net/ethernet/cadence/macb_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Nicolas Ferre Sept. 9, 2021, 7:53 a.m. UTC | #1
On 08/09/2021 at 21:02, Tong Zhang wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
> 
> plat_dev->dev->platform_data is released by platform_device_unregister(),
> use of pclk and hclk is a use-after-free. Since device unregister won't
> need a clk device we adjust the function call sequence to fix this issue.
> 
> [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
> [   31.275563] Freed by task 306:
> [   30.276782]  platform_device_release+0x25/0x80
> 
> Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>
> Signed-off-by: Tong Zhang <ztong0001@gmail.com>

Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>

Thanks Tong Zhang.
Regards,
   Nicolas

> ---
> v2: switch lines to fix the issue instead
> 
>   drivers/net/ethernet/cadence/macb_pci.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
> index 8b7b59908a1a..f66d22de5168 100644
> --- a/drivers/net/ethernet/cadence/macb_pci.c
> +++ b/drivers/net/ethernet/cadence/macb_pci.c
> @@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev)
>          struct platform_device *plat_dev = pci_get_drvdata(pdev);
>          struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
> 
> -       platform_device_unregister(plat_dev);
>          clk_unregister(plat_data->pclk);
>          clk_unregister(plat_data->hclk);
> +       platform_device_unregister(plat_dev);
>   }
> 
>   static const struct pci_device_id dev_id_table[] = {
> --
> 2.25.1
>
patchwork-bot+netdevbpf@kernel.org Sept. 9, 2021, 10 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed,  8 Sep 2021 12:02:32 -0700 you wrote:
> plat_dev->dev->platform_data is released by platform_device_unregister(),
> use of pclk and hclk is a use-after-free. Since device unregister won't
> need a clk device we adjust the function call sequence to fix this issue.
> 
> [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
> [   31.275563] Freed by task 306:
> [   30.276782]  platform_device_release+0x25/0x80
> 
> [...]

Here is the summary with links:
  - [v2] net: macb: fix use after free on rmmod
    https://git.kernel.org/netdev/net/c/d82d5303c4c5

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
index 8b7b59908a1a..f66d22de5168 100644
--- a/drivers/net/ethernet/cadence/macb_pci.c
+++ b/drivers/net/ethernet/cadence/macb_pci.c
@@ -111,9 +111,9 @@  static void macb_remove(struct pci_dev *pdev)
 	struct platform_device *plat_dev = pci_get_drvdata(pdev);
 	struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
 
-	platform_device_unregister(plat_dev);
 	clk_unregister(plat_data->pclk);
 	clk_unregister(plat_data->hclk);
+	platform_device_unregister(plat_dev);
 }
 
 static const struct pci_device_id dev_id_table[] = {