diff mbox series

[1/2] net: fec: fix use-after-free in fec_drv_remove

Message ID 25ad9ae695546c0ce23edb25cb2a67575cbda26b.1628091954.git.paskripkin@gmail.com (mailing list archive)
State Accepted
Commit 44712965bf12ae1758cec4de53816ed4b914ca1a
Delegated to: Netdev Maintainers
Headers show
Series net: fix use-after-free bugs | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link

Commit Message

Pavel Skripkin Aug. 4, 2021, 3:51 p.m. UTC
Smatch says:
	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);

Since fep pointer is netdev private data, accessing it after free_netdev()
call can cause use-after-free bug. Fix it by moving free_netdev() call at
the end of the function

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/net/ethernet/freescale/fec_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Joakim Zhang Aug. 5, 2021, 2:24 a.m. UTC | #1
> -----Original Message-----
> From: Pavel Skripkin <paskripkin@gmail.com>
> Sent: 2021年8月4日 23:52
> To: davem@davemloft.net; kuba@kernel.org; Joakim Zhang
> <qiangqing.zhang@nxp.com>; hslester96@gmail.com; fugang.duan@nxp.com
> Cc: dan.carpenter@oracle.com; netdev@vger.kernel.org;
> linux-kernel@vger.kernel.org; Pavel Skripkin <paskripkin@gmail.com>
> Subject: [PATCH 1/2] net: fec: fix use-after-free in fec_drv_remove
> 
> Smatch says:
> 	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error:
> Using fep after free_{netdev,candev}(ndev);
> 	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error:
> Using fep after free_{netdev,candev}(ndev);
> 
> Since fep pointer is netdev private data, accessing it after free_netdev() call can
> cause use-after-free bug. Fix it by moving free_netdev() call at the end of the
> function
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
Thanks.

Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>

Best Regards,
Joakim Zhang
diff mbox series

Patch

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 8aea707a65a7..7e4c4980ced7 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3843,13 +3843,13 @@  fec_drv_remove(struct platform_device *pdev)
 	if (of_phy_is_fixed_link(np))
 		of_phy_deregister_fixed_link(np);
 	of_node_put(fep->phy_node);
-	free_netdev(ndev);
 
 	clk_disable_unprepare(fep->clk_ahb);
 	clk_disable_unprepare(fep->clk_ipg);
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
+	free_netdev(ndev);
 	return 0;
 }