| Message ID | 20210709142418.453-1-paskripkin@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | ad297cd2db8953e2202970e9504cab247b6c7cb4 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: qcom/emac: fix UAF in emac_remove | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 4 of 4 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 14 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Fri, 9 Jul 2021 17:24:18 +0300 you wrote: > adpt is netdev private data and it cannot be > used after free_netdev() call. Using adpt after free_netdev() > can cause UAF bug. Fix it by moving free_netdev() at the end of the > function. > > Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev") > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> > > [...] Here is the summary with links: - net: qcom/emac: fix UAF in emac_remove https://git.kernel.org/netdev/net/c/ad297cd2db89 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <paskripkin@gmail.com> wrote: > > adpt is netdev private data and it cannot be > used after free_netdev() call. Using adpt after free_netdev() > can cause UAF bug. Fix it by moving free_netdev() at the end of the > function. Please spell out what "UAF" means, thanks. If you fix that, then Acked-by: Timur Tabi <timur@kernel.org> Thanks.
On Sat, 10 Jul 2021 00:02:26 -0500 Timur Tabi <timur@kernel.org> wrote: > On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <paskripkin@gmail.com> > wrote: > > > > adpt is netdev private data and it cannot be > > used after free_netdev() call. Using adpt after free_netdev() > > can cause UAF bug. Fix it by moving free_netdev() at the end of the > > function. > > Please spell out what "UAF" means, thanks. If you fix that, then > > Acked-by: Timur Tabi <timur@kernel.org> > > Thanks. Hi, Timur! Thank you for feedback. David has already applied this pacth. So, should I send v2 or maybe revert + v2? I haven't been in such situations yet :) With regards, Pavel Skripkin
On Sat, Jul 10, 2021 at 1:57 AM Pavel Skripkin <paskripkin@gmail.com> wrote: > David has already applied this pacth. So, should I send v2 or maybe > revert + v2? I haven't been in such situations yet :) No, don't worry about it.
diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c index 8543bf3c3484..ad655f0a4965 100644 --- a/drivers/net/ethernet/qualcomm/emac/emac.c +++ b/drivers/net/ethernet/qualcomm/emac/emac.c @@ -735,12 +735,13 @@ static int emac_remove(struct platform_device *pdev) put_device(&adpt->phydev->mdio.dev); mdiobus_unregister(adpt->mii_bus); - free_netdev(netdev); if (adpt->phy.digital) iounmap(adpt->phy.digital); iounmap(adpt->phy.base); + free_netdev(netdev); + return 0; }
adpt is netdev private data and it cannot be used after free_netdev() call. Using adpt after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)