[1/2] net: fec: fix use-after-free in fec_drv_remove

Message ID	25ad9ae695546c0ce23edb25cb2a67575cbda26b.1628091954.git.paskripkin@gmail.com (mailing list archive)
State	Accepted
Commit	44712965bf12ae1758cec4de53816ed4b914ca1a
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Pavel Skripkin <paskripkin@gmail.com> To: davem@davemloft.net, kuba@kernel.org, qiangqing.zhang@nxp.com, hslester96@gmail.com, fugang.duan@nxp.com Cc: dan.carpenter@oracle.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com> Subject: [PATCH 1/2] net: fec: fix use-after-free in fec_drv_remove Date: Wed, 4 Aug 2021 18:51:51 +0300 Message-Id: <25ad9ae695546c0ce23edb25cb2a67575cbda26b.1628091954.git.paskripkin@gmail.com> In-Reply-To: <cover.1628091954.git.paskripkin@gmail.com> References: <cover.1628091954.git.paskripkin@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	net: fix use-after-free bugs \| expand [0/2] net: fix use-after-free bugs [1/2] net: fec: fix use-after-free in fec_drv_remove [2/2] net: vxge: fix use-after-free in vxge_device_unregister

Message ID

25ad9ae695546c0ce23edb25cb2a67575cbda26b.1628091954.git.paskripkin@gmail.com (mailing list archive)

State

Accepted

Commit

44712965bf12ae1758cec4de53816ed4b914ca1a

Delegated to:

Netdev Maintainers

Headers

show

Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E8C52C4338F
	for <netdev@archiver.kernel.org>; Wed,  4 Aug 2021 15:52:12 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id C97BA60FC4
	for <netdev@archiver.kernel.org>; Wed,  4 Aug 2021 15:52:12 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239548AbhHDPwX (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Wed, 4 Aug 2021 11:52:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46210 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233230AbhHDPwW (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 4 Aug 2021 11:52:22 -0400
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com
 [IPv6:2a00:1450:4864:20::131])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 06CBDC0613D5;
        Wed,  4 Aug 2021 08:52:09 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id c24so1966453lfi.11;
        Wed, 04 Aug 2021 08:52:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=LOerQFZ0jK8/gKUx7F6VWzq+EmsyF6Mh3+2EWyBwV7k=;
        b=WxflTTjBUcRlekTmCCDw38zuvU4FNXPHhQjcZ7jbxeVORh5S85vqOYRllxyWYgS7Zg
         vxfaf3QBRh7yOO5gxN76nvOiaGtXeh7K2QCJH/C7098CRiVup0TXdyJodFhPctFSclmt
         2JDdCpe3Kskg1PwPo9Ksiad01ocnHZn96FE+FvEglegL60NCXxi3JR05VOwZvGI7iZ8X
         VN5VJKQoXegCc28K4oTADbzUUpUtS1Yjfb59hOpZxnn859XaLVQ7wPHjqu4qi19GKQJD
         an9ocK/KzADhJZdapLbWtE7BbaEfhkU+m0p8QXxmE6d5T5gR3xTHJGS8C+Jl1pNXgCZ2
         AIjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=LOerQFZ0jK8/gKUx7F6VWzq+EmsyF6Mh3+2EWyBwV7k=;
        b=RdmF9CJcMqLAOMuo2d1eiacyg1qvT3M72rFpiAchQcLj9crAUpX9YOfYrGi7CINHY9
         jnbpzUqgNR6wMaq+/jURMxiB5nRsSsvyLQJEZNydV6pQFUhU6h3S9VJbnu8SbH0Akak+
         j0m53eDeg3eDazq/EIgHiKF6EAzk1iGb7FoGm7erEy2oUfHT7OP3n820OOJplCqjNMQ2
         AQvn7Yl7v8ROGx0PjCBq8bBX0MxkxIrS4bImZkIATYxxbh8fr2iOHGsW0DUBf8KuFbA4
         8LG7NFfXT6wAOVx8Ox8HDX2wxIpFoOKmPoZr3sveVK3Lx+mYQEHQnxk62i7CtU6QEQ4K
         1IWA==
X-Gm-Message-State: AOAM533v7sRQJwwurneXZBpESGk1b9BBJJPQJoG+dKj3J/j7dSexrujx
        auTXJo5jUsqNWmnReCOZD5k=
X-Google-Smtp-Source: 
 ABdhPJzsrxxqWvViyKle7Uk8+V1sK5RIVOnDfRgeJB9MD8pBmOEK6S3CmL9y00EWnS5fH33BS3UbeQ==
X-Received: by 2002:a05:6512:3b89:: with SMTP id
 g9mr21267607lfv.96.1628092327374;
        Wed, 04 Aug 2021 08:52:07 -0700 (PDT)
Received: from localhost.localdomain ([94.103.226.235])
        by smtp.gmail.com with ESMTPSA id o8sm231658lfu.25.2021.08.04.08.52.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 04 Aug 2021 08:52:06 -0700 (PDT)
From: Pavel Skripkin <paskripkin@gmail.com>
To: davem@davemloft.net, kuba@kernel.org, qiangqing.zhang@nxp.com,
        hslester96@gmail.com, fugang.duan@nxp.com
Cc: dan.carpenter@oracle.com, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com>
Subject: [PATCH 1/2] net: fec: fix use-after-free in fec_drv_remove
Date: Wed,  4 Aug 2021 18:51:51 +0300
Message-Id: 
 <25ad9ae695546c0ce23edb25cb2a67575cbda26b.1628091954.git.paskripkin@gmail.com>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <cover.1628091954.git.paskripkin@gmail.com>
References: <cover.1628091954.git.paskripkin@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Series

net: fix use-after-free bugs | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cc_maintainers	success	CCed 6 of 6 maintainers
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/header_inline	success	Link

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cc_maintainers

success

CCed 6 of 6 maintainers

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

success

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 14 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/header_inline

success

Link

Commit Message

Pavel Skripkin Aug. 4, 2021, 3:51 p.m. UTC

Smatch says:
	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);

Since fep pointer is netdev private data, accessing it after free_netdev()
call can cause use-after-free bug. Fix it by moving free_netdev() call at
the end of the function

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/net/ethernet/freescale/fec_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Joakim Zhang Aug. 5, 2021, 2:24 a.m. UTC | #1

> -----Original Message-----
> From: Pavel Skripkin <paskripkin@gmail.com>
> Sent: 2021年8月4日 23:52
> To: davem@davemloft.net; kuba@kernel.org; Joakim Zhang
> <qiangqing.zhang@nxp.com>; hslester96@gmail.com; fugang.duan@nxp.com
> Cc: dan.carpenter@oracle.com; netdev@vger.kernel.org;
> linux-kernel@vger.kernel.org; Pavel Skripkin <paskripkin@gmail.com>
> Subject: [PATCH 1/2] net: fec: fix use-after-free in fec_drv_remove
> 
> Smatch says:
> 	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error:
> Using fep after free_{netdev,candev}(ndev);
> 	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error:
> Using fep after free_{netdev,candev}(ndev);
> 
> Since fep pointer is netdev private data, accessing it after free_netdev() call can
> cause use-after-free bug. Fix it by moving free_netdev() call at the end of the
> function
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
Thanks.

Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>

Best Regards,
Joakim Zhang

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 8aea707a65a7..7e4c4980ced7 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3843,13 +3843,13 @@  fec_drv_remove(struct platform_device *pdev)
 	if (of_phy_is_fixed_link(np))
 		of_phy_deregister_fixed_link(np);
 	of_node_put(fep->phy_node);
-	free_netdev(ndev);
 
 	clk_disable_unprepare(fep->clk_ahb);
 	clk_disable_unprepare(fep->clk_ipg);
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
+	free_netdev(ndev);
 	return 0;
 }