net: qcom/emac: fix UAF in emac_remove

Message ID	20210709142418.453-1-paskripkin@gmail.com
State	New
Headers	show Return-Path: <netdev-owner@kernel.org> From: Pavel Skripkin <paskripkin@gmail.com> To: timur@kernel.org, davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Skripkin <paskripkin@gmail.com> Subject: [PATCH] net: qcom/emac: fix UAF in emac_remove Date: Fri, 9 Jul 2021 17:24:18 +0300 Message-Id: <20210709142418.453-1-paskripkin@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	net: qcom/emac: fix UAF in emac_remove \| expand net: qcom/emac: fix UAF in emac_remove

Message ID

20210709142418.453-1-paskripkin@gmail.com

State

New

Headers

From: Pavel Skripkin <paskripkin@gmail.com>
To: timur@kernel.org, davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pavel Skripkin <paskripkin@gmail.com>
Subject: [PATCH] net: qcom/emac: fix UAF in emac_remove
Date: Fri,  9 Jul 2021 17:24:18 +0300
Message-Id: <20210709142418.453-1-paskripkin@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

net: qcom/emac: fix UAF in emac_remove | expand

Commit Message

Pavel Skripkin July 9, 2021, 2:24 p.m. UTC

adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.

Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Timur Tabi July 10, 2021, 5:02 a.m. UTC | #1

On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> adpt is netdev private data and it cannot be
> used after free_netdev() call. Using adpt after free_netdev()
> can cause UAF bug. Fix it by moving free_netdev() at the end of the
> function.

Please spell out what "UAF" means, thanks.  If you fix that, then

Acked-by: Timur Tabi <timur@kernel.org>

Thanks.

Pavel Skripkin July 10, 2021, 6:57 a.m. UTC | #2

On Sat, 10 Jul 2021 00:02:26 -0500
Timur Tabi <timur@kernel.org> wrote:

> On Fri, Jul 9, 2021 at 9:24 AM Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> >
> > adpt is netdev private data and it cannot be
> > used after free_netdev() call. Using adpt after free_netdev()
> > can cause UAF bug. Fix it by moving free_netdev() at the end of the
> > function.
> 
> Please spell out what "UAF" means, thanks.  If you fix that, then
> 
> Acked-by: Timur Tabi <timur@kernel.org>
> 
> Thanks.

Hi, Timur!

Thank you for feedback. 


David has already applied this pacth. So, should I send v2 or maybe
revert + v2? I haven't been in such situations yet :)




With regards,
Pavel Skripkin

diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
index 8543bf3c3484..ad655f0a4965 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac.c
@@ -735,12 +735,13 @@  static int emac_remove(struct platform_device *pdev)
 
 	put_device(&adpt->phydev->mdio.dev);
 	mdiobus_unregister(adpt->mii_bus);
-	free_netdev(netdev);
 
 	if (adpt->phy.digital)
 		iounmap(adpt->phy.digital);
 	iounmap(adpt->phy.base);
 
+	free_netdev(netdev);
+
 	return 0;
 }

net: qcom/emac: fix UAF in emac_remove

Commit Message

Comments

Patch