[v1] net: macb: fix use after free on rmmod

plat_dev->dev->platform_data is released by platform_device_unregister(),
use of pclk and hclk is use after free. This patch keeps a copy to fix
the issue.

[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
[   31.275563] Freed by task 306:
[   30.276782]  platform_device_release+0x25/0x80

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
 drivers/net/ethernet/cadence/macb_pci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

On 07/09/2021 at 22:29, Tong Zhang wrote:
> plat_dev->dev->platform_data is released by platform_device_unregister(),

> use of pclk and hclk is use after free. This patch keeps a copy to fix

> the issue.

> 

> [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]

> [   31.275563] Freed by task 306:

> [   30.276782]  platform_device_release+0x25/0x80

> 

> Signed-off-by: Tong Zhang <ztong0001@gmail.com>

> ---

>   drivers/net/ethernet/cadence/macb_pci.c | 6 ++++--

>   1 file changed, 4 insertions(+), 2 deletions(-)

> 

> diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c

> index 8b7b59908a1a..4dd0cec2e542 100644

> --- a/drivers/net/ethernet/cadence/macb_pci.c

> +++ b/drivers/net/ethernet/cadence/macb_pci.c

> @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev)

>   {

>          struct platform_device *plat_dev = pci_get_drvdata(pdev);

>          struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);

> +       struct clk *pclk = plat_data->pclk;

> +       struct clk *hclk = plat_data->hclk;

> 

>          platform_device_unregister(plat_dev);

> -       clk_unregister(plat_data->pclk);

> -       clk_unregister(plat_data->hclk);

> +       clk_unregister(pclk);

> +       clk_unregister(hclk);


NACK, I  would prefer that you switch lines and do clock clk unregister 
before: this way we avoid the problem and I think that you don't need 
clocks for unregistering the platform device anyway.

Please change accordingly or tell me what could go bad.

Regards,
   Nicolas


>   }

> 

>   static const struct pci_device_id dev_id_table[] = {

> --

> 2.25.1

> 



-- 
Nicolas Ferre

Thanks Nicolas, sent a v2 as suggested.
- Tong

On Wed, Sep 8, 2021 at 12:27 AM <Nicolas.Ferre@microchip.com> wrote:
>

> On 07/09/2021 at 22:29, Tong Zhang wrote:

> > plat_dev->dev->platform_data is released by platform_device_unregister(),

> > use of pclk and hclk is use after free. This patch keeps a copy to fix

> > the issue.

> >

> > [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]

> > [   31.275563] Freed by task 306:

> > [   30.276782]  platform_device_release+0x25/0x80

> >

> > Signed-off-by: Tong Zhang <ztong0001@gmail.com>

> > ---

> >   drivers/net/ethernet/cadence/macb_pci.c | 6 ++++--

> >   1 file changed, 4 insertions(+), 2 deletions(-)

> >

> > diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c

> > index 8b7b59908a1a..4dd0cec2e542 100644

> > --- a/drivers/net/ethernet/cadence/macb_pci.c

> > +++ b/drivers/net/ethernet/cadence/macb_pci.c

> > @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev)

> >   {

> >          struct platform_device *plat_dev = pci_get_drvdata(pdev);

> >          struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);

> > +       struct clk *pclk = plat_data->pclk;

> > +       struct clk *hclk = plat_data->hclk;

> >

> >          platform_device_unregister(plat_dev);

> > -       clk_unregister(plat_data->pclk);

> > -       clk_unregister(plat_data->hclk);

> > +       clk_unregister(pclk);

> > +       clk_unregister(hclk);

>

> NACK, I  would prefer that you switch lines and do clock clk unregister

> before: this way we avoid the problem and I think that you don't need

> clocks for unregistering the platform device anyway.

>

> Please change accordingly or tell me what could go bad.

>

> Regards,

>    Nicolas

>

>

> >   }

> >

> >   static const struct pci_device_id dev_id_table[] = {

> > --

> > 2.25.1

> >

>

>

> --

> Nicolas Ferre

On 08/09/2021 at 21:02, Tong Zhang wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe

> 

> plat_dev->dev->platform_data is released by platform_device_unregister(),

> use of pclk and hclk is a use-after-free. Since device unregister won't

> need a clk device we adjust the function call sequence to fix this issue.

> 

> [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]

> [   31.275563] Freed by task 306:

> [   30.276782]  platform_device_release+0x25/0x80

> 

> Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>

> Signed-off-by: Tong Zhang <ztong0001@gmail.com>


Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>


Thanks Tong Zhang.
Regards,
   Nicolas

> ---

> v2: switch lines to fix the issue instead

> 

>   drivers/net/ethernet/cadence/macb_pci.c | 2 +-

>   1 file changed, 1 insertion(+), 1 deletion(-)

> 

> diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c

> index 8b7b59908a1a..f66d22de5168 100644

> --- a/drivers/net/ethernet/cadence/macb_pci.c

> +++ b/drivers/net/ethernet/cadence/macb_pci.c

> @@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev)

>          struct platform_device *plat_dev = pci_get_drvdata(pdev);

>          struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);

> 

> -       platform_device_unregister(plat_dev);

>          clk_unregister(plat_data->pclk);

>          clk_unregister(plat_data->hclk);

> +       platform_device_unregister(plat_dev);

>   }

> 

>   static const struct pci_device_id dev_id_table[] = {

> --

> 2.25.1

> 



-- 
Nicolas Ferre