* [PATCH net] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
@ 2022-02-10 17:40 Vladimir Oltean
  2022-02-10 20:00 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 2+ messages in thread
From: Vladimir Oltean @ 2022-02-10 17:40 UTC (permalink / raw)
  To: netdev
  Cc: Florian Fainelli, Andrew Lunn, Vivien Didelot, Vladimir Oltean,
	David S. Miller, Jakub Kicinski, Rafael Richter, Daniel Klauer

Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
will free the memory backing the mdio_bus as well. Therefore, the
mdio_bus->list element is freed memory, but we continue to iterate
through the list of MDIO buses using that list element.

To fix this, use the proper list iterator that handles element deletion
by keeping a copy of the list element next pointer.

Fixes: f53a2ce893b2 ("net: dsa: mv88e6xxx: don't use devres for mdiobus")
Reported-by: Rafael Richter <rafael.richter@gin.de>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
---
 drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 08311b5b9602..5344d0c0647e 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3616,10 +3616,10 @@ static int mv88e6xxx_mdio_register(struct mv88e6xxx_chip *chip,
 static void mv88e6xxx_mdios_unregister(struct mv88e6xxx_chip *chip)
 
 {
-	struct mv88e6xxx_mdio_bus *mdio_bus;
+	struct mv88e6xxx_mdio_bus *mdio_bus, *p;
 	struct mii_bus *bus;
 
-	list_for_each_entry(mdio_bus, &chip->mdios, list) {
+	list_for_each_entry_safe(mdio_bus, p, &chip->mdios, list) {
 		bus = mdio_bus->bus;
 
 		if (!mdio_bus->external)
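
Review bot: the second cursor `p` added to the declaration line gives no hint of its role, and nothing at the list_for_each_entry_safe() call records why the safe variant is required. Naming it `next` or `tmp` and adding a one-line comment that mdiobus_free(bus) also frees mdio_bus (it is bus->priv) would keep a later cleanup from converting the loop back to list_for_each_entry(). Note also that the _safe iterator only protects the traversal itself: the visible lines do not show whether each entry is unlinked with list_del(), and if it is not, chip->mdios still points at freed nodes once the loop finishes, so the head should be reinitialised or never walked again after this function.
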
-- 
2.25.1
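
The failure mode described in the commit message, as a userspace C model (an added example, not code from this patch or the kernel tree). The names `fake_bus`, `bus_priv`, `bus_add`, `buses_unregister` and `demo` are constructed for illustration; the list helpers are simplified stand-ins for the kernel's.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's list_head and container_of();
 * every name in this file is constructed for the example. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) \
	((type *)((char *)(p) - offsetof(type, member)))

struct bus_priv {                 /* role of struct mv88e6xxx_mdio_bus */
	struct list_head list;
	struct fake_bus *bus;
};
struct fake_bus { struct bus_priv priv; }; /* priv shares the bus allocation */

static int bus_add(struct list_head *head)
{
	struct fake_bus *b = calloc(1, sizeof(*b));
	if (!b)
		return -1;
	b->priv.bus = b;
	b->priv.list.prev = head->prev;
	b->priv.list.next = head;
	head->prev->next = &b->priv.list;
	head->prev = &b->priv.list;
	return 0;
}

/* A plain iterator would advance with pos = pos->next after free(), reading
 * the freed node. Saving the successor first is what the _safe variant does. */
static int buses_unregister(struct list_head *head)
{
	struct list_head *pos, *n;
	int freed = 0;

	for (pos = head->next; pos != head; pos = n) {
		struct bus_priv *mb = container_of(pos, struct bus_priv, list);
		n = pos->next;            /* copy taken before the free */
		free(mb->bus);            /* releases mb and mb->list as well */
		freed++;
	}
	head->next = head->prev = head;   /* leave no dangling entries behind */
	return freed;
}

/* Builds `count` buses, tears them down, returns the number freed or -1. */
static int demo(int count)
{
	struct list_head head = { &head, &head };
	for (int i = 0; i < count; i++)
		if (bus_add(&head))
			return -1;
	return buses_unregister(&head) == count && head.next == &head ? count : -1;
}
```

Building this with `-fsanitize=address` and changing the loop step to `pos = pos->next` makes the sanitizer report the read of the freed node on the second iteration.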



* Re: [PATCH net] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
  2022-02-10 17:40 [PATCH net] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister Vladimir Oltean
@ 2022-02-10 20:00 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-02-10 20:00 UTC (permalink / raw)
  To: Vladimir Oltean
  Cc: netdev, f.fainelli, andrew, vivien.didelot, olteanv, davem, kuba,
	rafael.richter, daniel.klauer

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 10 Feb 2022 19:40:17 +0200 you wrote:
> Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
> allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
> will free the memory backing the mdio_bus as well. Therefore, the
> mdio_bus->list element is freed memory, but we continue to iterate
> through the list of MDIO buses using that list element.
> 
> To fix this, use the proper list iterator that handles element deletion
> by keeping a copy of the list element next pointer.
> 
> [...]

Here is the summary with links:
  - [net] net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
    https://git.kernel.org/netdev/net/c/51a04ebf2112

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


