[PATCH v1] net: macb: fix use after free on rmmod

From: Tong Zhang <ztong0001@gmail.com>
To: Nicolas Ferre <nicolas.ferre@microchip.com>,
	Claudiu Beznea <claudiu.beznea@microchip.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Tong Zhang <ztong0001@gmail.com>
Subject: [PATCH v1] net: macb: fix use after free on rmmod
Date: Tue,  7 Sep 2021 13:29:58 -0700	[thread overview]
Message-ID: <20210907202958.692166-1-ztong0001@gmail.com> (raw)

plat_dev->dev->platform_data is released by platform_device_unregister(),
use of pclk and hclk is use after free. This patch keeps a copy to fix
the issue.

[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
[   31.275563] Freed by task 306:
[   30.276782]  platform_device_release+0x25/0x80

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
 drivers/net/ethernet/cadence/macb_pci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
index 8b7b59908a1a..4dd0cec2e542 100644
--- a/drivers/net/ethernet/cadence/macb_pci.c
+++ b/drivers/net/ethernet/cadence/macb_pci.c
@@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev)
 {
 	struct platform_device *plat_dev = pci_get_drvdata(pdev);
 	struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
+	struct clk *pclk = plat_data->pclk;
+	struct clk *hclk = plat_data->hclk;
 
 	platform_device_unregister(plat_dev);
-	clk_unregister(plat_data->pclk);
-	clk_unregister(plat_data->hclk);
+	clk_unregister(pclk);
+	clk_unregister(hclk);
 }
 
 static const struct pci_device_id dev_id_table[] = {
-- 
2.25.1

