Re: [PATCH v1] net: macb: fix use after free on rmmod

[Tong Zhang <ztong0001@gmail.com>]

Thanks Nicolas, sent a v2 as suggested.
- Tong

On Wed, Sep 8, 2021 at 12:27 AM <Nicolas.Ferre@microchip.com> wrote:
>
> On 07/09/2021 at 22:29, Tong Zhang wrote:
> > plat_dev->dev->platform_data is released by platform_device_unregister(),
> > use of pclk and hclk is use after free. This patch keeps a copy to fix
> > the issue.
> >
> > [   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
> > [   31.275563] Freed by task 306:
> > [   30.276782]  platform_device_release+0x25/0x80
> >
> > Signed-off-by: Tong Zhang <ztong0001@gmail.com>
> > ---
> >   drivers/net/ethernet/cadence/macb_pci.c | 6 ++++--
> >   1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
> > index 8b7b59908a1a..4dd0cec2e542 100644
> > --- a/drivers/net/ethernet/cadence/macb_pci.c
> > +++ b/drivers/net/ethernet/cadence/macb_pci.c
> > @@ -110,10 +110,12 @@ static void macb_remove(struct pci_dev *pdev)
> >   {
> >          struct platform_device *plat_dev = pci_get_drvdata(pdev);
> >          struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
> > +       struct clk *pclk = plat_data->pclk;
> > +       struct clk *hclk = plat_data->hclk;
> >
> >          platform_device_unregister(plat_dev);
> > -       clk_unregister(plat_data->pclk);
> > -       clk_unregister(plat_data->hclk);
> > +       clk_unregister(pclk);
> > +       clk_unregister(hclk);
>
> NACK, I  would prefer that you switch lines and do clock clk unregister
> before: this way we avoid the problem and I think that you don't need
> clocks for unregistering the platform device anyway.
>
> Please change accordingly or tell me what could go bad.
>
> Regards,
>    Nicolas
>
>
> >   }
> >
> >   static const struct pci_device_id dev_id_table[] = {
> > --
> > 2.25.1
> >
>
>
> --
> Nicolas Ferre