[PATCH] ptp: free ptp device pin descriptors properly

[PATCH] ptp: free ptp device pin descriptors properly

[Vladis Dronov]

There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
them to destroy a related sysfs device.

These functions can not be just swapped, as posix_clock_unregister() frees
ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.

This makes this patch fix an UAF bug in a patch which fixes an UAF bug.

Reported-by: Antti Laakso <antti.laakso@intel.com>
Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
 drivers/ptp/ptp_clock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 61fafe0374ce..b84f16bbd6f2 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -170,6 +170,7 @@ static void ptp_clock_release(struct device *dev)
 {
 	struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);
 
+	ptp_cleanup_pin_groups(ptp);
 	mutex_destroy(&ptp->tsevq_mux);
 	mutex_destroy(&ptp->pincfg_mux);
 	ida_simple_remove(&ptp_clocks_map, ptp->index);
@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_clock *ptp)
 	if (ptp->pps_source)
 		pps_unregister_source(ptp->pps_source);
 
-	ptp_cleanup_pin_groups(ptp);
-
 	posix_clock_unregister(&ptp->clock);
+
 	return 0;
 }
 EXPORT_SYMBOL(ptp_clock_unregister);
-- 
2.20.1

Re: [PATCH] ptp: free ptp device pin descriptors properly

[Richard Cochran]

On Mon, Jan 13, 2020 at 02:00:09PM +0100, Vladis Dronov wrote:
> There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
> first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
> them to destroy a related sysfs device.
> 
> These functions can not be just swapped, as posix_clock_unregister() frees
> ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
> ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.
> 
> This makes this patch fix an UAF bug in a patch which fixes an UAF bug.
> 
> Reported-by: Antti Laakso <antti.laakso@intel.com>
> Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
> Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>

Acked-by: Richard Cochran <richardcochran@gmail.com>

Re: [PATCH] ptp: free ptp device pin descriptors properly

[David Miller]

From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 13 Jan 2020 14:00:09 +0100

> There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
> first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
> them to destroy a related sysfs device.
> 
> These functions can not be just swapped, as posix_clock_unregister() frees
> ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
> ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.
> 
> This makes this patch fix an UAF bug in a patch which fixes an UAF bug.
> 
> Reported-by: Antti Laakso <antti.laakso@intel.com>
> Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
> Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>

Applied, thank you.