From: Dexuan Cui
To: David Miller, netdev, Stephen Hemminger, KY Srinivasan, Haiyang Zhang
Cc: linux-kernel@vger.kernel.org, driverdev-devel@linuxdriverproject.org
Subject: [PATCH] netvsc: fix use-after-free in netvsc_change_mtu()
Date: Thu, 2 Mar 2017 13:00:53 +0000
List-ID: linux-kernel@vger.kernel.org

'nvdev' is freed in rndis_filter_device_remove -> netvsc_device_remove -> free_netvsc_device, so we mustn't access it before it's re-created in rndis_filter_device_add -> netvsc_device_add.

Signed-off-by: Dexuan Cui
Cc: "K. Y. Srinivasan"
Cc: Haiyang Zhang
Cc: Stephen Hemminger
---
 drivers/net/hyperv/netvsc_drv.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 2d3cdb0..bc05c89 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -859,15 +859,22 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu) if (ret) goto out; + memset(&device_info, 0, sizeof(device_info)); + device_info.ring_size = ring_size; + device_info.num_chn = nvdev->num_chn; + device_info.max_num_vrss_chns = nvdev->num_chn; + ndevctx->start_remove = true; rndis_filter_device_remove(hdev, nvdev); + /* 'nvdev' has been freed in rndis_filter_device_remove() -> + * netvsc_device_remove () -> free_netvsc_device(). + * We mustn't access it before it's re-created in + * rndis_filter_device_add() -> netvsc_device_add(). + */ + ndev->mtu = mtu; - memset(&device_info, 0, sizeof(device_info)); - device_info.ring_size = ring_size; - device_info.num_chn = nvdev->num_chn; - device_info.max_num_vrss_chns = nvdev->num_chn; rndis_filter_device_add(hdev, &device_info); out: -- 2.7.4
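Review bot: the trailing context shows `rndis_filter_device_add(hdev, &device_info);` followed directly by `out:`, so the result of re-creating the device is discarded, and after this patch `ndev->mtu = mtu;` has already been committed at that point; a failed re-add would leave the netdev reporting the new MTU with no netvsc device behind it. Consider `ret = rndis_filter_device_add(hdev, &device_info);` and restoring the previous MTU (or at least propagating the error) when it fails. The reordering itself is right: `num_chn` is now read from `nvdev` before `rndis_filter_device_remove()` frees it, and the new comment documents why the local `nvdev` must not be touched below that call; adding `nvdev = NULL;` right after the remove would turn any future regression into an immediate NULL dereference rather than a silent read of freed memory.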
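To make the ordering the commit message describes concrete, here is an added example that is not part of the patch or of the kernel tree: a small userspace model of netvsc_change_mtu() in which a single poisoned "slab slot" stands in for the allocator, so that reading `nvdev->num_chn` after the remove visibly corrupts the re-created device, while the patched ordering (capture first, then remove) carries the channel count over intact. Apart from the field names quoted from the hunk, every struct, function and value here (the 4-channel device, the MTU change to 9000, the 0x6b poison byte) is an assumption of this model.

```c
/* Added userspace model of the ordering bug (not kernel code); netvsc_device,
 * net_device, model_device_add/remove and change_mtu_* are hypothetical stand-ins
 * for the objects and functions the commit message names. */
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte SLUB writes over freed objects when poisoning is on */

struct netvsc_device { unsigned int num_chn; };   /* what the MTU path must carry over */
struct netvsc_device_info { unsigned int ring_size, num_chn, max_num_vrss_chns; };
struct net_device { int mtu; struct netvsc_device *nvdev; };   /* nvdev valid only between add/remove */

/* One "slab slot" stands in for the allocator: remove poisons it, add reuses it. */
static struct netvsc_device slab_slot;

/* Model of rndis_filter_device_add() -> netvsc_device_add(). */
static void model_device_add(struct net_device *ndev, const struct netvsc_device_info *info)
{
    memset(&slab_slot, 0, sizeof(slab_slot));
    slab_slot.num_chn = info->num_chn;
    ndev->nvdev = &slab_slot;
}

/* Model of rndis_filter_device_remove() -> free_netvsc_device(): the object is
 * poisoned like a freed slab object, so a later read shows up in the result. */
static void model_device_remove(struct net_device *ndev)
{
    memset(ndev->nvdev, POISON_FREE, sizeof(*ndev->nvdev));
    ndev->nvdev = NULL;
}

/* Value num_chn takes when read back from poisoned (freed) memory. */
unsigned int poisoned_num_chn(void)
{
    unsigned int v;
    memset(&v, POISON_FREE, sizeof(v));
    return v;
}

/* Pre-patch ordering: device_info is filled from nvdev AFTER the remove. */
unsigned int change_mtu_before(struct net_device *ndev, int mtu)
{
    struct netvsc_device *nvdev = ndev->nvdev;
    struct netvsc_device_info device_info;

    model_device_remove(ndev);                        /* nvdev now points at freed memory */
    ndev->mtu = mtu;
    memset(&device_info, 0, sizeof(device_info));
    device_info.ring_size = 128;
    device_info.num_chn = nvdev->num_chn;             /* use-after-free */
    device_info.max_num_vrss_chns = nvdev->num_chn;   /* use-after-free */
    model_device_add(ndev, &device_info);
    return ndev->nvdev->num_chn;                      /* poison baked into the new device */
}

/* Post-patch ordering: everything needed from nvdev is captured before the remove. */
unsigned int change_mtu_after(struct net_device *ndev, int mtu)
{
    struct netvsc_device *nvdev = ndev->nvdev;
    struct netvsc_device_info device_info;

    memset(&device_info, 0, sizeof(device_info));
    device_info.ring_size = 128;
    device_info.num_chn = nvdev->num_chn;
    device_info.max_num_vrss_chns = nvdev->num_chn;
    model_device_remove(ndev);
    nvdev = NULL;   /* guard beyond the patch: a stray use now faults instead of reading poison */
    ndev->mtu = mtu;
    model_device_add(ndev, &device_info);
    return ndev->nvdev->num_chn;
}

/* Scenario: a device probed with 4 channels gets its MTU changed to 9000 (constructed input). */
unsigned int run_scenario(int patched)
{
    struct netvsc_device_info probe = { .ring_size = 128, .num_chn = 4, .max_num_vrss_chns = 4 };
    struct net_device ndev = { .mtu = 1500, .nvdev = NULL };

    model_device_add(&ndev, &probe);
    return patched ? change_mtu_after(&ndev, 9000) : change_mtu_before(&ndev, 9000);
}

int main(void)
{
    printf("pre-patch  num_chn after MTU change: 0x%x (freed-memory poison is 0x%x)\n",
           run_scenario(0), poisoned_num_chn());
    printf("post-patch num_chn after MTU change: %u\n", run_scenario(1));
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The poisoning in `model_device_remove()` plays the role that slab poisoning or KASAN would play on a real kernel: it turns a silent read of stale memory into a wrong, recognisable value. The `nvdev = NULL;` line in the patched variant is a guard beyond what the hunk does; it costs nothing and makes a future use of the stale pointer fault immediately instead of passing freed data into the re-created device.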