From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
To: Li Yang <leoyang.li@nxp.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>
Cc: Zhao Qiang <qiang.zhao@nxp.com>,
Vladimir Oltean <vladimir.oltean@nxp.com>,
Rasmus Villemoes <rasmus.villemoes@prevas.dk>,
netdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 11/20] ethernet: ucc_geth: fix use-after-free in ucc_geth_remove()
Date: Sat, 5 Dec 2020 20:17:34 +0100 [thread overview]
Message-ID: <20201205191744.7847-12-rasmus.villemoes@prevas.dk> (raw)
In-Reply-To: <20201205191744.7847-1-rasmus.villemoes@prevas.dk>
ugeth is the netdiv_priv() part of the netdevice. Accessing the memory
pointed to by ugeth (such as done by ucc_geth_memclean() and the two
of_node_puts) after free_netdev() is thus use-after-free.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
drivers/net/ethernet/freescale/ucc_geth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c
index b132fcfc7c17..ba911d05d36d 100644
--- a/drivers/net/ethernet/freescale/ucc_geth.c
+++ b/drivers/net/ethernet/freescale/ucc_geth.c
@@ -3895,13 +3895,13 @@ static int ucc_geth_remove(struct platform_device* ofdev)
struct ucc_geth_private *ugeth = netdev_priv(dev);
struct device_node *np = ofdev->dev.of_node;
- unregister_netdev(dev);
- free_netdev(dev);
ucc_geth_memclean(ugeth);
if (of_phy_is_fixed_link(np))
of_phy_deregister_fixed_link(np);
of_node_put(ugeth->ug_info->tbi_node);
of_node_put(ugeth->ug_info->phy_node);
+ unregister_netdev(dev);
+ free_netdev(dev);
return 0;
}
--
2.23.0
next prev parent reply other threads:[~2020-12-05 19:20 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-05 19:17 [PATCH 00/20] ethernet: ucc_geth: assorted fixes and simplifications Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 01/20] ethernet: ucc_geth: set dev->max_mtu to 1518 Rasmus Villemoes
2020-12-10 1:25 ` Andrew Lunn
2021-01-05 14:17 ` Joakim Tjernlund
2021-01-05 14:33 ` Andrew Lunn
2021-01-05 14:44 ` Joakim Tjernlund
2021-01-05 14:54 ` Andrew Lunn
2020-12-05 19:17 ` [PATCH 02/20] ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram Rasmus Villemoes
2020-12-08 19:14 ` Li Yang
2020-12-08 20:12 ` Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 03/20] ethernet: ucc_geth: remove unused read of temoder field Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 04/20] soc: fsl: qe: make cpm_muram_offset take a const void* argument Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 05/20] soc: fsl: qe: store muram_vbase as a void pointer instead of u8 Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 06/20] soc: fsl: qe: add cpm_muram_free_addr() helper Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 07/20] ethernet: ucc_geth: use qe_muram_free_addr() Rasmus Villemoes
2020-12-10 1:36 ` Andrew Lunn
2020-12-05 19:17 ` [PATCH 08/20] ethernet: ucc_geth: remove unnecessary memset_io() calls Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 09/20] ethernet: ucc_geth: replace kmalloc+memset by kzalloc Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 10/20] ethernet: ucc_geth: remove {rx,tx}_glbl_pram_offset from struct ucc_geth_private Rasmus Villemoes
2020-12-05 19:17 ` Rasmus Villemoes [this message]
2020-12-05 20:48 ` [PATCH 11/20] ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() Jakub Kicinski
2020-12-05 21:04 ` Rasmus Villemoes
2020-12-05 21:19 ` Jakub Kicinski
2020-12-05 21:35 ` Rasmus Villemoes
2020-12-05 21:50 ` Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 12/20] ethernet: ucc_geth: factor out parsing of {rx,tx}-clock{,-name} properties Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 13/20] ethernet: ucc_geth: constify ugeth_primary_info Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 14/20] ethernet: ucc_geth: don't statically allocate eight ucc_geth_info Rasmus Villemoes
2020-12-08 15:13 ` Christophe Leroy
2020-12-08 21:17 ` Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 15/20] ethernet: ucc_geth: use UCC_GETH_{RX,TX}_BD_RING_ALIGNMENT macros directly Rasmus Villemoes
2020-12-08 15:14 ` [PATCH 15/20] ethernet: ucc_geth: use UCC_GETH_{RX, TX}_BD_RING_ALIGNMENT " Christophe Leroy
2020-12-05 19:17 ` [PATCH 16/20] ethernet: ucc_geth: remove bd_mem_part and all associated code Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 17/20] ethernet: ucc_geth: replace kmalloc_array()+for loop by kcalloc() Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 18/20] ethernet: ucc_geth: add helper to replace repeated switch statements Rasmus Villemoes
2020-12-08 15:21 ` Christophe Leroy
2020-12-08 20:55 ` Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 19/20] ethernet: ucc_geth: inform the compiler that numQueues is always 1 Rasmus Villemoes
2020-12-05 19:17 ` [PATCH 20/20] ethernet: ucc_geth: simplify rx/tx allocations Rasmus Villemoes
2020-12-05 20:53 ` [PATCH 00/20] ethernet: ucc_geth: assorted fixes and simplifications Jakub Kicinski
2020-12-05 21:11 ` Rasmus Villemoes
2020-12-05 21:27 ` Jakub Kicinski
2020-12-05 21:36 ` Rasmus Villemoes
2020-12-10 7:52 ` Rasmus Villemoes
2020-12-08 3:07 ` Qiang Zhao
2020-12-08 8:13 ` Rasmus Villemoes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201205191744.7847-12-rasmus.villemoes@prevas.dk \
--to=rasmus.villemoes@prevas.dk \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=leoyang.li@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=netdev@vger.kernel.org \
--cc=qiang.zhao@nxp.com \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).