[PATCH] net: qcom/emac: fix UAF in emac_remove

From: Pavel Skripkin
Date: Fri Jul 09 2021 - 10:24:30 EST

Next message: Liam Beguin: "RE: [PATCH v1 2/4] iio: adc: ad7949: fix spi messages on non 14-bit controllers"
Previous message: Ming Lei: "Re: [bug report] iommu_dma_unmap_sg() is very slow then running IO from remote numa node"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH] net: qcom/emac: fix UAF in emac_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.

Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
---
drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
index 8543bf3c3484..ad655f0a4965 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac.c
@@ -735,12 +735,13 @@ static int emac_remove(struct platform_device *pdev)

put_device(&adpt->phydev->mdio.dev);
mdiobus_unregister(adpt->mii_bus);
- free_netdev(netdev);

if (adpt->phy.digital)
iounmap(adpt->phy.digital);
iounmap(adpt->phy.base);

+ free_netdev(netdev);
+
return 0;
}

--
2.32.0

Next message: Liam Beguin: "RE: [PATCH v1 2/4] iio: adc: ad7949: fix spi messages on non 14-bit controllers"
Previous message: Ming Lei: "Re: [bug report] iommu_dma_unmap_sg() is very slow then running IO from remote numa node"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH] net: qcom/emac: fix UAF in emac_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]