Re: [PATCH] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove

From: Pavel Skripkin
Date: Tue Nov 16 2021 - 00:48:28 EST

On 11/16/21 04:27, Jakub Kicinski wrote:
I'd ignore that path, it's just special casing that's supposed to keep
the driver-visible API sane. Nobody should be touching netdev past
free_netdev(). Actually if you can it'd be interesting to add checks
for using whatever netdev_priv(ndev) returned past free_netdev(ndev).

Most UAFs that come to mind from the past were people doing something

struct my_priv *mine = netdev_priv(ndev);


free(mine->bla); /* UAF, free_netdev() frees the priv */

I've implemented this checker couple of months ago. The latest smatch (v1.72) should warn about this type of bugs. All reported bugs are fixed already :)

My checker warns about using priv pointer after free_netdev() and free_candev() calls. There are a few more wrappers like free_sja1000dev(), so it worth to add them to check list too. Will add them today later

Important thing, that there are complex situations like

struct priv *priv = get_priv_from_smth(smth);


and for now I have no idea how to handle it (ex: ems_usb_disconnect).

With regards,
Pavel Skripkin