
[0/2] net: fix use-after-free bugs

Message ID cover.1628091954.git.paskripkin@gmail.com
Series net: fix use-after-free bugs

Message

Pavel Skripkin Aug. 4, 2021, 3:48 p.m. UTC
I've added a new checker to smatch yesterday. It warns about using a
netdev_priv() pointer after a free_{netdev,candev}() call. I hope it will
get into the next smatch release.

Some of the reported bugs are fixed and upstreamed already, but Dan ran the new
smatch with allmodconfig and found 2 more. Big thanks to Dan for doing it,
because I totally forgot to do it.

Pavel Skripkin (2):
  net: fec: fix use-after-free in fec_drv_remove
  net: vxge: fix use-after-free in vxge_device_unregister

 drivers/net/ethernet/freescale/fec_main.c      | 2 +-
 drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
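
The bug class the checker reports, as an added example that is not part of this series or of the kernel source: a userspace C model in which the device and its private area share one allocation, so a pointer from the private-data accessor dangles once the device is freed. The `model_*` names and the two `state_*` fields are hypothetical, and the model poisons memory on free rather than releasing it so the stale reads can be counted without undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

#define POISON 0x6b /* byte this model writes over freed memory */

/* Hypothetical stand-ins for the device struct and the driver's private area. */
struct model_netdev { size_t priv_len; };
struct model_priv { unsigned char state_a, state_b; };

/* One allocation holds the device followed by its private area. */
static struct model_netdev *model_alloc_netdev(size_t priv_len)
{
    struct model_netdev *ndev = calloc(1, sizeof(*ndev) + priv_len);
    if (!ndev) abort();
    ndev->priv_len = priv_len;
    return ndev;
}

static void *model_netdev_priv(struct model_netdev *ndev) { return ndev + 1; }

/* Poison instead of releasing, so a stale read is observable and defined. */
static void model_free_netdev(struct model_netdev *ndev)
{
    memset(ndev, POISON, sizeof(*ndev) + ndev->priv_len);
}

/* Count private-data reads that return poison, i.e. happen after the free. */
static int stale_reads(const struct model_priv *p)
{
    return (p->state_a == POISON) + (p->state_b == POISON);
}

/* free_first != 0 models the flagged order; 0 frees after the last use. */
int remove_device(int free_first)
{
    struct model_netdev *ndev = model_alloc_netdev(sizeof(struct model_priv));
    struct model_priv *priv = model_netdev_priv(ndev);
    int stale;

    priv->state_a = priv->state_b = 1;
    if (free_first)
        model_free_netdev(ndev); /* priv dangles from here on */
    stale = stale_reads(priv);
    if (!free_first)
        model_free_netdev(ndev);
    free(ndev); /* the model returns the memory only now */
    return stale;
}

int main(void) { return !(remove_device(1) == 2 && remove_device(0) == 0); }
```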

Comments

Joakim Zhang Aug. 5, 2021, 2:24 a.m. UTC | #1
> -----Original Message-----
> From: Pavel Skripkin <paskripkin@gmail.com>
> Sent: August 4, 2021 23:52
> To: davem@davemloft.net; kuba@kernel.org; Joakim Zhang
> <qiangqing.zhang@nxp.com>; hslester96@gmail.com; fugang.duan@nxp.com
> Cc: dan.carpenter@oracle.com; netdev@vger.kernel.org;
> linux-kernel@vger.kernel.org; Pavel Skripkin <paskripkin@gmail.com>
> Subject: [PATCH 1/2] net: fec: fix use-after-free in fec_drv_remove
>
> Smatch says:
> 	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
> 	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
>
> Since the fep pointer is netdev private data, accessing it after the free_netdev() call can
> cause a use-after-free bug. Fix it by moving the free_netdev() call to the end of the
> function.
>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---

Thanks.

Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>


Best Regards,
Joakim Zhang

patchwork-bot+netdevbpf@kernel.org Aug. 5, 2021, 2:50 p.m. UTC | #2
Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed,  4 Aug 2021 18:48:57 +0300 you wrote:
> I've added a new checker to smatch yesterday. It warns about using a
> netdev_priv() pointer after a free_{netdev,candev}() call. I hope it will
> get into the next smatch release.
>
> Some of the reported bugs are fixed and upstreamed already, but Dan ran the new
> smatch with allmodconfig and found 2 more. Big thanks to Dan for doing it,
> because I totally forgot to do it.
>
> [...]


Here is the summary with links:
  - [1/2] net: fec: fix use-after-free in fec_drv_remove
    https://git.kernel.org/netdev/net/c/44712965bf12
  - [2/2] net: vxge: fix use-after-free in vxge_device_unregister
    https://git.kernel.org/netdev/net/c/942e560a3d38

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html