[PATCH openEuler-1.0-LTS] net: ti: fix UAF in tlan_remove_one

11 Jun 2024

From: Pavel Skripkin <paskripkin@gmail.com>

stable inclusion
from stable-v4.19.199
commit a0a817b2d308fac090a05cbbe80988e073ac5193
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S1ZJ
CVE: CVE-2021-47310

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

commit 0336f8ffece62f882ab3012820965a786a983f70 upstream.

priv is netdev private data and it cannot be
used after free_netdev() call. Using priv after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.

Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
 drivers/net/ethernet/ti/tlan.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c
index 93d142867c2a..c6595b4ff55a 100644
--- a/drivers/net/ethernet/ti/tlan.c
+++ b/drivers/net/ethernet/ti/tlan.c
@@ -312,9 +312,8 @@ static void tlan_remove_one(struct pci_dev *pdev)
 	pci_release_regions(pdev);
 #endif
 
-	free_netdev(dev);
-
 	cancel_work_sync(&priv->tlan_tqueue);
+	free_netdev(dev);
 }
 
 static void tlan_start(struct net_device *dev)
-- 
2.25.1

    

Liu Shixin

patchwork bot

tags

participants (2)