X-Patchwork-Id: 819098
From: Arvind Yadav
To: davem@davemloft.net, woojung.huh@microchip.com, UNGLinuxDriver@microchip.com, netdev@vger.kernel.org, andreyknvl@google.com, kcc@google.com, dvyukov@google.com, Nisar.Sayed@microchip.com
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Subject: [RFT] lan78xx: FIX use-after-free in lan78xx_write_reg
Date: Wed, 27 Sep 2017 16:48:24 +0530

We are not releasing 'buf' memory on failure or on disconnecting a device.
Adding 'u8 *buf' as part of the 'lan78xx_net' structure to make a proper
handle for 'buf'.
Now releasing 'buf' memory on failure. It's allocated first in
lan78xx_probe() and it should be freed last in lan78xx_disconnect().

Signed-off-by: Arvind Yadav
---
 drivers/net/usb/lan78xx.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index b99a7fb..e653982 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -402,6 +402,7 @@ struct lan78xx_net { struct statstage stats; struct irq_domain_data domain_data; + u8 *buf; }; /* define external phy id */ @@ -3470,6 +3471,9 @@ static void lan78xx_disconnect(struct usb_interface *intf) usb_scuttle_anchored_urbs(&dev->deferred); + kfree(dev->buf); + dev->buf = NULL; + lan78xx_unbind(dev, intf); usb_kill_urb(dev->urb_intr); @@ -3520,7 +3524,6 @@ static int lan78xx_probe(struct usb_interface *intf, int ret; unsigned maxp; unsigned period; - u8 *buf = NULL; udev = interface_to_usbdev(intf); udev = usb_get_dev(udev); @@ -3588,16 +3591,15 @@ static int lan78xx_probe(struct usb_interface *intf, period = dev->ep_intr->desc.bInterval; maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); - buf = kmalloc(maxp, GFP_KERNEL); - if (buf) { + dev->buf = kmalloc(maxp, GFP_KERNEL); + if (dev->buf) { dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL); if (!dev->urb_intr) { ret = -ENOMEM; - kfree(buf); goto out3; } else { usb_fill_int_urb(dev->urb_intr, dev->udev, - dev->pipe_intr, buf, maxp, + dev->pipe_intr, dev->buf, maxp, intr_complete, dev, period); } } @@ -3626,6 +3628,8 @@ static int lan78xx_probe(struct usb_interface *intf, return 0; out3: + kfree(dev->buf); + dev->buf = NULL; lan78xx_unbind(dev, intf); out2: free_netdev(netdev);
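
Review bot: in the struct lan78xx_net hunk (-402), the new field name `u8 *buf;` says nothing about its role or owner, although the rest of the patch only ever uses it as the transfer buffer of dev->urb_intr. Rename it to something like intr_buf and add a one-line comment stating that probe allocates it and disconnect frees it. It is also worth considering whether the field is needed at all: setting URB_FREE_BUFFER in the URB's transfer_flags makes usb_free_urb() release the transfer buffer together with the URB, which ties the two lifetimes together without a separate pointer.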
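
Review bot: in the lan78xx_disconnect() hunk (-3470), kfree(dev->buf) is placed before usb_kill_urb(dev->urb_intr), yet the probe hunk hands dev->buf to usb_fill_int_urb() as that URB's transfer buffer. If the interrupt URB is still submitted at this point, it can complete into memory that has already been freed, so the ordering introduces a use-after-free window of its own. Move the `kfree(dev->buf); dev->buf = NULL;` pair to after usb_kill_urb(dev->urb_intr), so the buffer is released only once nothing can still be using it.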
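
Review bot: in the lan78xx_probe() hunk at -3588, a failed kmalloc(maxp, GFP_KERNEL) still has no error path in the lines shown: `if (dev->buf) {` just skips the URB setup and probe carries on with dev->urb_intr never allocated. Since this patch is reworking the buffer's ownership anyway, fail explicitly when dev->buf is NULL (set ret = -ENOMEM and goto out3). That also removes one nesting level and the `else` that follows a `goto`.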
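
Review bot: at the out3 label (-3626), the buffer is freed but nothing in the visible lines releases dev->urb_intr, which by then may have been filled with dev->buf by usb_fill_int_urb(). If any failure path reaches out3 after the URB has been allocated, the URB is left pointing at freed memory; that path should call usb_free_urb(dev->urb_intr) alongside the kfree. Please state in the commit message which gotos can reach this label after the allocation, and note that the subject line says use-after-free while the description talks about a leak.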