Patch "net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 13 Feb 2022 00:55:28 -0500

This is a note to let you know that I've just added the patch titled

    net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-dsa-mv88e6xxx-fix-use-after-free-in-mv88e6xxx_md.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2fca6387daa71fec07bf74b010e352df2e215966
Author: Vladimir Oltean <vladimir.oltean@xxxxxxx>
Date:   Thu Feb 10 19:40:17 2022 +0200

    net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister
    
    [ Upstream commit 51a04ebf21122d5c76a716ecd9bfc33ea44b2b39 ]
    
    Since struct mv88e6xxx_mdio_bus *mdio_bus is the bus->priv of something
    allocated with mdiobus_alloc_size(), this means that mdiobus_free(bus)
    will free the memory backing the mdio_bus as well. Therefore, the
    mdio_bus->list element is freed memory, but we continue to iterate
    through the list of MDIO buses using that list element.
    
    To fix this, use the proper list iterator that handles element deletion
    by keeping a copy of the list element next pointer.
    
    Fixes: f53a2ce893b2 ("net: dsa: mv88e6xxx: don't use devres for mdiobus")
    Reported-by: Rafael Richter <rafael.richter@xxxxxx>
    Signed-off-by: Vladimir Oltean <vladimir.oltean@xxxxxxx>
    Link: https://lore.kernel.org/r/20220210174017.3271099-1-vladimir.oltean@xxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index 9b451b820d7a6..1992be77522ac 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3122,10 +3122,10 @@ static int mv88e6xxx_mdio_register(struct mv88e6xxx_chip *chip,
 static void mv88e6xxx_mdios_unregister(struct mv88e6xxx_chip *chip)
 
 {
-	struct mv88e6xxx_mdio_bus *mdio_bus;
+	struct mv88e6xxx_mdio_bus *mdio_bus, *p;
 	struct mii_bus *bus;
 
-	list_for_each_entry(mdio_bus, &chip->mdios, list) {
+	list_for_each_entry_safe(mdio_bus, p, &chip->mdios, list) {
 		bus = mdio_bus->bus;
 
 		if (!mdio_bus->external)






