Patch "net: dsa: Fix stale cpu_switch reference after unbind then bind" has been added to the 4.11-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 08 Jun 2017 08:59:13 +0200

This is a note to let you know that I've just added the patch titled

    net: dsa: Fix stale cpu_switch reference after unbind then bind

to the 4.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-dsa-fix-stale-cpu_switch-reference-after-unbind-then-bind.patch
and it can be found in the queue-4.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Thu Jun  8 08:58:08 CEST 2017
From: Florian Fainelli <f.fainelli@xxxxxxxxx>
Date: Fri, 2 Jun 2017 22:05:23 -0700
Subject: net: dsa: Fix stale cpu_switch reference after unbind then bind

From: Florian Fainelli <f.fainelli@xxxxxxxxx>


[ Upstream commit b07ac9894644202614ca87c69f3f45e424a82fef ]

Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
replaced the use of dst->ds[0] with dst->cpu_switch since that is
functionally equivalent, however, we can now run into an use after free
scenario after unbinding then rebinding the switch driver.

The use after free happens because we do correctly initialize
dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
unbind the driver: dsa_dst_unapply() is called, and we rebind again.
dst->cpu_switch now points to a freed "ds" structure, and so when we
finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.

To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
which guarantees that we always correctly re-assign dst->cpu_switch in
dsa_cpu_parse().

Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]")
Signed-off-by: Florian Fainelli <f.fainelli@xxxxxxxxx>
Reviewed-by: Vivien Didelot <vivien.didelot@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/dsa/dsa2.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -440,8 +440,10 @@ static void dsa_dst_unapply(struct dsa_s
 		dsa_ds_unapply(dst, ds);
 	}
 
-	if (dst->cpu_switch)
+	if (dst->cpu_switch) {
 		dsa_cpu_port_ethtool_restore(dst->cpu_switch);
+		dst->cpu_switch = NULL;
+	}
 
 	pr_info("DSA: tree %d unapplied\n", dst->tree);
 	dst->applied = false;


Patches currently in stable-queue which might be from f.fainelli@xxxxxxxxx are

queue-4.11/net-dsa-fix-stale-cpu_switch-reference-after-unbind-then-bind.patch
queue-4.11/net-ethoc-enable-napi-before-poll-may-be-scheduled.patch
queue-4.11/net-systemport-fix-missing-wake-on-lan-interrupt-for-systemport-lite.patch






