1
0
Fork 0
alistair23-linux/net/dsa
Florian Fainelli b07ac98946 net: dsa: Fix stale cpu_switch reference after unbind then bind
Commit 9520ed8fb8 ("net: dsa: use cpu_switch instead of ds[0]")
replaced the use of dst->ds[0] with dst->cpu_switch since that is
functionally equivalent, however, we can now run into an use after free
scenario after unbinding then rebinding the switch driver.

The use after free happens because we do correctly initialize
dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we
unbind the driver: dsa_dst_unapply() is called, and we rebind again.
dst->cpu_switch now points to a freed "ds" structure, and so when we
finally dereference it in dsa_cpu_port_ethtool_setup(), we oops.

To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply()
which guarantees that we always correctly re-assign dst->cpu_switch in
dsa_cpu_parse().

Fixes: 9520ed8fb8 ("net: dsa: use cpu_switch instead of ds[0]")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-04 22:55:17 -04:00
..
Kconfig net: dsa: add support for the SMSC-LAN9303 tagging format 2017-04-20 13:48:54 -04:00
Makefile net: dsa: add support for the SMSC-LAN9303 tagging format 2017-04-20 13:48:54 -04:00
dsa.c net: dsa: Move dsa_switch_{suspend,resume} out of legacy.c 2017-06-02 10:31:16 -04:00
dsa2.c net: dsa: Fix stale cpu_switch reference after unbind then bind 2017-06-04 22:55:17 -04:00
dsa_priv.h net: dsa: add support for the SMSC-LAN9303 tagging format 2017-04-20 13:48:54 -04:00
legacy.c net: dsa: Move dsa_switch_{suspend,resume} out of legacy.c 2017-06-02 10:31:16 -04:00
slave.c net: break include loop netdevice.h, dsa.h, devlink.h 2017-03-28 22:46:04 -07:00
switch.c net: dsa: add cross-chip bridging operations 2017-04-01 12:22:57 -07:00
tag_brcm.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00
tag_dsa.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00
tag_edsa.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00
tag_lan9303.c net: dsa: Remove redundant NULL dst check 2017-04-21 10:41:24 -04:00
tag_mtk.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00
tag_qca.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00
tag_trailer.c net: dsa: Factor bottom tag receive functions 2017-04-08 13:49:36 -07:00