net: ethernet: fix potential use-after-free in ec_bhf_remove

[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] static void ec_bhf_remove(struct pci_dev *dev) { ... struct ec_bhf_priv *priv = netdev_priv(net_dev); unregister_netdev(net_dev); free_netdev(net_dev); pci_iounmap(dev, priv->dma_io); pci_iounmap(dev, priv->io); ... } priv is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing priv pointer. So, fix it by moving free_netdev() after pci_iounmap() calls. Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Pavel Skripkin <paskripkin@gmail.com> 2021-06-18 16:49:02 +0300
committer: Sasha Levin <sashal@kernel.org> 2021-06-30 08:49:34 -0400
commit: db2bc3cfd2bc01621014d4f17cdfc74611f339c8 (patch)
tree: 0aec64ee8445d348573ae33a338088660d6b6a9c
parent: f12554b0ff639e74612cc01b3b4a049e098d2d65 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c
index f7b42483921c..0ade0c6d81ee 100644
--- a/drivers/net/ethernet/ec_bhf.c
+++ b/drivers/net/ethernet/ec_bhf.c
@@ -589,10 +589,12 @@ static void ec_bhf_remove(struct pci_dev *dev)
 	struct ec_bhf_priv *priv = netdev_priv(net_dev);
 
 	unregister_netdev(net_dev);
-	free_netdev(net_dev);
 
 	pci_iounmap(dev, priv->dma_io);
 	pci_iounmap(dev, priv->io);
+
+	free_netdev(net_dev);
+
 	pci_release_regions(dev);
 	pci_clear_master(dev);
 	pci_disable_device(dev);
author	Pavel Skripkin <paskripkin@gmail.com>	2021-06-18 16:49:02 +0300
committer	Sasha Levin <sashal@kernel.org>	2021-06-30 08:49:34 -0400
commit	db2bc3cfd2bc01621014d4f17cdfc74611f339c8 (patch)
tree	0aec64ee8445d348573ae33a338088660d6b6a9c
parent	f12554b0ff639e74612cc01b3b4a049e098d2d65 (diff)