[BUG] net: macb: Use-After-Free when removing the module

From: Zheyu Ma
Date: Thu Mar 03 2022 - 07:25:22 EST


When removing the macb_pci module, the driver will cause a UAF bug.

Commit d82d5303c4c5 ("net: macb: fix use after free on rmmod") moves
the platform_device_unregister() after clk_unregister(), but this
introduces another UAF bug.

The following log reveals it:

[ 64.783836] BUG: KASAN: use-after-free in clk_prepare+0x32/0x50
[ 64.794805] kasan_report+0x45/0x60
[ 64.795226] clk_prepare+0x32/0x50
[ 64.795641] macb_runtime_resume+0xc4/0x2e0
[ 64.796149] __rpm_callback+0x3e8/0xa30
[ 64.796621] ? ktime_get_mono_fast_ns+0x97/0x1c0
[ 64.797172] ? pm_generic_runtime_suspend+0xb0/0xb0
[ 64.797760] rpm_resume+0xff5/0x1860
[ 64.798194] ? _raw_spin_lock_irqsave+0x7a/0x140
[ 64.798751] __pm_runtime_resume+0x105/0x160
[ 64.799253] device_release_driver_internal+0x13c/0x7c0
[ 64.799874] bus_remove_device+0x2d0/0x340

[ 64.816165] Allocated by task 252:
[ 64.817167] ____kasan_kmalloc+0xb5/0xf0
[ 64.817669] __clk_register+0x98d/0x23b0
[ 64.818149] clk_hw_register+0xb2/0xd0
[ 64.818610] clk_register_fixed_rate+0x290/0x350
[ 64.819861] macb_probe+0x233/0x590 [macb_pci]
[ 64.820411] local_pci_probe+0x13f/0x210
[ 64.820890] pci_device_probe+0x34c/0x6d0
[ 64.821368] really_probe+0x24c/0x8d0
[ 64.821814] __driver_probe_device+0x1b3/0x280
[ 64.822346] driver_probe_device+0x50/0x370

[ 64.828473] Freed by task 485:
[ 64.829440] kasan_set_track+0x3d/0x70
[ 64.829901] kasan_set_free_info+0x1f/0x40
[ 64.830396] ____kasan_slab_free+0x103/0x140
[ 64.830914] kfree+0xf2/0x270
[ 64.831275] clk_unregister+0x6df/0x8d0
[ 64.831739] macb_remove+0x89/0xc0 [macb_pci]
[ 64.832252] pci_device_remove+0x92/0x240
[ 64.832741] device_release_driver_internal+0x4e4/0x7c0
[ 64.833365] driver_detach+0x1e1/0x2b0
[ 64.833817] bus_remove_driver+0xf2/0x1d0
[ 64.834294] pci_unregister_driver+0x29/0x1a0

Regards,
Zheyu Ma
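
Added example, not part of the original message or of the kernel tree: a small Python triage helper that splits a KASAN report like the one above into its access, allocation and free stacks and pairs the use site with the freeing call. The names `parse_kasan` and `summarize` are hypothetical, and the sample input is a trimmed excerpt of the log quoted above.

```python
import re

# Sample input: trimmed excerpt of the KASAN report quoted in the message above.
SAMPLE = """\
[ 64.783836] BUG: KASAN: use-after-free in clk_prepare+0x32/0x50
[ 64.794805] kasan_report+0x45/0x60
[ 64.795226] clk_prepare+0x32/0x50
[ 64.795641] macb_runtime_resume+0xc4/0x2e0
[ 64.796621] ? ktime_get_mono_fast_ns+0x97/0x1c0
[ 64.799253] device_release_driver_internal+0x13c/0x7c0
[ 64.816165] Allocated by task 252:
[ 64.819861] macb_probe+0x233/0x590 [macb_pci]
[ 64.828473] Freed by task 485:
[ 64.830914] kfree+0xf2/0x270
[ 64.831275] clk_unregister+0x6df/0x8d0
[ 64.831739] macb_remove+0x89/0xc0 [macb_pci]
[ 64.832741] device_release_driver_internal+0x4e4/0x7c0
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*(.*)$")
HEADER = re.compile(r"^BUG: KASAN: (\S+) in ")
SECTION = re.compile(r"^(Allocated|Freed) by task \d+:$")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")

def parse_kasan(text):
    """Split a KASAN report into access, alloc and free stacks of (function, module)."""
    r, cur = {"kind": None, "access": [], "alloc": [], "free": []}, "access"
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        body = m.group(1).strip() if m else ""
        if h := HEADER.match(body):
            r["kind"], cur = h.group(1), "access"
        elif s := SECTION.match(body):
            cur = "alloc" if s.group(1) == "Allocated" else "free"
        elif (f := FRAME.match(body)) and not f.group(1):  # "? " marks an unreliable frame
            r[cur].append((f.group(2), f.group(3)))
    return r

def summarize(r):
    """Pair the use site with the freeing call, skipping KASAN and allocator frames."""
    real = lambda st: [f for f in st if not f[0].lstrip("_").startswith(("kasan", "kfree"))]
    nth = lambda st, i: st[i][0] if len(st) > i else None
    driver = lambda st: next((f for f in st if f[1]), None)  # first frame tagged [module]
    access, free = real(r["access"]), real(r["free"])
    return {"kind": r["kind"],
            "used_in": nth(access, 0), "used_via": nth(access, 1),
            "freed_by": nth(free, 0), "free_driver_frame": driver(free),
            "alloc_driver_frame": driver(r["alloc"]),
            "shared": sorted({f[0] for f in access} & {f[0] for f in free})}
```

On the excerpt, `summarize(parse_kasan(SAMPLE))` reports a use in `clk_prepare` reached via `macb_runtime_resume`, a free by `clk_unregister` called from `macb_remove [macb_pci]`, and `device_release_driver_internal` present on both the access and the free stack.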