lpc_eth: kernel BUG on remove

Message ID	3A5A66BC-5DAB-4408-A904-10D5EDD99158@usp.br
State	Accepted
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Bruno Carneiro da Cunha <brunocarneirodacunha@usp.br> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\)) Subject: [PATCH] lpc_eth: kernel BUG on remove Message-Id: <3A5A66BC-5DAB-4408-A904-10D5EDD99158@usp.br> Date: Thu, 5 Dec 2019 17:16:26 -0300 Cc: linux@danielsmartinez.com To: netdev@vger.kernel.org Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	lpc_eth: kernel BUG on remove \| expand lpc_eth: kernel BUG on remove

Message ID

3A5A66BC-5DAB-4408-A904-10D5EDD99158@usp.br

State

Accepted

Delegated to:

David Miller

Headers

From: Bruno Carneiro da Cunha <brunocarneirodacunha@usp.br>
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Subject: [PATCH] lpc_eth: kernel BUG on remove
Message-Id: <3A5A66BC-5DAB-4408-A904-10D5EDD99158@usp.br>
Date: Thu, 5 Dec 2019 17:16:26 -0300
Cc: linux@danielsmartinez.com
To: netdev@vger.kernel.org
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

lpc_eth: kernel BUG on remove | expand

Commit Message

Bruno Carneiro da Cunha Dec. 5, 2019, 8:16 p.m. UTC

Hi,

We may have found a bug in the nxp/lpc_eth.c driver. The function platform_set_drvdata() is called twice, the second time it is called, in lpc_mii_init(), it overwrites the struct net_device which should be at pdev->dev->driver_data with pldat->mii_bus. When trying to remove the driver, in lpc_eth_drv_remove(), platform_get_drvdata() will return the pldat->mii_bus pointer and try to use it as a struct net_device pointer. This causes unregister_netdev to segfault and generate a kernel BUG. Is this reproducible?

We recommend the following patch to fix it. 

Signed-off-by: Daniel Martinez <linux@danielsmartinez.com>
Signed-off-by: Bruno Carneiro da Cunha <brunocarneirodacunha@usp.br>

---
 drivers/net/ethernet/nxp/lpc_eth.c | 2 --
 1 file changed, 2 deletions(-)

--
2.20.1

Comments

David Miller Dec. 7, 2019, 4:51 a.m. UTC | #1

From: Bruno Carneiro da Cunha <brunocarneirodacunha@usp.br>
Date: Thu, 5 Dec 2019 17:16:26 -0300

> We may have found a bug in the nxp/lpc_eth.c driver. The function
> platform_set_drvdata() is called twice, the second time it is
> called, in lpc_mii_init(), it overwrites the struct net_device which
> should be at pdev->dev->driver_data with pldat->mii_bus. When trying
> to remove the driver, in lpc_eth_drv_remove(),
> platform_get_drvdata() will return the pldat->mii_bus pointer and
> try to use it as a struct net_device pointer. This causes
> unregister_netdev to segfault and generate a kernel BUG. Is this
> reproducible?
>
> Signed-off-by: Daniel Martinez <linux@danielsmartinez.com>
> Signed-off-by: Bruno Carneiro da Cunha <brunocarneirodacunha@usp.br>

Patch applied, thanks.

diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c
index ebb81d6d4..656169214 100644
--- a/drivers/net/ethernet/nxp/lpc_eth.c
+++ b/drivers/net/ethernet/nxp/lpc_eth.c
@@ -817,8 +817,6 @@  static int lpc_mii_init(struct netdata_local *pldat)
 	pldat->mii_bus->priv = pldat;
 	pldat->mii_bus->parent = &pldat->pdev->dev;

-	platform_set_drvdata(pldat->pdev, pldat->mii_bus);
-
 	node = of_get_child_by_name(pldat->pdev->dev.of_node, "mdio");
 	err = of_mdiobus_register(pldat->mii_bus, node);
 	of_node_put(node);