| Message ID | 20230311180630.4011201-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp395391wrd;
Sat, 11 Mar 2023 10:22:09 -0800 (PST)
X-Google-Smtp-Source:
AK7set/btu1ia//kFXXxnqIb7Bjwqx0GJ1NWuJCpcuOzM/Xz5VEGoi9jBUdILcIDj8tAqZuKIxjH
X-Received: by 2002:a05:6a20:4c88:b0:cc:786d:2128 with SMTP id
fq8-20020a056a204c8800b000cc786d2128mr23821348pzb.53.1678558929108;
Sat, 11 Mar 2023 10:22:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678558929; cv=none;
d=google.com; s=arc-20160816;
b=er35R1/2h3FLu3MKTWjzU3pb0Ng7PFKPCR+9rkTEgp9KN4gayvXXU9k4bJ0k7tmu7X
CMDFtDF5Qg76fiD4qz+v4ubHxbwXYkmnS53BUfWM4Toi7sPAHW6gYJrVbSYSKuLltS9e
p+3uJxCI3e5Q0zs+3OCvfeQKDIpJ/CH6zr58paZqm8pHDaeEL1FuBjO65SVUz296JkTa
kCn7YadOtSpL7WGlQmOL2TfFdhVB2M+aoa54+KB/d9R6Tmte4nNyg6GgzxX9pSb3FQS3
f4fZoVjdnpmhv2znyZa+pc+iopP2IeJ6zTAOOjuBasU6AWrhGGsof65FEzHmaSq888Te
FkLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=YXELYQhkSMhCKRXhZ5fp5y3ZjId2tVim6Q6kYlCoa7M=;
b=Iy65Qk2deTn3a2OJ6fGrzE81TwFqPRsgq72au3qrIpeC1P4iXQU6rUy9MJhXrPprma
Vv/XDQLUame9I5HUA6EOPCqsz6ZRgwO1OhWv2sR+zU6VnyptQI3szmDaESYfEblLrn/x
MhGDpKqcCdTvzieP3nMbUSrnNJwCra9YeSZYEX0lncp7vFMG3nunMCfcyvhvK1H2Ccy/
1w7VBxCjaI/lTCyIPp/ii9Hhdm8hjKNyv/CpllYmmWgkuUquotPbP3wZ3zIq2ZrA2f/j
5HTv2wynzjsb8xefvIMHwdjgOSVmsFlk4Zkf0oHhK3tosqmAnGLyjKC2wa9P0XZG6Jjs
L/zg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Zq6+HtY+;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
u11-20020a6540cb000000b005089640a405si1903401pgp.752.2023.03.11.10.21.56;
Sat, 11 Mar 2023 10:22:09 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=Zq6+HtY+;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230363AbjCKSHS (ORCPT <rfc822;toshivichauhan@gmail.com>
+ 99 others); Sat, 11 Mar 2023 13:07:18 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38966 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230344AbjCKSHQ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 11 Mar 2023 13:07:16 -0500
Received: from m12.mail.163.com (m12.mail.163.com [220.181.12.217])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id A963D6A422;
Sat, 11 Mar 2023 10:07:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=YXELY
QhkSMhCKRXhZ5fp5y3ZjId2tVim6Q6kYlCoa7M=; b=Zq6+HtY+LKoMdn8gyJH66
PvNEjR9Rx9i+ik6raQMpODircupWNMoJcHjMUzGc18bMIiakzTpOLOnVZkWhXOYR
2wRHklABN0Vp6044UY3yAOo7srmwIE+Ybn3zKniz7nNnISAxP7E4j8HPMYuXQRR4
AslrjmnRNuslB/MbcdzZRc=
Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21])
by zwqz-smtp-mta-g0-0 (Coremail) with SMTP id
_____wDnwxQowwxk9fcHDA--.22999S2;
Sun, 12 Mar 2023 02:06:32 +0800 (CST)
From: Zheng Wang <zyytlz.wz@163.com>
To: s.shtylyov@omp.ru
Cc: davem@davemloft.net, linyunsheng@huawei.com, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, hackerzheng666@gmail.com,
1395428693sheep@gmail.com, alex000young@gmail.com,
Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH net v3] net: ravb: Fix possible UAF bug in ravb_remove
Date: Sun, 12 Mar 2023 02:06:30 +0800
Message-Id: <20230311180630.4011201-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: _____wDnwxQowwxk9fcHDA--.22999S2
X-Coremail-Antispam: 1Uf129KBjvJXoW7CF1DZF1Dur1Uur45AFyUtrb_yoW8Gr1Dp3
9xKa4fuws5Jr1UWa1xGws7ZFWrG3WUKrnIgFWxAw4FvasayF1DXr1FgFW0yw1UJrWkta4a
vrWjvw1xu3WDAa7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0pEZ2adUUUUU=
X-Originating-IP: [111.206.145.21]
X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiXQgvU1WBo4EEqwAAsw
X-Spam-Status: No, score=-0.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
RCVD_IN_VALIDITY_RPBL,SPF_HELO_NONE,SPF_PASS autolearn=no
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760096467928191274?=
X-GMAIL-MSGID: =?utf-8?q?1760096607557863763?=
|
| Series |
[net,v3] net: ravb: Fix possible UAF bug in ravb_remove
|
|
Commit Message
Zheng Wang
March 11, 2023, 6:06 p.m. UTC
In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
If timeout occurs, it will start the work. And if we call
ravb_remove without finishing the work, there may be a
use-after-free bug on ndev.
Fix it by finishing the job before cleanup in ravb_remove.
Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
---
v3:
- fix typo in commit message
v2:
- stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin,
add an empty line to make code clear suggested by Sergey Shtylyov
---
drivers/net/ethernet/renesas/ravb_main.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On 3/11/23 9:06 PM, Zheng Wang wrote: > In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > If timeout occurs, it will start the work. And if we call > ravb_remove without finishing the work, there may be a > use-after-free bug on ndev. > > Fix it by finishing the job before cleanup in ravb_remove. > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> Well, I haven't reviewed v3 yet... > --- > v3: > - fix typo in commit message > v2: > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > add an empty line to make code clear suggested by Sergey Shtylyov > --- > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > index 0f54849a3823..eb63ea788e19 100644 > --- a/drivers/net/ethernet/renesas/ravb_main.c > +++ b/drivers/net/ethernet/renesas/ravb_main.c > @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > struct ravb_private *priv = netdev_priv(ndev); > const struct ravb_hw_info *info = priv->info; > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + cancel_work_sync(&priv->work); > + Thinking about it again (and looking on some drivers): can ravb_remove() be called without ravb_close() having been called on the bound devices? So I suspect this code should be added to ravb_close()... [...] MBR, Sergey
Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年3月13日周一 04:26写道: > > On 3/11/23 9:06 PM, Zheng Wang wrote: > > > In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > > If timeout occurs, it will start the work. And if we call > > ravb_remove without finishing the work, there may be a > > use-after-free bug on ndev. > > > > Fix it by finishing the job before cleanup in ravb_remove. > > > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > > Well, I haven't reviewed v3 yet... Please forgive my rudeness, I forgot that.. > > --- > > v3: > > - fix typo in commit message > > v2: > > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > > add an empty line to make code clear suggested by Sergey Shtylyov > > --- > > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > > index 0f54849a3823..eb63ea788e19 100644 > > --- a/drivers/net/ethernet/renesas/ravb_main.c > > +++ b/drivers/net/ethernet/renesas/ravb_main.c > > @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > > struct ravb_private *priv = netdev_priv(ndev); > > const struct ravb_hw_info *info = priv->info; > > > > + netif_carrier_off(ndev); > > + netif_tx_disable(ndev); > > + cancel_work_sync(&priv->work); > > + > > Thinking about it again (and looking on some drivers): can ravb_remove() be > called without ravb_close() having been called on the bound devices? > So I suspect this code should be added to ravb_close()... > Yes, as this bug is found by static analysis, I've also seen a lot of other drivers, many of them put the cancel-work-related code into *_close as we must close all open file handle before remove a driver. So I think you'are right. I'll try to add the code to ravb_close. Best regards, Zheng
Yunsheng Lin <linyunsheng@huawei.com> 于2023年3月13日周一 09:15写道: > > On 2023/3/12 2:06, Zheng Wang wrote: > > In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > > If timeout occurs, it will start the work. And if we call > > ravb_remove without finishing the work, there may be a > > use-after-free bug on ndev. > > > > Fix it by finishing the job before cleanup in ravb_remove. > > > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > > --- > > v3: > > - fix typo in commit message > > v2: > > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > > add an empty line to make code clear suggested by Sergey Shtylyov > > --- > > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > > index 0f54849a3823..eb63ea788e19 100644 > > --- a/drivers/net/ethernet/renesas/ravb_main.c > > +++ b/drivers/net/ethernet/renesas/ravb_main.c > > @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > > struct ravb_private *priv = netdev_priv(ndev); > > const struct ravb_hw_info *info = priv->info; > > > > + netif_carrier_off(ndev); > > + netif_tx_disable(ndev); > > + cancel_work_sync(&priv->work); > > LGTM. > Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com> > > As noted by Sergey, ravb_remove() and ravb_close() may > share the same handling, but may require some refactoring > in order to do that. So for a fix, it seems the easiest > way to just add the handling here. Dear Yunsheng, I think Sergey is right for I've seen other drivers' same handling logic. Do you think we should try to move the cancel-work-related code from ravb_remove to ravb_close funtion? Appreciate for your precise advice. Best regards, Zheng > > > + > > /* Stop PTP Clock driver */ > > if (info->ccc_gac) > > ravb_ptp_stop(ndev); > >
Yunsheng Lin <linyunsheng@huawei.com> 于2023年3月13日周一 11:32写道: > > On 2023/3/13 11:02, Zheng Hacker wrote: > > Yunsheng Lin <linyunsheng@huawei.com> 于2023年3月13日周一 09:15写道: > >> > >> On 2023/3/12 2:06, Zheng Wang wrote: > >>> In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > >>> If timeout occurs, it will start the work. And if we call > >>> ravb_remove without finishing the work, there may be a > >>> use-after-free bug on ndev. > >>> > >>> Fix it by finishing the job before cleanup in ravb_remove. > >>> > >>> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > >>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > >>> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > >>> --- > >>> v3: > >>> - fix typo in commit message > >>> v2: > >>> - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > >>> add an empty line to make code clear suggested by Sergey Shtylyov > >>> --- > >>> drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > >>> 1 file changed, 4 insertions(+) > >>> > >>> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > >>> index 0f54849a3823..eb63ea788e19 100644 > >>> --- a/drivers/net/ethernet/renesas/ravb_main.c > >>> +++ b/drivers/net/ethernet/renesas/ravb_main.c > >>> @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > >>> struct ravb_private *priv = netdev_priv(ndev); > >>> const struct ravb_hw_info *info = priv->info; > >>> > >>> + netif_carrier_off(ndev); > >>> + netif_tx_disable(ndev); > >>> + cancel_work_sync(&priv->work); > >> > >> LGTM. > >> Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com> > >> > >> As noted by Sergey, ravb_remove() and ravb_close() may > >> share the same handling, but may require some refactoring > >> in order to do that. So for a fix, it seems the easiest > >> way to just add the handling here. > > > > Dear Yunsheng, > > > > I think Sergey is right for I've seen other drivers' same handling > > logic. Do you think we should try to move the cancel-work-related code > > from ravb_remove to ravb_close funtion? > > Appreciate for your precise advice. > > As Sergey question "can ravb_remove() be called without ravb_close() > having been called on the bound devices?" > If I understand it correctly, I think ravb_remove() can be called > without ravb_close() having been called on the bound devices. I am > happy to be corrected if I am wrong. > Hi Yunsheng, I'm still not sure. I'll look at code more carefully and see if there is more proof about it. And as I'm not familiar with the related code, let's see how Sergey thnks. > Yes, you can call *_close() directly in *_remove(), but that may > require some refactoring and a lot of testing. > > Also, if you found the bug through some static analysis, it may > be better to make it clear in the commit log and share some info > about the static analysis, which I suppose it is a tool? Yes, I'll append this msg to commit msg later. > > > >> > >>> + > >>> /* Stop PTP Clock driver */ > >>> if (info->ccc_gac) > >>> ravb_ptp_stop(ndev); > >>> > > . > > Best regards, Zheng
On Sun, 12 Mar 2023 02:06:30 +0800 Zheng Wang wrote:
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
You must CC all people involved in a commit if you put it as Fixes.
Are you using the get_maintainer.pl script?
How do you call in exactly?
Jakub Kicinski <kuba@kernel.org> 于2023年3月14日周二 06:39写道: > > On Sun, 12 Mar 2023 02:06:30 +0800 Zheng Wang wrote: > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > > You must CC all people involved in a commit if you put it as Fixes. Hi Jakub, Get it. > Are you using the get_maintainer.pl script? > How do you call in exactly? Yes, I used this script to find developers involved but It seems that I unintentionally forgot to CC some people. I apologize for my offense for everyone exclued in the list. Thanks, Zheng
On Sun, 12 Mar 2023, Zheng Wang wrote: > In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > If timeout occurs, it will start the work. And if we call > ravb_remove without finishing the work, there may be a > use-after-free bug on ndev. > > Fix it by finishing the job before cleanup in ravb_remove. > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > --- > v3: > - fix typo in commit message > v2: > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > add an empty line to make code clear suggested by Sergey Shtylyov > --- > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > 1 file changed, 4 insertions(+) Was a follow-up to this ever sent?
On Sun, 12 Mar 2023, Zheng Wang wrote: > In ravb_probe, priv->work was bound with ravb_tx_timeout_work. > If timeout occurs, it will start the work. And if we call > ravb_remove without finishing the work, there may be a > use-after-free bug on ndev. > > Fix it by finishing the job before cleanup in ravb_remove. > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > --- > v3: > - fix typo in commit message > v2: > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > add an empty line to make code clear suggested by Sergey Shtylyov > --- > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > 1 file changed, 4 insertions(+) For better or worse, it looks like this issue was assigned a CVE. Are we expecting v4 or was it resolved in another way? > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > index 0f54849a3823..eb63ea788e19 100644 > --- a/drivers/net/ethernet/renesas/ravb_main.c > +++ b/drivers/net/ethernet/renesas/ravb_main.c > @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > struct ravb_private *priv = netdev_priv(ndev); > const struct ravb_hw_info *info = priv->info; > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + cancel_work_sync(&priv->work); > + > /* Stop PTP Clock driver */ > if (info->ccc_gac) > ravb_ptp_stop(ndev); > -- > 2.25.1 >
On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote:
> For better or worse, it looks like this issue was assigned a CVE.
Ugh, what a joke.
Sergey, could you take a look at fixing this properly?
On 7/10/23 7:15 PM, Jakub Kicinski wrote: [...] >> For better or worse, it looks like this issue was assigned a CVE. > > Ugh, what a joke. > > Sergey, could you take a look at fixing this properly? OK, started looking at it again... I have no h/w anymore but I'm hoping to find a tester on #renesas-soc... MBR, Sergey
On Mon, 10 Jul 2023, Jakub Kicinski wrote: > On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > For better or worse, it looks like this issue was assigned a CVE. > > Ugh, what a joke. I think that's putting it politely. :)
Sorry for my late reply. I'll see what I can do later. Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > > On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > > For better or worse, it looks like this issue was assigned a CVE. > > > > Ugh, what a joke. > > I think that's putting it politely. :) > > -- > Lee Jones [李琼斯]
On 7/15/23 7:07 PM, Zheng Hacker wrote: > Sorry for my late reply. I'll see what I can do later. That's good to hear! Because I'm now only able to look at it during weekends... > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: >> >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: >> >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: >>>> For better or worse, it looks like this issue was assigned a CVE. >>> >>> Ugh, what a joke. >> >> I think that's putting it politely. :) >> >> -- >> Lee Jones [李琼斯] MBR, Sergey
Hello, This bug is found by static analysis. I'm sorry that my friends apply for a CVE number before we really fix it. We made a list about the bugs we have submitted and wouldn't disclose them before the fix. But we had a inconsistent situation last month. And we applied it by mistake foe we thought we had fixed it. And so sorry about my late reply, I'll see the patch right now. Best regards, Zheng Wang Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > Sorry for my late reply. I'll see what I can do later. > > That's good to hear! > Because I'm now only able to look at it during weekends... > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > >> > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > >> > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > >>>> For better or worse, it looks like this issue was assigned a CVE. > >>> > >>> Ugh, what a joke. > >> > >> I think that's putting it politely. :) > >> > >> -- > >> Lee Jones [李琼斯] > > MBR, Sergey
Hello, After reviewing the code, I think it's better to put the code in ravb_remove. For the ravb_remove is bound with the device and ravb_close is bound with the file. We may not call ravb_close if there's no file opened. Thanks, Zheng Zheng Hacker <hackerzheng666@gmail.com> 于2023年7月16日周日 10:11写道: > > Hello, > > This bug is found by static analysis. I'm sorry that my friends apply > for a CVE number before we really fix it. We made a list about the > bugs we have submitted and wouldn't disclose them before the fix. But > we had a inconsistent situation last month. And we applied it by > mistake foe we thought we had fixed it. And so sorry about my late > reply, I'll see the patch right now. > > Best regards, > Zheng Wang > > Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > > > Sorry for my late reply. I'll see what I can do later. > > > > That's good to hear! > > Because I'm now only able to look at it during weekends... > > > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > >> > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > >> > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > >>>> For better or worse, it looks like this issue was assigned a CVE. > > >>> > > >>> Ugh, what a joke. > > >> > > >> I think that's putting it politely. :) > > >> > > >> -- > > >> Lee Jones [李琼斯] > > > > MBR, Sergey
On Sun, 16 Jul 2023, Zheng Hacker wrote: > Zheng Hacker <hackerzheng666@gmail.com> 于2023年7月16日周日 10:11写道: > > > > Hello, > > > > This bug is found by static analysis. I'm sorry that my friends apply > > for a CVE number before we really fix it. We made a list about the > > bugs we have submitted and wouldn't disclose them before the fix. But > > we had a inconsistent situation last month. And we applied it by > > mistake foe we thought we had fixed it. And so sorry about my late > > reply, I'll see the patch right now. > > > > Best regards, > > Zheng Wang > > > > Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > > > > > Sorry for my late reply. I'll see what I can do later. > > > > > > That's good to hear! > > > Because I'm now only able to look at it during weekends... > > > > > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > > >> > > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > > >> > > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > > >>>> For better or worse, it looks like this issue was assigned a CVE. > > > >>> > > > >>> Ugh, what a joke. > > > >> > > > >> I think that's putting it politely. :) > > After reviewing the code, I think it's better to put the code in > ravb_remove. For the ravb_remove is bound with the device and > ravb_close is bound with the file. We may not call ravb_close if > there's no file opened. When you do submit this, would you be kind enough to Cc me please?
Lee Jones <lee@kernel.org> 于2023年7月17日周一 21:04写道: > > On Sun, 16 Jul 2023, Zheng Hacker wrote: > > Zheng Hacker <hackerzheng666@gmail.com> 于2023年7月16日周日 10:11写道: > > > > > > Hello, > > > > > > This bug is found by static analysis. I'm sorry that my friends apply > > > for a CVE number before we really fix it. We made a list about the > > > bugs we have submitted and wouldn't disclose them before the fix. But > > > we had a inconsistent situation last month. And we applied it by > > > mistake foe we thought we had fixed it. And so sorry about my late > > > reply, I'll see the patch right now. > > > > > > Best regards, > > > Zheng Wang > > > > > > Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > > > > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > > > > > > > Sorry for my late reply. I'll see what I can do later. > > > > > > > > That's good to hear! > > > > Because I'm now only able to look at it during weekends... > > > > > > > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > > > >> > > > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > > > >> > > > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > > > >>>> For better or worse, it looks like this issue was assigned a CVE. > > > > >>> > > > > >>> Ugh, what a joke. > > > > >> > > > > >> I think that's putting it politely. :) > > > > After reviewing the code, I think it's better to put the code in > > ravb_remove. For the ravb_remove is bound with the device and > > ravb_close is bound with the file. We may not call ravb_close if > > there's no file opened. > > When you do submit this, would you be kind enough to Cc me please? > Oh sorry for my rudeness. I use reply to all in gmail and it didn't add new people from conversation. MBR, Zheng > -- > Lee Jones [李琼斯]
Hello! On 3/13/23 6:32 AM, Yunsheng Lin wrote: [...] >>> On 2023/3/12 2:06, Zheng Wang wrote: >>>> In ravb_probe, priv->work was bound with ravb_tx_timeout_work. >>>> If timeout occurs, it will start the work. And if we call >>>> ravb_remove without finishing the work, there may be a >>>> use-after-free bug on ndev. >>>> >>>> Fix it by finishing the job before cleanup in ravb_remove. >>>> >>>> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") >>>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com> >>>> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> >>>> --- >>>> v3: >>>> - fix typo in commit message >>>> v2: >>>> - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, >>>> add an empty line to make code clear suggested by Sergey Shtylyov >>>> --- >>>> drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c >>>> index 0f54849a3823..eb63ea788e19 100644 >>>> --- a/drivers/net/ethernet/renesas/ravb_main.c >>>> +++ b/drivers/net/ethernet/renesas/ravb_main.c >>>> @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) >>>> struct ravb_private *priv = netdev_priv(ndev); >>>> const struct ravb_hw_info *info = priv->info; >>>> >>>> + netif_carrier_off(ndev); >>>> + netif_tx_disable(ndev); >>>> + cancel_work_sync(&priv->work); >>> >>> LGTM. >>> Reviewed-by: Yunsheng Lin <linyunsheng@huawei.com> >>> >>> As noted by Sergey, ravb_remove() and ravb_close() may >>> share the same handling, but may require some refactoring >>> in order to do that. So for a fix, it seems the easiest >>> way to just add the handling here. >> >> Dear Yunsheng, >> >> I think Sergey is right for I've seen other drivers' same handling >> logic. Do you think we should try to move the cancel-work-related code >> from ravb_remove to ravb_close funtion? >> Appreciate for your precise advice. > > As Sergey question "can ravb_remove() be called without ravb_close() > having been called on the bound devices?" > If I understand it correctly, I think ravb_remove() can be called > without ravb_close() having been called on the bound devices. I am > happy to be corrected if I am wrong. Yes, correct. It's ravb_remove() that calls unregister_netdev() which results in calling ravb_close() on the opened devices... > Yes, you can call *_close() directly in *_remove(), but that may > require some refactoring and a lot of testing. No need to do that I think, as it's called anyways... > Also, if you found the bug through some static analysis, it may > be better to make it clear in the commit log and share some info > about the static analysis, which I suppose it is a tool? Agreed. :-) >> Best regards, >> Zheng MBR, Sergey
On Mon, 17 Jul 2023, Lee Jones wrote: > On Sun, 16 Jul 2023, Zheng Hacker wrote: > > Zheng Hacker <hackerzheng666@gmail.com> 于2023年7月16日周日 10:11写道: > > > > > > Hello, > > > > > > This bug is found by static analysis. I'm sorry that my friends apply > > > for a CVE number before we really fix it. We made a list about the > > > bugs we have submitted and wouldn't disclose them before the fix. But > > > we had a inconsistent situation last month. And we applied it by > > > mistake foe we thought we had fixed it. And so sorry about my late > > > reply, I'll see the patch right now. > > > > > > Best regards, > > > Zheng Wang > > > > > > Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > > > > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > > > > > > > Sorry for my late reply. I'll see what I can do later. > > > > > > > > That's good to hear! > > > > Because I'm now only able to look at it during weekends... > > > > > > > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > > > >> > > > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > > > >> > > > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > > > >>>> For better or worse, it looks like this issue was assigned a CVE. > > > > >>> > > > > >>> Ugh, what a joke. > > > > >> > > > > >> I think that's putting it politely. :) > > > > After reviewing the code, I think it's better to put the code in > > ravb_remove. For the ravb_remove is bound with the device and > > ravb_close is bound with the file. We may not call ravb_close if > > there's no file opened. > > When you do submit this, would you be kind enough to Cc me please? Could I trouble you for an update on this please? Have you submitted v4 yet?
Lee Jones <lee@kernel.org> 于2023年7月24日周一 17:21写道: > > On Mon, 17 Jul 2023, Lee Jones wrote: > > > On Sun, 16 Jul 2023, Zheng Hacker wrote: > > > Zheng Hacker <hackerzheng666@gmail.com> 于2023年7月16日周日 10:11写道: > > > > > > > > Hello, > > > > > > > > This bug is found by static analysis. I'm sorry that my friends apply > > > > for a CVE number before we really fix it. We made a list about the > > > > bugs we have submitted and wouldn't disclose them before the fix. But > > > > we had a inconsistent situation last month. And we applied it by > > > > mistake foe we thought we had fixed it. And so sorry about my late > > > > reply, I'll see the patch right now. > > > > > > > > Best regards, > > > > Zheng Wang > > > > > > > > Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年7月16日周日 04:48写道: > > > > > > > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote: > > > > > > > > > > > Sorry for my late reply. I'll see what I can do later. > > > > > > > > > > That's good to hear! > > > > > Because I'm now only able to look at it during weekends... > > > > > > > > > > > Lee Jones <lee@kernel.org> 于2023年7月12日周三 19:56写道: > > > > > >> > > > > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote: > > > > > >> > > > > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote: > > > > > >>>> For better or worse, it looks like this issue was assigned a CVE. > > > > > >>> > > > > > >>> Ugh, what a joke. > > > > > >> > > > > > >> I think that's putting it politely. :) > > > > > > After reviewing the code, I think it's better to put the code in > > > ravb_remove. For the ravb_remove is bound with the device and > > > ravb_close is bound with the file. We may not call ravb_close if > > > there's no file opened. > > > > When you do submit this, would you be kind enough to Cc me please? > > Could I trouble you for an update on this please? > > Have you submitted v4 yet? Sorry, will do right now. Best regards, Zheng > > -- > Lee Jones [李琼斯]
diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index 0f54849a3823..eb63ea788e19 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) struct ravb_private *priv = netdev_priv(ndev); const struct ravb_hw_info *info = priv->info; + netif_carrier_off(ndev); + netif_tx_disable(ndev); + cancel_work_sync(&priv->work); + /* Stop PTP Clock driver */ if (info->ccc_gac) ravb_ptp_stop(ndev);