From patchwork Fri Mar 10 10:57:34 2023
X-Patchwork-Submitter: Zheng Wang
X-Patchwork-Id: 67360
From: Zheng Wang
To: timur@kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com, Zheng Wang
Subject: [PATCH net] net: qcom/emac: Fix use after free bug in emac_remove due to race condition
Date: Fri, 10 Mar 2023 18:57:34 +0800
Message-Id: <20230310105734.1574078-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

In emac_probe, &adpt->work_thread is bound with emac_work_thread.
Then it will be started by timeout handler emac_tx_timeout or
an IRQ handler emac_isr.

If we remove the driver which will call emac_remove
to make cleanup, there may be an unfinished work.
The possible sequence is as follows:

Fix it by finishing the work before cleanup in the emac_remove
and disable timeout response.

CPU0                  CPU1

                    |emac_work_thread
emac_remove         |
free_netdev         |
kfree(netdev);      |
                    |emac_reinit_locked
                    |emac_mac_down
                    |//use netdev

Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
Signed-off-by: Zheng Wang --- drivers/net/ethernet/qualcomm/emac/emac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c index 3115b2c12898..ddc328f7b96a 100644 --- a/drivers/net/ethernet/qualcomm/emac/emac.c +++ b/drivers/net/ethernet/qualcomm/emac/emac.c @@ -724,6 +724,9 @@ static int emac_remove(struct platform_device *pdev) struct net_device *netdev = dev_get_drvdata(&pdev->dev); struct emac_adapter *adpt = netdev_priv(netdev); + netif_carrier_off(netdev); + netif_tx_disable(netdev); + cancel_work_sync(&adpt->work_thread); unregister_netdev(netdev); netif_napi_del(&adpt->rx_q.napi);
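
Review bot: cancel_work_sync(&adpt->work_thread) is placed before unregister_netdev(netdev) in emac_remove, so the work can be queued again after the cancel has returned and the use-after-free window stays open. The commit message names two sources for the work, emac_tx_timeout and emac_isr; netif_carrier_off() and netif_tx_disable() only address the timeout path, and nothing in the added lines stops the interrupt handler from scheduling work_thread once more. Consider moving the cancel to after unregister_netdev(), at a point where the IRQ can no longer fire, and still ahead of the free_netdev() shown in the race diagram. If the two netif_* calls are kept, a short comment stating that they exist to stop emac_tx_timeout from rescheduling the work would help, since unregister_netdev() follows immediately and their purpose is not obvious from the code alone.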