[net,v2] net: qcom/emac: Fix use after free bug in emac_remove due to race condition
| Message ID | 20230318080526.785457-1-zyytlz.wz@163.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:604a:0:0:0:0:0 with SMTP id j10csp188447wrt;
Sat, 18 Mar 2023 01:30:02 -0700 (PDT)
X-Google-Smtp-Source:
AK7set+anJUkvqn4NVpDnFzJHVtc3l5FAMM3PJx+OJ9PhSEYLwsxgQzeMd70TiCe1Y2PkT3nl71g
X-Received: by 2002:a17:90b:4f45:b0:23a:f6e6:8ea5 with SMTP id
pj5-20020a17090b4f4500b0023af6e68ea5mr5211212pjb.24.1679128202101;
Sat, 18 Mar 2023 01:30:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679128202; cv=none;
d=google.com; s=arc-20160816;
b=ZeTm4jqRyrIUWmHU8IwG+ql+wQIDVJQ49g16BdZd68lgwdJCmjhK+VwICzPBLfa9DI
8vZ4BqioYqwKUwM3UMNP/Iiihmk56fSDA/O5xptuAA3SgoB18KJldCnHYeUw/g6Qao3c
722gGl/6Yj0mgTkRtvNFbcA9t0HU3bkVkepQf1Lu2cItE8KLFFvkjrnyR/23avFZS+cc
DAtia0PLA0xxzTiPg27TmDecNpIprt3gES5ZJrXndWwNX0Uu0j77x4bP2sRsD8npel0E
qNCHY0Iu5wtro4/qO+/JWfRSP9bwsF36kBTn685YvCETj0MxdH5nEqnXuyxt6X4F+Go+
ZUJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=NLgclpVGg+cj1T9ME4V3k2q3Xxe+gHdjdWnzy/lpn/8=;
b=CelKGLg023vbRYjmP6ADRv7d7B7hKqnobE1fi9xBtuHzvJbdLaRI81KOS7JeOD2pk2
Rq+o4bzE6yOVAmLdUqFpnJx8cEYV6GX7cxaf2zp7GFHPjT4Q8dgPyHCYBus7qBLcarR1
kbJjfGxF3THLLyajzlJ3oqStptUX+kWf6tP5n3rEPbNrb6zN70VGnGSM2ypBlzgMT+9t
8w3AJOvefWp1X5m7qXThi2oX1q1AN4jkrYHl2ZgMGrv+YHabhk2et82naFmhHcc4c5fX
ZIGyJSEYXgdf20QsLjL5Ky7P//9AHDi1Bsv7NfrtTk1/wpj43Es20wdZxtIuL5XFeTON
R8kg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=RkUQVr9E;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
u2-20020a170902e5c200b001a1bbc5bea5si393810plf.537.2023.03.18.01.29.46;
Sat, 18 Mar 2023 01:30:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@163.com header.s=s110527 header.b=RkUQVr9E;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229867AbjCRIHX (ORCPT <rfc822;pusanteemu@gmail.com> + 99 others);
Sat, 18 Mar 2023 04:07:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33760 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229516AbjCRIHW (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 18 Mar 2023 04:07:22 -0400
Received: from m12.mail.163.com (m12.mail.163.com [220.181.12.216])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id B244817CEC;
Sat, 18 Mar 2023 01:07:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=NLgcl
pVGg+cj1T9ME4V3k2q3Xxe+gHdjdWnzy/lpn/8=; b=RkUQVr9EoeST5XJK0HoEL
25x2KFnRDyRV4gc87XIFyD3t7ntfFZ40mcm9nmKYfgRxdPC7DMKFxU8tktEOLuOY
eb6yMmURljEWspXllwyn43I0BiIcgUaJUQn/gh+Gcbu2jSWk2+6HeAAISZLzNqu9
o/YvN2j+a6DhO82uBa2Ra8=
Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21])
by zwqz-smtp-mta-g1-3 (Coremail) with SMTP id
_____wBn1unHcBVkXCVqAQ--.22021S2;
Sat, 18 Mar 2023 16:05:27 +0800 (CST)
From: Zheng Wang <zyytlz.wz@163.com>
To: timur@kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, hackerzheng666@gmail.com,
1395428693sheep@gmail.com, alex000young@gmail.com,
Zheng Wang <zyytlz.wz@163.com>
Subject: [PATCH net v2] net: qcom/emac: Fix use after free bug in emac_remove
due to race condition
Date: Sat, 18 Mar 2023 16:05:26 +0800
Message-Id: <20230318080526.785457-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: _____wBn1unHcBVkXCVqAQ--.22021S2
X-Coremail-Antispam: 1Uf129KBjvJXoW7CF4DZrWrCr4ktFWkXr1rtFb_yoW8Wr4kpa
yDWa4xu34ktF17KF4kJr47tFyUGw4DK34ag3y3Cw4rZ3Z8Cry7KryrKFyrXryfZFZ8Ar4Y
qr18Z343Ca1kJ3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0ziaZXrUUUUU=
X-Originating-IP: [111.206.145.21]
X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiXAg2U1Xl5+MwYQAAsU
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760693533474562945?=
X-GMAIL-MSGID: =?utf-8?q?1760693533474562945?=
|
| Series |
[net,v2] net: qcom/emac: Fix use after free bug in emac_remove due to race condition
|
|
Commit Message
Zheng Wang
March 18, 2023, 8:05 a.m. UTC
In emac_probe, &adpt->work_thread is bound with
emac_work_thread. Then it will be started by timeout
handler emac_tx_timeout or a IRQ handler emac_isr.
If we remove the driver which will call emac_remove
to make cleanup, there may be a unfinished work.
The possible sequence is as follows:
Fix it by finishing the work before cleanup in the emac_remove
and disable timeout response.
CPU0 CPU1
|emac_work_thread
emac_remove |
free_netdev |
kfree(netdev); |
|emac_reinit_locked
|emac_mac_down
|//use netdev
Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- cancel the work after unregister_netdev suggested by Jakub
---
drivers/net/ethernet/qualcomm/emac/emac.c | 6 ++++++
1 file changed, 6 insertions(+)
Comments
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Sat, 18 Mar 2023 16:05:26 +0800 you wrote: > In emac_probe, &adpt->work_thread is bound with > emac_work_thread. Then it will be started by timeout > handler emac_tx_timeout or a IRQ handler emac_isr. > > If we remove the driver which will call emac_remove > to make cleanup, there may be a unfinished work. > > [...] Here is the summary with links: - [net,v2] net: qcom/emac: Fix use after free bug in emac_remove due to race condition https://git.kernel.org/netdev/net/c/6b6bc5b8bd2d You are awesome, thank you!
On Mon, 20 Mar 2023 09:20:17 +0000 patchwork-bot+netdevbpf@kernel.org wrote: > Here is the summary with links: > - [net,v2] net: qcom/emac: Fix use after free bug in emac_remove due to race condition > https://git.kernel.org/netdev/net/c/6b6bc5b8bd2d Don't think this is correct FWIW, randomly shutting things down without holding any locks and before unregister_netdev() is called has got to be racy. Oh, eh.
Jakub Kicinski <kuba@kernel.org> 于2023年3月21日周二 03:23写道: > > On Mon, 20 Mar 2023 09:20:17 +0000 patchwork-bot+netdevbpf@kernel.org > wrote: > > Here is the summary with links: > > - [net,v2] net: qcom/emac: Fix use after free bug in emac_remove due to race condition > > https://git.kernel.org/netdev/net/c/6b6bc5b8bd2d > > Don't think this is correct FWIW, randomly shutting things down without > holding any locks and before unregister_netdev() is called has got to > be racy. Oh, eh. Dear Jakubju, Sorry for my late reply. I had a busy week. I have taken a look at similar fixes implemented in other drivers, but I do think your advice is more precious for I'm not familiar with the driver. Based on your experience and expertise, what do you think would be the most effective solution to address the race condition issue that you have identified in the emac_remove function of the qcom/emac driver? I appreciate any insights or suggestions that you might have on this matter. Thank you for your time and help. Best regards, Zheng Wang
diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c index 3115b2c12898..eaa50050aa0b 100644 --- a/drivers/net/ethernet/qualcomm/emac/emac.c +++ b/drivers/net/ethernet/qualcomm/emac/emac.c @@ -724,9 +724,15 @@ static int emac_remove(struct platform_device *pdev) struct net_device *netdev = dev_get_drvdata(&pdev->dev); struct emac_adapter *adpt = netdev_priv(netdev); + netif_carrier_off(netdev); + netif_tx_disable(netdev); + unregister_netdev(netdev); netif_napi_del(&adpt->rx_q.napi); + free_irq(adpt->irq.irq, &adpt->irq); + cancel_work_sync(&adpt->work_thread); + emac_clks_teardown(adpt); put_device(&adpt->phydev->mdio.dev);