From patchwork Thu Apr 20 14:01:57 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Duoming Zhou <duoming@zju.edu.cn>
X-Patchwork-Id: 85923
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp370984vqo;
        Thu, 20 Apr 2023 07:17:20 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350aBRHR9UJIrcDf0tclZj3c8TdYlYh2BrsNBgyj8ClYzawsdqJ+qZKF3xRxqjW5xwLQ580kD
X-Received: by 2002:a05:6a20:9144:b0:f0:3c5e:b997 with SMTP id
 x4-20020a056a20914400b000f03c5eb997mr2651102pzc.58.1682000240116;
        Thu, 20 Apr 2023 07:17:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682000240; cv=none;
        d=google.com; s=arc-20160816;
        b=Ee1vBDfXZJQ0NHxpEsDsQb7xzWcmHwgiZGM1oNVkNRX5rwFP+Gm0QXrHKbJN+RmTy4
         YfKeu9jWOupv1NA6ZiXbPkBvTc1Yk370O/cO1wPDu1IxSD/h59ma5CdOonPszxBXbIL4
         Xf9AjwE5c+BMAPxYEIeThvP1uvBuf6mTrwuJcH0AFD5M2nj8SnC8+OjOpyqQ3/Ba+q3i
         pAQekoi9TuM3X+fG5rHc3N+I6SmWN0hkD3iZQGj1R1EdU4/YnHhDt33f+IJVy4opw2KV
         6ZqsKf+RhETYU2yZneG7xRF6KgqqaaDsg4t8C8qN/hpjpBxaiaLCEPSlqBJsU4Y5Udt/
         UUFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=NgbKo93rdr64tj0jUtJTX015/LtllVIcZwO6ltTpieE=;
        b=OqABKwNrlr+gGRX7ux5+bz5AZc5+oiEs6MKbBGASUkSxH1SaKNpS7u7oVRCDBm2DPu
         9O3GpAOdyYwRHX9aTw7N8P6rb6bWBeXzCoxApMDIFe4gxXHMZdQss8Zvte50f3osT3Ch
         W2zPxNUYcwzaCSkKEilrngG4NRCCYLYLHiZf9v63sWhLrStabrfHQ2P91Wh9DiqkuEPu
         y67MG4S8nQbTcZmMVbNECk8UkoVdf+LlorgZ4dsb+i2+S2mwHN8//z5sbbyf5etkyipP
         5BH3exu7KA78dMMsI7Vmo1BbdlJi4k4awP8BapmGGy0rftz1yKN9LConMoH6YyeXug7A
         vyAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 pf10-20020a17090b1d8a00b00247b56ce17asi4962793pjb.112.2023.04.20.07.17.02;
        Thu, 20 Apr 2023 07:17:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231809AbjDTOC7 (ORCPT <rfc822;cjcooper78@gmail.com> + 99 others);
        Thu, 20 Apr 2023 10:02:59 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60560 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230248AbjDTOC6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 20 Apr 2023 10:02:58 -0400
Received: from zg8tmtyylji0my4xnjqumte4.icoremail.net
 (zg8tmtyylji0my4xnjqumte4.icoremail.net [162.243.164.118])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 968521FEA
        for <linux-kernel@vger.kernel.org>;
 Thu, 20 Apr 2023 07:02:55 -0700 (PDT)
Received: from ubuntu.localdomain (unknown [218.12.18.95])
        by mail-app3 (Coremail) with SMTP id cC_KCgDn7w_XRUFkQSOLAA--.3844S2;
        Thu, 20 Apr 2023 22:02:12 +0800 (CST)
From: Duoming Zhou <duoming@zju.edu.cn>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, jesse.brandeburg@intel.com,
        anthony.l.nguyen@intel.com, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        intel-wired-lan@lists.osuosl.org, Duoming Zhou <duoming@zju.edu.cn>
Subject: [PATCH net] ethernet: ixgb: fix use after free bugs caused by
 circular dependency problem
Date: Thu, 20 Apr 2023 22:01:57 +0800
Message-Id: <20230420140157.22416-1-duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: cC_KCgDn7w_XRUFkQSOLAA--.3844S2
X-Coremail-Antispam: 1UD129KBjvJXoW7Ar17Xr4fWF48CF17Cw1rZwb_yoW8Ar13p3
        ySva4fJF10qr4YvFyxXr1kJFyrGas7ArWkKF1xCw4ru3Z7ArnYgr9Ykry0gFyrGFZ8ZF43
        AF1F93y5CwnxAwUanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
        9KBjDU0xBIdaVrnRJUUUkE14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
        rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
        1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U
        JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc
        CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
        2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
        W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2
        Y2ka0xkIwI1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4
        xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43
        MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I
        0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWU
        JVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r1j6r4UYxBIdaVFxhVjvjDU0xZFpf9x0JUdHU
        DUUUUU=
X-CM-SenderInfo: qssqjiasttq6lmxovvfxof0/1tbiAwMLAWRAA1s8WwAwsh
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1763705083414137954?=
X-GMAIL-MSGID: =?utf-8?q?1763705083414137954?=

The watchdog_timer can schedule tx_timeout_task and tx_timeout_task
can also arm watchdog_timer. The process is shown below:

----------- timer schedules work ------------
ixgb_watchdog() //timer handler
  schedule_work(&adapter->tx_timeout_task)

----------- work arms timer ------------
ixgb_tx_timeout_task() //workqueue callback function
  ixgb_up()
    mod_timer(&adapter->watchdog_timer,...)

When ixgb device is detaching, the timer and workqueue
could still be rearmed. The process is shown below:

  (cleanup routine)           |  (timer and workqueue routine)
ixgb_remove()                 |
                              | ixgb_tx_timeout_task() //workqueue
                              |   ixgb_up()
                              |     mod_timer()
  cancel_work_sync()          |
  free_netdev(netdev) //FREE  | ixgb_watchdog() //timer
                              |   netif_carrier_ok(netdev) //USE

This patch adds timer_shutdown_sync() in ixgb_remove(), which
could prevent rearming of the timer from the workqueue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 drivers/net/ethernet/intel/ixgb/ixgb_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/intel/ixgb/ixgb_main.c b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
index b4d47e7a76c..6ce3601904b 100644
--- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c
+++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
@@ -516,6 +516,7 @@ ixgb_remove(struct pci_dev *pdev)
 	struct net_device *netdev = pci_get_drvdata(pdev);
 	struct ixgb_adapter *adapter = netdev_priv(netdev);
 
+	timer_shutdown_sync(&adapter->watchdog_timer);
 	cancel_work_sync(&adapter->tx_timeout_task);
 
 	unregister_netdev(netdev);