Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00DC0C64EC4 for ; Thu, 9 Mar 2023 09:43:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231341AbjCIJnb (ORCPT ); Thu, 9 Mar 2023 04:43:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60934 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231324AbjCIJnV (ORCPT ); Thu, 9 Mar 2023 04:43:21 -0500 Received: from m12.mail.163.com (m12.mail.163.com [123.126.96.233]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 29D4C5552C; Thu, 9 Mar 2023 01:43:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=1LAKM 8ujTmsjgTGR7X/vNMNjwpQJAdiC96EghkHvIIM=; b=V3tmhaUxN5E19Lu4oMuCu C8F3LLtelKjSMeOzC9QAfey0k6++9pZ28Tki2rspG4oPrln+sox+M164Swk6qVWm T8YOgTRzWTID8iPrq4QDQJJGbi33J6hlJUJT8HLI0Ahs3WMRneYY1gnEgVjIRKZX tpsx4OLwTsIjieqPqbjLD0= Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21]) by smtp19 (Coremail) with SMTP id R9xpCgAnKa0IqglkPaTXGw--.56707S2; Thu, 09 Mar 2023 17:42:33 +0800 (CST) From: Zheng Wang To: davem@davemloft.net Cc: edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com, Zheng Wang Subject: [PATCH net] net: ethernet: fix use after free bug in ns83820_remove_one due to race condition Date: Thu, 9 Mar 2023 17:42:31 +0800 Message-Id: <20230309094231.3808770-1-zyytlz.wz@163.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID: R9xpCgAnKa0IqglkPaTXGw--.56707S2 X-Coremail-Antispam: 1Uf129KBjvdXoWrtw45WryrZFyDWFy3KFWDCFg_yoWkXrcEg3 srZF4Skw4UKr1rtw4UGrsxX34jkr9Y9r9Y9rWDta9Iv343Kws5Cw1kur1fJr48uwnxJFW2 kry7KFyfA343AjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUvcSsGvfC2KfnxnUUI43ZEXa7xRKBT5JUUUUU== X-Originating-IP: [111.206.145.21] X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiQgktU1aEEmftKQAAsW Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In ns83820_init_one, dev->tq_refill was bound with queue_refill. If irq happens, it will call ns83820_irq->ns83820_do_isr. Then it invokes tasklet_schedule(&dev->rx_tasklet) to start rx_action function. And rx_action will call ns83820_rx_kick and finally start queue_refill function. If we remove the driver without finishing the work, there may be a race condition between ndev, which may cause UAF bug. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Zheng Wang --- drivers/net/ethernet/natsemi/ns83820.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c index 998586872599..285fe0fa33eb 100644 --- a/drivers/net/ethernet/natsemi/ns83820.c +++ b/drivers/net/ethernet/natsemi/ns83820.c @@ -2206,6 +2206,7 @@ static void ns83820_remove_one(struct pci_dev *pci_dev) if (!ndev) /* paranoia */ return; + cancel_work_sync(&dev->tq_refill); ns83820_disable_interrupts(dev); /* paranoia */ unregister_netdev(ndev); -- 2.25.1