Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2201542rwl; Thu, 13 Apr 2023 03:10:29 -0700 (PDT) X-Google-Smtp-Source: AKy350Z6TmCj4k7yAqCBEeqo5VaAObvGxc9raUwkxvHYvVu9SViGyM+kSdXpjgw8zsol+Eedtgsx X-Received: by 2002:aa7:d797:0:b0:4f9:f07d:a978 with SMTP id s23-20020aa7d797000000b004f9f07da978mr2322956edq.5.1681380629113; Thu, 13 Apr 2023 03:10:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681380629; cv=none; d=google.com; s=arc-20160816; b=D1zYGcnq9ClGdyTY+EhWsL6i14Ik0fhuLM0QgZTWQgKXDASQ07Hc5weUzr2j54LO+c z1y21IA9bTA7+ZSwr2892LY/VjHQoyMdiUAz4/NuyWybruGAjkCFNuo4oELZKPqE1xfw vwt9hCR28QrIX+Tvu7EyuPjVXvE7c5V0OdE7Z2gFRU263iTLjW9YOH7OxvZv3NAioS5S vBCPlrI5Rw6egwpDuamiuxbF7d5s5bIJHywh3kV3ujXugzzP7fOxNeg30GI/nyvKLiTE Y9WXUCXkfCXxXyACR4/ilQEBYI8hRUPqs0bcZGB54/l/myW1ttI5Donu2gCqV2nX3vNH LzyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=AtCIsfTRx5vMxyPtmaTWTG+zpVPxWAqQS1FLGbmYEhE=; b=mrsIxMD2hQmaqD4i1x8a6gXGj2eZQ8QPc6Or8/olJ7SDD/inAVKq/UtINB1dkD1tUN qJeOadJwLgbsbwTZnwyydE9m4cN8ROF/uY9hYz5BB0aZaylJcBPjqB+C7pnI3RfCk/DB Fv+dvaxem40c6DzNYlnV2kwaqq0H0foliqBH7vy2iMafxr+IiogvFcfx7voRTG00cm+g lk2qaxUqubM2xMvhhUxerJC7dcA6iPOcwuIVRwEx4IAjFmykm/Sa8NwncNhh24kx2iks U8AIzVyF6OsUdjsKRtnp2v4XB0eAx5S/ueWyi1Lv0vHPtiP1/3tyO7Wcf1fuTQjtv6r+ pHpg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@microchip.com header.s=mchp header.b=IMljj3sR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=microchip.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b7-20020a05640202c700b004c461474e86si1487866edx.152.2023.04.13.03.10.04; Thu, 13 Apr 2023 03:10:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@microchip.com header.s=mchp header.b=IMljj3sR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=microchip.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230187AbjDMKBl (ORCPT + 99 others); Thu, 13 Apr 2023 06:01:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51498 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229746AbjDMKBh (ORCPT ); Thu, 13 Apr 2023 06:01:37 -0400 Received: from esa.microchip.iphmx.com (esa.microchip.iphmx.com [68.232.153.233]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF0B77AA0; Thu, 13 Apr 2023 03:01:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=microchip.com; i=@microchip.com; q=dns/txt; s=mchp; t=1681380090; x=1712916090; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=uz4KE9ShWEG/KYQWIZ19a/8EmBDeITrEkJ7Sdq+pOqk=; b=IMljj3sR7wX4LDmmL/l3FBFBCnZQjyAZ/vSWQlM7ef7GZpLWmRCm7tzb uoJYn8vgLHZE5fyngqILz7EHlx038MfZoOasokwxs0uq5y4BcwvyzBUL4 Tm3vjNQDoffStYfTxexwJfVGnfLXC8hTYpsxtSBgGcyi76j+BRnr5n/YV FAGi1WFPOym1yuXH3TLoge5OfLqH/Eerx5Oo+MBIhrqtWyZCahcCo9lHb E3SwEO1Wn+zZ0mRl9ZDaRlaE3/l7vbdGMgu4RlMI8VCp8FciHeZjSeiV/ HmoP4OI94uZwaFlXuqEhNWFGxklRnOV9fVFH0/79x4vQMfHiotJEdeRtg Q==; X-IronPort-AV: E=Sophos;i="5.98,341,1673938800"; d="scan'208";a="220707414" Received: from unknown (HELO email.microchip.com) ([170.129.1.10]) by esa1.microchip.iphmx.com with ESMTP/TLS/AES256-SHA256; 13 Apr 2023 03:01:29 -0700 Received: from chn-vm-ex02.mchp-main.com (10.10.85.144) by chn-vm-ex04.mchp-main.com (10.10.85.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Thu, 13 Apr 2023 03:01:29 -0700 Received: from localhost (10.10.115.15) by chn-vm-ex02.mchp-main.com (10.10.85.144) with Microsoft SMTP Server id 15.1.2507.21 via Frontend Transport; Thu, 13 Apr 2023 03:01:29 -0700 Date: Thu, 13 Apr 2023 12:01:28 +0200 From: Horatiu Vultur To: Zheng Wang CC: , , , , , , , <1395428693sheep@gmail.com>, Subject: Re: [PATCH net v2] net: ethernet: fix use after free bug in ns83820_remove_one due to race condition Message-ID: <20230413100128.bcnqvdpu6hgilws4@soft-dev3-1> References: <20230413071401.210599-1-zyytlz.wz@163.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Disposition: inline In-Reply-To: <20230413071401.210599-1-zyytlz.wz@163.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The 04/13/2023 15:14, Zheng Wang wrote: Hi Zheng, > > In ns83820_init_one, dev->tq_refill was bound with queue_refill. > > If irq happens, it will call ns83820_irq->ns83820_do_isr. > Then it invokes tasklet_schedule(&dev->rx_tasklet) to start > rx_action function. And rx_action will call ns83820_rx_kick > and finally start queue_refill function. > > If we remove the driver without finishing the work, there > may be a race condition between ndev, which may cause UAF > bug. > > CPU0 CPU1 > > |queue_refill > ns83820_remove_one | > free_netdev | > put_device | > free ndev | > |rx_refill > |//use ndev Will you not have the same issue if you remove the driver after you schedule rx_tasklet? Because rx_action will use also ndev. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Zheng Wang > --- > v2: > - cancel the work after unregister_netdev to make sure there > is no more request suggested by Jakub Kicinski > --- > drivers/net/ethernet/natsemi/ns83820.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c > index 998586872599..2e84b9fcd8e9 100644 > --- a/drivers/net/ethernet/natsemi/ns83820.c > +++ b/drivers/net/ethernet/natsemi/ns83820.c > @@ -2208,8 +2208,13 @@ static void ns83820_remove_one(struct pci_dev *pci_dev) > > ns83820_disable_interrupts(dev); /* paranoia */ > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + > unregister_netdev(ndev); > free_irq(dev->pci_dev->irq, ndev); > + cancel_work_sync(&dev->tq_refill); > + > iounmap(dev->base); > dma_free_coherent(&dev->pci_dev->dev, 4 * DESC_SIZE * NR_TX_DESC, > dev->tx_descs, dev->tx_phy_descs); > -- > 2.25.1 > -- /Horatiu