Date: Tue, 18 Apr 2023 13:44:32 +0200
From: Horatiu Vultur
To: Zheng Wang
CC: <1395428693sheep@gmail.com>
Subject: Re: [PATCH net v3] net: ethernet: fix use after free bug in ns83820_remove_one due to race condition
Message-ID: <20230418114432.4zd5vec4q7t4w7ll@soft-dev3-1>
In-Reply-To: <20230417013107.360888-1-zyytlz.wz@163.com>

The 04/17/2023 09:31, Zheng Wang wrote:
>
> In ns83820_init_one, dev->tq_refill was bound with queue_refill.
>
> If irq happens, it will call ns83820_irq->ns83820_do_isr.
> Then it invokes tasklet_schedule(&dev->rx_tasklet) to start
> rx_action function. And rx_action will call ns83820_rx_kick
> and finally start queue_refill function.
>
> If we remove the driver without finishing the work, there
> may be a race condition between ndev, which may cause UAF
> bug.
>
> CPU0                  CPU1
>
>                      |queue_refill
> ns83820_remove_one   |
> free_netdev          |
> put_device           |
> free ndev            |
>                      |rx_refill
>                      |//use ndev
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Zheng Wang

I think it looks OK:
Reviewed-by: Horatiu Vultur

> ---
> v3:
> - add tasklet_kill to stop more task scheduling suggested by
>   Horatiu Vultur
> v2:
> - cancel the work after unregister_netdev to make sure there
>   is no more request suggested by Jakub Kicinski
> ---
>  drivers/net/ethernet/natsemi/ns83820.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> > diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c > index 998586872599..af597719795d 100644 > --- a/drivers/net/ethernet/natsemi/ns83820.c > +++ b/drivers/net/ethernet/natsemi/ns83820.c > @@ -2208,8 +2208,14 @@ static void ns83820_remove_one(struct pci_dev *pci_dev) > > ns83820_disable_interrupts(dev); /* paranoia */ > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + > unregister_netdev(ndev); > free_irq(dev->pci_dev->irq, ndev); > + tasklet_kill(&dev->rx_tasklet); > + cancel_work_sync(&dev->tq_refill); > + > iounmap(dev->base); > dma_free_coherent(&dev->pci_dev->dev, 4 * DESC_SIZE * NR_TX_DESC, > dev->tx_descs, dev->tx_phy_descs); > -- > 2.25.1 > -- /Horatiu
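
Review bot: The two calls added ahead of unregister_netdev(ndev), namely netif_carrier_off(ndev) and netif_tx_disable(ndev), are not motivated anywhere in the commit message or in the v2/v3 changelog, which only explain tasklet_kill and cancel_work_sync; please state in the message what they protect against, or drop them if unregister_netdev(ndev) already covers it. The second added group is order-dependent: free_irq removes the interrupt that schedules rx_tasklet, tasklet_kill(&dev->rx_tasklet) then stops the tasklet that (per the message, via rx_action and ns83820_rx_kick) starts queue_refill, and only after that can cancel_work_sync(&dev->tq_refill) be final. A one-line comment above those two calls recording that order would keep a later cleanup from reshuffling them and reopening the use-after-free.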