Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp35257320rwd;
        Mon, 10 Jul 2023 05:05:46 -0700 (PDT)
X-Google-Smtp-Source: APBJJlEDo35VtmPieJbmTwBE1UkRcTJb0hCc5dSrIfju1s3hz1sLedItgaGNeBE9tQ6g8iWZ+ACz
X-Received: by 2002:a05:6512:2033:b0:4f8:58f4:b96e with SMTP id s19-20020a056512203300b004f858f4b96emr8639066lfs.37.1688990745498;
        Mon, 10 Jul 2023 05:05:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688990745; cv=none;
        d=google.com; s=arc-20160816;
        b=v3vfYqmlNtA3r8LftyBZR083Qh6fn9PBhLkwf+Xy3F1fbfa2aoC3ig8/7JTfLfngcu
         1lKAmq50fgNKfPnlftDGpsFbdfOy4wbnBqkDalkHkpOYXwZsXsZV2GHmoZRUmlXGyg71
         +UY4wKklfkxS8w6XVS0ihgKP2/TONM9QTMihDHN9dRpe1qrF6ncQMspoBkzL8zsCd4yB
         qe6QyANwDw06aCUPzMo1YSVGYyZNQSV5oMQMHJKEEguSM4lDCfBf8sgskY+XYZ5auztQ
         s2qpjpRmi5fSWYbNhZrQtIO/rbzFPfsc6sKrkWlKzJ+w9P1ny/J3+5giZ0a86DjX/z1B
         Z79g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=RdR55mrT81jrBr7vLf907w9LJVYiygXfYqfJoinyURQ=;
        fh=V3A9iKJE3UjWV3TawfjWCypJ4IYF+qfnHj0MKSEg14c=;
        b=OUSLoakejVUg22gVh/NRnlZ7Il/lO81bTeMCYmq7kmPoZOmnLOcZQG13I+Ga5I8iqO
         Nf+lix4LOqoxGjVe64k6a24d17WEdudo/odSgCaA2vEy7YRjOc19aTtOISA52GyyAJ8S
         mT4vyn/XJYutApPjFZGn98BT6HdqLxIgDbPEUzeis09fdbZ50/11MZ/VIez3oOE+MmWc
         PTQmVwaXcvA5pxM5qjkxVOZFuGhJNlLxQJVBJQmTAd51zCi20FcThqoyd8AdpdRQG0I3
         WxQixzrpS/3vBflflglBgEMxENmXa+Pd7Q5Hx326gkfLTlOPftR20+bhFXuJ2FLoSWc2
         0NOA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UTHDRXWq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c17-20020a056402121100b0050dfd8e2a70si9580140edw.78.2023.07.10.05.05.20;
        Mon, 10 Jul 2023 05:05:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UTHDRXWq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230464AbjGJLnC (ORCPT <rfc822;alex.slater.dev@gmail.com>
        + 99 others); Mon, 10 Jul 2023 07:43:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45328 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229493AbjGJLnB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Jul 2023 07:43:01 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7ED9EAD
        for <linux-kernel@vger.kernel.org>; Mon, 10 Jul 2023 04:43:00 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 1D30260FC0
        for <linux-kernel@vger.kernel.org>; Mon, 10 Jul 2023 11:43:00 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0D87BC433C7;
        Mon, 10 Jul 2023 11:42:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1688989379;
        bh=hUf6J5WnjG0KbBU8bMn67a55iQIfrDSdaQj01gr/rbI=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=UTHDRXWqoGzeYmc28eSsX0eiH9NHeWLcA49Zf4XreaB3K8Fh49uO77hPdUv0BaZ/w
         7oeFwp6RwUm/bEQ2bDEiDiLCyC/2VRGRnEOgaMZHuJhkpx+9cldu9vkW/irKQYC/f+
         EzdvP2KEzuKQh7sxZqfEMn+Ml845gKZ2j6r+i5rPZ9ikWUztCdJaDs6PLKRsBaBSqx
         skgLayoeSnyfjDjMT13mbFhHDXz447Rwyuu/hbia1z14i5a/6RH61+MN6hFudFh4/4
         zolz1wWnKT1EevQJq0wVCfmbkl/3L8caz0SShW/r78W+SqBWjLX+bCc1HVEOgcgu4K
         zBYlSOpDnKUmg==
Date:   Mon, 10 Jul 2023 12:42:53 +0100
From:   Lee Jones <lee@kernel.org>
To:     Zheng Wang <zyytlz.wz@163.com>
Cc:     s.shtylyov@omp.ru, davem@davemloft.net, linyunsheng@huawei.com,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        hackerzheng666@gmail.com, 1395428693sheep@gmail.com,
        alex000young@gmail.com
Subject: Re: [PATCH net v3] net: ravb: Fix possible UAF bug in ravb_remove
Message-ID: <20230710114253.GA132195@google.com>
References: <20230311180630.4011201-1-zyytlz.wz@163.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230311180630.4011201-1-zyytlz.wz@163.com>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 12 Mar 2023, Zheng Wang wrote:

> In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> If timeout occurs, it will start the work. And if we call
> ravb_remove without finishing the work, there may be a
> use-after-free bug on ndev.
> 
> Fix it by finishing the job before cleanup in ravb_remove.
> 
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> ---
> v3:
> - fix typo in commit message
> v2:
> - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin,
> add an empty line to make code clear suggested by Sergey Shtylyov
> ---
>  drivers/net/ethernet/renesas/ravb_main.c | 4 ++++
>  1 file changed, 4 insertions(+)

For better or worse, it looks like this issue was assigned a CVE.

Are we expecting v4 or was it resolved in another way?

> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> index 0f54849a3823..eb63ea788e19 100644
> --- a/drivers/net/ethernet/renesas/ravb_main.c
> +++ b/drivers/net/ethernet/renesas/ravb_main.c
> @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev)
>  	struct ravb_private *priv = netdev_priv(ndev);
>  	const struct ravb_hw_info *info = priv->info;
>  
> +	netif_carrier_off(ndev);
> +	netif_tx_disable(ndev);
> +	cancel_work_sync(&priv->work);
> +	
>  	/* Stop PTP Clock driver */
>  	if (info->ccc_gac)
>  		ravb_ptp_stop(ndev);
> -- 
> 2.25.1
> 

-- 
Lee Jones [李琼斯]