Date: Mon, 10 Jul 2023 12:42:53 +0100
From: Lee Jones
To: Zheng Wang
Cc: s.shtylyov@omp.ru, davem@davemloft.net, linyunsheng@huawei.com, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com
Subject: Re: [PATCH net v3] net: ravb: Fix possible UAF bug in ravb_remove
Message-ID: <20230710114253.GA132195@google.com>
In-Reply-To: <20230311180630.4011201-1-zyytlz.wz@163.com>

On Sun, 12 Mar 2023, Zheng Wang wrote:

> In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> If timeout occurs, it will start the work. And if we call
> ravb_remove without finishing the work, there may be a
> use-after-free bug on ndev.
>
> Fix it by finishing the job before cleanup in ravb_remove.
>
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Signed-off-by: Zheng Wang > Reviewed-by: Sergey Shtylyov > --- > v3: > - fix typo in commit message > v2: > - stop dev_watchdog so that handle no more timeout work suggested by Yunsheng Lin, > add an empty line to make code clear suggested by Sergey Shtylyov > --- > drivers/net/ethernet/renesas/ravb_main.c | 4 ++++ > 1 file changed, 4 insertions(+) For better or worse, it looks like this issue was assigned a CVE. Are we expecting v4 or was it resolved in another way? > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c > index 0f54849a3823..eb63ea788e19 100644 > --- a/drivers/net/ethernet/renesas/ravb_main.c > +++ b/drivers/net/ethernet/renesas/ravb_main.c > @@ -2892,6 +2892,10 @@ static int ravb_remove(struct platform_device *pdev) > struct ravb_private *priv = netdev_priv(ndev); > const struct ravb_hw_info *info = priv->info; > > + netif_carrier_off(ndev); > + netif_tx_disable(ndev); > + cancel_work_sync(&priv->work); > + > /* Stop PTP Clock driver */ > if (info->ccc_gac) > ravb_ptp_stop(ndev); > -- > 2.25.1 > -- Lee Jones [李琼斯]
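
Review bot: cancel_work_sync(&priv->work) at the top of ravb_remove() only waits for work that is already queued, and the visible lines do not show that ndev has been closed or unregistered at that point, so a later TX timeout could queue priv->work again after the cancel returns. netif_carrier_off() and netif_tx_disable() narrow that window (the v2 changelog says they are there to stop dev_watchdog), but it is worth confirming that nothing can restart the queues or restore the carrier before ndev is freed, or moving the cancel to after the point where the device is closed or unregistered. A short comment above the three calls saying why they run in this order, ahead of ravb_ptp_stop(), would also help the next reader.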