[PATCH net 0/2] ravb: Fix use-after-free issues

[PATCH net 0/2] ravb: Fix use-after-free issues

[Yoshihiro Shimoda]

This patch series fixes use-after-free issues in ravb_remove().
The original patch is made by Zheng Wang [1]. And, I made the patch
1/2 which I found other issue in the ravb_remove().

The issue is difficult to be reproduced. So, I checked this with a fault
injection code which I made like below:
---
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1874,6 +1874,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
 	struct net_device *ndev = priv->ndev;
 	int error;
 
+	netdev_info(ndev, "%s: enter\n", __func__);
 	netif_tx_stop_all_queues(ndev);
 
 	/* Stop PTP Clock driver */
@@ -1911,12 +1912,15 @@ static void ravb_tx_timeout_work(struct work_struct *work)
 	}
 	ravb_emac_init(ndev);
 
+	msleep(100);
+
 out:
 	/* Initialise PTP Clock driver */
 	if (info->gptp)
 		ravb_ptp_init(ndev, priv->pdev);
 
 	netif_tx_start_all_queues(ndev);
+	netdev_info(ndev, "%s: exit\n", __func__);
 }
 
 /* Packet transmit function for Ethernet AVB */
@@ -2886,6 +2890,7 @@ static int ravb_remove(struct platform_device *pdev)
 	struct ravb_private *priv = netdev_priv(ndev);
 	const struct ravb_hw_info *info = priv->info;
 
+	netdev_info(ndev, "%s: enter\n", __func__);
 	/* Stop PTP Clock driver */
 	if (info->ccc_gac)
 		ravb_ptp_stop(ndev);
@@ -2895,6 +2900,11 @@ static int ravb_remove(struct platform_device *pdev)
 
 	/* Set reset mode */
 	ravb_write(ndev, CCC_OPC_RESET, CCC);
+
+	/* fault injection for tx timeout */
+	if (netif_running(ndev))
+		schedule_work(&priv->work);
+
 	unregister_netdev(ndev);
 	if (info->nc_queues)
 		netif_napi_del(&priv->napi[RAVB_NC]);
@@ -2907,6 +2917,7 @@ static int ravb_remove(struct platform_device *pdev)
 	reset_control_assert(priv->rstc);
 	free_netdev(ndev);
 	platform_set_drvdata(pdev, NULL);
+	netdev_info(ndev, "%s: exit\n", __func__);
 
 	return 0;
 }
---

Before the patches are applied, the following message output if unbind:
# echo e6800000.ethernet > unbind
ravb e6800000.ethernet eth0: ravb_remove: enter
ravb e6800000.ethernet eth0: ravb_tx_timeout_work: enter
ravb e6800000.ethernet eth0: Link is Down
ravb e6800000.ethernet eth0 (released): ravb_remove: exit
platform e6800000.ethernet eth0 (released): ravb_tx_timeout_work: exit

After the patches were appliedy, "released" ravb_tx_timeout_work disappeared:
ravb e6800000.ethernet eth0: ravb_remove: enter
ravb e6800000.ethernet eth0: ravb_tx_timeout_work: enter
ravb e6800000.ethernet eth0: Link is Down
ravb e6800000.ethernet eth0: ravb_tx_timeout_work: exit
ravb e6800000.ethernet eth0 (released): ravb_remove: exit

[1]
https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/

Yoshihiro Shimoda (2):
  ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()
  ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work

 drivers/net/ethernet/renesas/ravb_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.25.1

[PATCH net 1/2] ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()

[Yoshihiro Shimoda]

The dma_free_coherent() in ravb_remove() should be called after
unregister_netdev(). Otherwise, this controller is possible to use
the freed buffer.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
 drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 7df9f9f8e134..9e2e801049cc 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2891,8 +2891,6 @@ static int ravb_remove(struct platform_device *pdev)
 	clk_disable_unprepare(priv->gptp_clk);
 	clk_disable_unprepare(priv->refclk);
 
-	dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
-			  priv->desc_bat_dma);
 	/* Set reset mode */
 	ravb_write(ndev, CCC_OPC_RESET, CCC);
 	unregister_netdev(ndev);
@@ -2900,6 +2898,8 @@ static int ravb_remove(struct platform_device *pdev)
 		netif_napi_del(&priv->napi[RAVB_NC]);
 	netif_napi_del(&priv->napi[RAVB_BE]);
 	ravb_mdio_release(priv);
+	dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
+			  priv->desc_bat_dma);
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	reset_control_assert(priv->rstc);
-- 
2.25.1

[PATCH net 2/2] ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work

[Yoshihiro Shimoda]

The ravb_stop() should call cancel_work_sync(). Otherwise,
ravb_tx_timeout_work() is possible to use the freed priv after
ravb_remove() was called like below:

CPU0			CPU1
			ravb_tx_timeout()
ravb_remove()
unregister_netdev()
free_netdev(ndev)
// free priv
			ravb_tx_timeout_work()
			// use priv

unregister_netdev() will call .ndo_stop() so that ravb_stop() is
called. And, after phy_stop() was called, netif_carrier_off()
is also called. So that .ndo_tx_timeout() will be not called
after phy_stop().

Link: https://lore.kernel.org/netdev/872cf8d7-3bd6-b11a-82ac-a9f4c82d0a02@omp.ru/
Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
 drivers/net/ethernet/renesas/ravb_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 9e2e801049cc..0ef0b88b7145 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2167,6 +2167,8 @@ static int ravb_close(struct net_device *ndev)
 			of_phy_deregister_fixed_link(np);
 	}
 
+	cancel_work_sync(&priv->work);
+
 	if (info->multi_irqs) {
 		free_irq(priv->tx_irqs[RAVB_NC], ndev);
 		free_irq(priv->rx_irqs[RAVB_NC], ndev);
-- 
2.25.1

Re: [PATCH net 2/2] ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work

[Sergey Shtylyov]

Hello!

   Hm, concerning the subject: don't we actually have use-after-free in ravb_tx_timeout()
only? Also, you place () after the function names in patch #1 but not in this patch, why?

On 10/4/23 12:12 PM, Yoshihiro Shimoda wrote:

> The ravb_stop() should call cancel_work_sync(). Otherwise,
> ravb_tx_timeout_work() is possible to use the freed priv after
> ravb_remove() was called like below:
> 
> CPU0			CPU1
> 			ravb_tx_timeout()
> ravb_remove()
> unregister_netdev()
> free_netdev(ndev)
> // free priv
> 			ravb_tx_timeout_work()
> 			// use priv
> 
> unregister_netdev() will call .ndo_stop() so that ravb_stop() is
> called. And, after phy_stop() was called, netif_carrier_off()

   s/was/is/?

> is also called. So that .ndo_tx_timeout() will be not called

   Will not be...

> after phy_stop().
> 
> Link: https://lore.kernel.org/netdev/872cf8d7-3bd6-b11a-82ac-a9f4c82d0a02@omp.ru/
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Reported-by: Zheng Wang <zyytlz.wz@163.com>
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

   Otherwise:

Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

[...]

MBR, Sergey

Re: [PATCH net 1/2] ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()

[Sergey Shtylyov]

On 10/4/23 12:12 PM, Yoshihiro Shimoda wrote:

> The dma_free_coherent() in ravb_remove() should be called after

   How about:

In ravb_remove(), dma_free_coherent() should be called after unregister_netdev().

> unregister_netdev(). Otherwise, this controller is possible to use
> the freed buffer.
> 
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

[...]

MBR, Sergey

Re: [PATCH net 1/2] ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()

[Sergey Shtylyov]

Concerning the summary: how about the below?

ravb: fix up dma_free_coherent() call in ravb_remove()

RE: [PATCH net 2/2] ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work

[Yoshihiro Shimoda]

Hello Sergey,

> From: Sergey Shtylyov, Sent: Thursday, October 5, 2023 3:30 AM
> 
> Hello!
> 
>    Hm, concerning the subject: don't we actually have use-after-free in ravb_tx_timeout()
> only?

IIUC, the issue causes ravb_remove(), and is in ravb_tx_timeout_work().

> Also, you place () after the function names in patch #1 but not in this patch, why?

I thought that the subject was long so that remove the ()...

So, I'll fix the subject as the follow:

ravb: Fix use-after-free issue in ravb_tx_timeout_work()

> On 10/4/23 12:12 PM, Yoshihiro Shimoda wrote:
> 
> > The ravb_stop() should call cancel_work_sync(). Otherwise,
> > ravb_tx_timeout_work() is possible to use the freed priv after
> > ravb_remove() was called like below:
> >
> > CPU0			CPU1
> > 			ravb_tx_timeout()
> > ravb_remove()
> > unregister_netdev()
> > free_netdev(ndev)
> > // free priv
> > 			ravb_tx_timeout_work()
> > 			// use priv
> >
> > unregister_netdev() will call .ndo_stop() so that ravb_stop() is
> > called. And, after phy_stop() was called, netif_carrier_off()
> 
>    s/was/is/?

I'll fix it.

> > is also called. So that .ndo_tx_timeout() will be not called
> 
>    Will not be...

Oops. I'll fix it.

> > after phy_stop().
> >
> > Link:
<snip URL>
> > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> > Reported-by: Zheng Wang <zyytlz.wz@163.com>
> > Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> 
>    Otherwise:
> 
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

Thank you for your review!

Best regards,
Yoshihiro Shimoda

> [...]
> 
> MBR, Sergey

RE: [PATCH net 1/2] ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()

[Yoshihiro Shimoda]

Hello Sergey,

> From: Sergey Shtylyov, Sent: Thursday, October 5, 2023 3:47 AM
> Subject: Re: [PATCH net 1/2] ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove()

Thank you for your suggestion in other thread. I'll fix the subject.

> On 10/4/23 12:12 PM, Yoshihiro Shimoda wrote:
> 
> > The dma_free_coherent() in ravb_remove() should be called after
> 
>    How about:
> 
> In ravb_remove(), dma_free_coherent() should be called after unregister_netdev().

I got it. I'll fix this.

> > unregister_netdev(). Otherwise, this controller is possible to use
> > the freed buffer.
> >
> > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> > Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> 
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

Thank you for your review!

Best regards,
Yoshihiro Shimoda

> [...]
> 
> MBR, Sergey