linux-renesas-soc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH net v2 0/2] ravb: Fix use-after-free issues
@ 2023-10-05  1:11 Yoshihiro Shimoda
  2023-10-05  1:12 ` [PATCH net v2 1/2] ravb: Fix up dma_free_coherent() call in ravb_remove() Yoshihiro Shimoda
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Yoshihiro Shimoda @ 2023-10-05  1:11 UTC (permalink / raw)
  To: s.shtylyov, davem, edumazet, kuba, pabeni
  Cc: netdev, linux-renesas-soc, Yoshihiro Shimoda

This patch series fixes use-after-free issues in ravb_remove().
The original patch is made by Zheng Wang [1]. And, I made the patch
1/2 which I found other issue in the ravb_remove().

[1]
https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/

Changes from v1:
https://lore.kernel.org/all/20231004091253.4194205-1-yoshihiro.shimoda.uh@renesas.com/
 - Based on the latest net/main branch.
 - Fix the subjects in the patch [12]/2.
 - Fix commit descriptions in the patch [12]/2.
 - Use Closes tag instead of Link tag for checkpatch.pl in the patch 2/2.
 - Add Reviewed-by tags in the patch [12]/2.

Yoshihiro Shimoda (2):
  ravb: Fix up dma_free_coherent() call in ravb_remove()
  ravb: Fix use-after-free issue in ravb_tx_timeout_work()

 drivers/net/ethernet/renesas/ravb_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH net v2 1/2] ravb: Fix up dma_free_coherent() call in ravb_remove()
  2023-10-05  1:11 [PATCH net v2 0/2] ravb: Fix use-after-free issues Yoshihiro Shimoda
@ 2023-10-05  1:12 ` Yoshihiro Shimoda
  2023-10-05  1:12 ` [PATCH net v2 2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work() Yoshihiro Shimoda
  2023-10-06 23:30 ` [PATCH net v2 0/2] ravb: Fix use-after-free issues patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Yoshihiro Shimoda @ 2023-10-05  1:12 UTC (permalink / raw)
  To: s.shtylyov, davem, edumazet, kuba, pabeni
  Cc: netdev, linux-renesas-soc, Yoshihiro Shimoda

In ravb_remove(), dma_free_coherent() should be call after
unregister_netdev(). Otherwise, this controller is possible to use
the freed buffer.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
---
 drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 7df9f9f8e134..9e2e801049cc 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2891,8 +2891,6 @@ static int ravb_remove(struct platform_device *pdev)
 	clk_disable_unprepare(priv->gptp_clk);
 	clk_disable_unprepare(priv->refclk);
 
-	dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
-			  priv->desc_bat_dma);
 	/* Set reset mode */
 	ravb_write(ndev, CCC_OPC_RESET, CCC);
 	unregister_netdev(ndev);
@@ -2900,6 +2898,8 @@ static int ravb_remove(struct platform_device *pdev)
 		netif_napi_del(&priv->napi[RAVB_NC]);
 	netif_napi_del(&priv->napi[RAVB_BE]);
 	ravb_mdio_release(priv);
+	dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
+			  priv->desc_bat_dma);
 	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 	reset_control_assert(priv->rstc);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH net v2 2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  2023-10-05  1:11 [PATCH net v2 0/2] ravb: Fix use-after-free issues Yoshihiro Shimoda
  2023-10-05  1:12 ` [PATCH net v2 1/2] ravb: Fix up dma_free_coherent() call in ravb_remove() Yoshihiro Shimoda
@ 2023-10-05  1:12 ` Yoshihiro Shimoda
  2023-10-06 23:30 ` [PATCH net v2 0/2] ravb: Fix use-after-free issues patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Yoshihiro Shimoda @ 2023-10-05  1:12 UTC (permalink / raw)
  To: s.shtylyov, davem, edumazet, kuba, pabeni
  Cc: netdev, linux-renesas-soc, Yoshihiro Shimoda, Zheng Wang

The ravb_stop() should call cancel_work_sync(). Otherwise,
ravb_tx_timeout_work() is possible to use the freed priv after
ravb_remove() was called like below:

CPU0			CPU1
			ravb_tx_timeout()
ravb_remove()
unregister_netdev()
free_netdev(ndev)
// free priv
			ravb_tx_timeout_work()
			// use priv

unregister_netdev() will call .ndo_stop() so that ravb_stop() is
called. And, after phy_stop() is called, netif_carrier_off()
is also called. So that .ndo_tx_timeout() will not be called
after phy_stop().

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
---
 drivers/net/ethernet/renesas/ravb_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 9e2e801049cc..0ef0b88b7145 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2167,6 +2167,8 @@ static int ravb_close(struct net_device *ndev)
 			of_phy_deregister_fixed_link(np);
 	}
 
+	cancel_work_sync(&priv->work);
+
 	if (info->multi_irqs) {
 		free_irq(priv->tx_irqs[RAVB_NC], ndev);
 		free_irq(priv->rx_irqs[RAVB_NC], ndev);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH net v2 0/2] ravb: Fix use-after-free issues
  2023-10-05  1:11 [PATCH net v2 0/2] ravb: Fix use-after-free issues Yoshihiro Shimoda
  2023-10-05  1:12 ` [PATCH net v2 1/2] ravb: Fix up dma_free_coherent() call in ravb_remove() Yoshihiro Shimoda
  2023-10-05  1:12 ` [PATCH net v2 2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work() Yoshihiro Shimoda
@ 2023-10-06 23:30 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-10-06 23:30 UTC (permalink / raw)
  To: Yoshihiro Shimoda
  Cc: s.shtylyov, davem, edumazet, kuba, pabeni, netdev, linux-renesas-soc

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  5 Oct 2023 10:11:59 +0900 you wrote:
> This patch series fixes use-after-free issues in ravb_remove().
> The original patch is made by Zheng Wang [1]. And, I made the patch
> 1/2 which I found other issue in the ravb_remove().
> 
> [1]
> https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/
> 
> [...]

Here is the summary with links:
  - [net,v2,1/2] ravb: Fix up dma_free_coherent() call in ravb_remove()
    https://git.kernel.org/netdev/net/c/e6864af61493
  - [net,v2,2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work()
    https://git.kernel.org/netdev/net/c/397144287071

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-06 23:30 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-05  1:11 [PATCH net v2 0/2] ravb: Fix use-after-free issues Yoshihiro Shimoda
2023-10-05  1:12 ` [PATCH net v2 1/2] ravb: Fix up dma_free_coherent() call in ravb_remove() Yoshihiro Shimoda
2023-10-05  1:12 ` [PATCH net v2 2/2] ravb: Fix use-after-free issue in ravb_tx_timeout_work() Yoshihiro Shimoda
2023-10-06 23:30 ` [PATCH net v2 0/2] ravb: Fix use-after-free issues patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).