This patch series fixes use-after-free issues in ravb_remove(). The original patch is made by Zheng Wang [1]. And, I made the patch 1/2 which I found other issue in the ravb_remove(). The issue is difficult to be reproduced. So, I checked this with a fault injection code which I made like below: --- --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -1874,6 +1874,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) struct net_device *ndev = priv->ndev; int error; + netdev_info(ndev, "%s: enter\n", __func__); netif_tx_stop_all_queues(ndev); /* Stop PTP Clock driver */ @@ -1911,12 +1912,15 @@ static void ravb_tx_timeout_work(struct work_struct *work) } ravb_emac_init(ndev); + msleep(100); + out: /* Initialise PTP Clock driver */ if (info->gptp) ravb_ptp_init(ndev, priv->pdev); netif_tx_start_all_queues(ndev); + netdev_info(ndev, "%s: exit\n", __func__); } /* Packet transmit function for Ethernet AVB */ @@ -2886,6 +2890,7 @@ static int ravb_remove(struct platform_device *pdev) struct ravb_private *priv = netdev_priv(ndev); const struct ravb_hw_info *info = priv->info; + netdev_info(ndev, "%s: enter\n", __func__); /* Stop PTP Clock driver */ if (info->ccc_gac) ravb_ptp_stop(ndev); @@ -2895,6 +2900,11 @@ static int ravb_remove(struct platform_device *pdev) /* Set reset mode */ ravb_write(ndev, CCC_OPC_RESET, CCC); + + /* fault injection for tx timeout */ + if (netif_running(ndev)) + schedule_work(&priv->work); + unregister_netdev(ndev); if (info->nc_queues) netif_napi_del(&priv->napi[RAVB_NC]); @@ -2907,6 +2917,7 @@ static int ravb_remove(struct platform_device *pdev) reset_control_assert(priv->rstc); free_netdev(ndev); platform_set_drvdata(pdev, NULL); + netdev_info(ndev, "%s: exit\n", __func__); return 0; } --- Before the patches are applied, the following message output if unbind: # echo e6800000.ethernet > unbind ravb e6800000.ethernet eth0: ravb_remove: enter ravb e6800000.ethernet eth0: ravb_tx_timeout_work: enter ravb e6800000.ethernet eth0: Link is Down ravb e6800000.ethernet eth0 (released): ravb_remove: exit platform e6800000.ethernet eth0 (released): ravb_tx_timeout_work: exit After the patches were appliedy, "released" ravb_tx_timeout_work disappeared: ravb e6800000.ethernet eth0: ravb_remove: enter ravb e6800000.ethernet eth0: ravb_tx_timeout_work: enter ravb e6800000.ethernet eth0: Link is Down ravb e6800000.ethernet eth0: ravb_tx_timeout_work: exit ravb e6800000.ethernet eth0 (released): ravb_remove: exit [1] https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@xxxxxxx/ Yoshihiro Shimoda (2): ravb: Fix dma_free_coherent() of desc_bat timing in ravb_remove() ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work drivers/net/ethernet/renesas/ravb_main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.25.1