Re: [PATCH net 2/2] ravb: Fix use-after-free issue in ravb_remove and ravb_tx_timeout_work

Hello!

   Hm, concerning the subject: don't we actually have use-after-free in ravb_tx_timeout()
only? Also, you place () after the function names in patch #1 but not in this patch, why?

On 10/4/23 12:12 PM, Yoshihiro Shimoda wrote:

> The ravb_stop() should call cancel_work_sync(). Otherwise,
> ravb_tx_timeout_work() is possible to use the freed priv after
> ravb_remove() was called like below:
> 
> CPU0			CPU1
> 			ravb_tx_timeout()
> ravb_remove()
> unregister_netdev()
> free_netdev(ndev)
> // free priv
> 			ravb_tx_timeout_work()
> 			// use priv
> 
> unregister_netdev() will call .ndo_stop() so that ravb_stop() is
> called. And, after phy_stop() was called, netif_carrier_off()

   s/was/is/?

> is also called. So that .ndo_tx_timeout() will be not called

   Will not be...

> after phy_stop().
> 
> Link: https://lore.kernel.org/netdev/872cf8d7-3bd6-b11a-82ac-a9f4c82d0a02@xxxxxx/
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Reported-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@xxxxxxxxxxx>

   Otherwise:

Reviewed-by: Sergey Shtylyov <s.shtylyov@xxxxxx>

[...]

MBR, Sergey
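
The ordering from the quoted commit message, as an added example that is not part of this thread or of the ravb patch: a userspace C model (pthreads and a semaphore standing in for the kernel workqueue) that counts how often the deferred work touches priv after the "free", with and without the cancel in the stop path. All names are hypothetical, and the model keeps the memory allocated so the late access can be counted safely.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdlib.h>
/* Userspace model with hypothetical names; this is not ravb code. */
struct priv {
    sem_t go;           /* posted when the "workqueue" lets the work run */
    pthread_t worker;   /* stands in for the queued work item */
    bool cancelled;     /* set by model_cancel_work_sync() */
    bool freed;         /* stands in for free_netdev(); memory is kept */
    int late_accesses;  /* work bodies that ran after the "free" */
};

static void *tx_timeout_work(void *arg)   /* CPU1 in the diagram */
{
    struct priv *p = arg;
    sem_wait(&p->go);                     /* work sits pending until run */
    if (!p->cancelled && p->freed)
        p->late_accesses++;               /* "use priv" after "free priv" */
    return NULL;
}

/* Model of cancel_work_sync(): drop pending work, then wait until the
 * work item can no longer be executing. */
static void model_cancel_work_sync(struct priv *p)
{
    p->cancelled = true;                  /* ordered before the post below */
    sem_post(&p->go);
    pthread_join(p->worker, NULL);
}

/* Returns how many times the work touched priv after it was "freed". */
int run_remove(bool stop_cancels_work)
{
    struct priv *p = calloc(1, sizeof(*p));
    int late;
    sem_init(&p->go, 0, 0);
    pthread_create(&p->worker, NULL, tx_timeout_work, p); /* timeout queues work */
    if (stop_cancels_work)
        model_cancel_work_sync(p);        /* stop path with the cancel */
    p->freed = true;                      /* free_netdev(ndev) in remove */
    if (!stop_cancels_work) {             /* pending work runs after remove */
        sem_post(&p->go);
        pthread_join(p->worker, NULL);
    }
    late = p->late_accesses;
    sem_destroy(&p->go);
    free(p);
    return late;
}
```

Build with -pthread. run_remove(false) reports one late access, run_remove(true) reports none.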


