Patch "net: qcom/emac: Fix use after free bug in emac_remove due to race condition" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    net: qcom/emac: Fix use after free bug in emac_remove due to race condition

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7c025c1f8330e27af3821d8ad12d621f8ed2c76b
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Sat Mar 18 16:05:26 2023 +0800

    net: qcom/emac: Fix use after free bug in emac_remove due to race condition
    
    [ Upstream commit 6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 ]
    
    In emac_probe, &adpt->work_thread is bound with
    emac_work_thread. Then it will be started by timeout
    handler emac_tx_timeout or an IRQ handler emac_isr.
    
    If we remove the driver which will call emac_remove
    to make cleanup, there may be an unfinished work.
    
    The possible sequence is as follows:
    
    Fix it by finishing the work before cleanup in the emac_remove
    and disable timeout response.
    
    CPU0                  CPU1
    
                        |emac_work_thread
    emac_remove         |
    free_netdev         |
    kfree(netdev);      |
                        |emac_reinit_locked
                        |emac_mac_down
                        |//use netdev
    Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
index cae570f1d7e12..527c4dd250833 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac.c
@@ -758,9 +758,15 @@ static int emac_remove(struct platform_device *pdev)
 	struct net_device *netdev = dev_get_drvdata(&pdev->dev);
 	struct emac_adapter *adpt = netdev_priv(netdev);
 
+	netif_carrier_off(netdev);
+	netif_tx_disable(netdev);
+
 	unregister_netdev(netdev);
 	netif_napi_del(&adpt->rx_q.napi);
 
+	free_irq(adpt->irq.irq, &adpt->irq);
+	cancel_work_sync(&adpt->work_thread);
+
 	emac_clks_teardown(adpt);
 
 	put_device(&adpt->phydev->mdio.dev);
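
Review bot: the added free_irq(adpt->irq.irq, &adpt->irq) runs after unregister_netdev(), which already closes the interface if it is up, and the hunk does not show where this IRQ is requested. If the request and release are paired in the open/close path, this call would release the IRQ a second time, so please confirm the request site or guard the call. The ordering of free_irq() before cancel_work_sync(&adpt->work_thread) looks deliberate, since the commit message names emac_isr as one of the places that starts the work; a one-line comment saying so would keep a later cleanup from swapping the two calls and reopening the window before the netdev is freed.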


