From: Jakub Kicinski <kuba@kernel.org>
To: Duoming Zhou <duoming@zju.edu.cn>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
pabeni@redhat.com, edumazet@google.com, davem@davemloft.net,
andrew+netdev@lunn.ch
Subject: Re: [PATCH net] cnic: Fix use-after-free bugs in cnic_delete_task
Date: Mon, 15 Sep 2025 18:22:35 -0700
Message-ID: <20250915182235.77a556c4@kernel.org>
In-Reply-To: <20250914034335.35643-1-duoming@zju.edu.cn>
On Sun, 14 Sep 2025 11:43:35 +0800 Duoming Zhou wrote:
> The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),
> which does not guarantee that the delayed work item 'delete_task' has
> fully completed if it was already running. Additionally, as the delayed
> work item is cyclic, flush_workqueue() in cnic_cm_stop_bnx2x_hw() could
> not prevent the new incoming ones. This leads to use-after-free scenarios
> where the cnic_dev is deallocated by cnic_free_dev(), while delete_task
> remains active and attempts to dereference cnic_dev in cnic_delete_task().
[snip]
> Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
> that the delayed work item is properly canceled and any executing delayed
> work has finished before the cnic_dev is deallocated.
Have you tested this on real HW? Please always include information on
how you discovered the problem and whether you managed to test the fix.
> Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup")
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> cnic_bnx2x_delete_wait(dev, 0);
>
> - cancel_delayed_work(&cp->delete_task);
> + cancel_delayed_work_sync(&cp->delete_task);
> flush_workqueue(cnic_wq);
AFAICT your patch is a nop, doubt this is fixing anything
> if (atomic_read(&cp->iscsi_conn) != 0)
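Review bot: the hunk's justification needs to be spelled out, because the changed line is immediately followed by the unchanged `flush_workqueue(cnic_wq);`. Assuming delete_task is queued on cnic_wq, that flush already waits for an instance of the handler that is mid-execution, so the only thing `cancel_delayed_work_sync()` adds at this point is refusing a re-queue that the cyclic handler attempts while the cancel is in flight. If that self-re-arm is the actual problem, the commit message should say so explicitly, explain why the existing `cancel_delayed_work()` + `flush_workqueue()` pair lets a re-armed instance reach the freed cnic_dev, and state whether the trailing `flush_workqueue()` is still needed once the _sync cancel is in place.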
--
pw-bot: cr
pv-bot: s