From: Salvatore Bonaccorso <carnil@debian.org>
To: Zheng Hacker <hackerzheng666@gmail.com>
Cc: Yunsheng Lin <linyunsheng@huawei.com>,
Zheng Wang <zyytlz.wz@163.com>,
s.shtylyov@omp.ru, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com,
alex000young@gmail.com
Subject: Re: [PATCH net] net: ravb: Fix possible UAF bug in ravb_remove
Date: Sat, 2 Sep 2023 16:34:21 +0200
Message-ID: <ZPNH7bdwe4Zir6EQ@eldamar.lan>
In-Reply-To: <CAJedcCy2n9jHm+uS5RG1T7u8aK8RazrzrC-sQhxFQ_v_ZphjWA@mail.gmail.com>
Hi,
On Sat, Mar 11, 2023 at 12:38:10AM +0800, Zheng Hacker wrote:
> Yunsheng Lin <linyunsheng@huawei.com> wrote on Fri, Mar 10, 2023 at 09:12:
> >
> > On 2023/3/9 18:02, Zheng Wang wrote:
> > > In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> > > If timeout occurs, it will start the work. And if we call
> > > ravb_remove without finishing the work, ther may be a use
> >
> > ther -> there
> >
>
> Sorry about the typo, will correct it in the next version.
>
> > > after free bug on ndev.
> > >
> > > Fix it by finishing the job before cleanup in ravb_remove.
> > >
> > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > > ---
> > > drivers/net/ethernet/renesas/ravb_main.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> > > index 0f54849a3823..07a08e72f440 100644
> > > --- a/drivers/net/ethernet/renesas/ravb_main.c
> > > +++ b/drivers/net/ethernet/renesas/ravb_main.c
> > > @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
> > > struct ravb_private *priv = netdev_priv(ndev);
> > > const struct ravb_hw_info *info = priv->info;
> > >
> > > + cancel_work_sync(&priv->work);
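Review bot: cancel_work_sync(&priv->work) sits at the very top of ravb_remove(), directly after the local declarations, and nothing visible in this hunk stops the tx timeout path from queuing priv->work again once the call has returned, so the work could still run against ndev after cleanup. Consider moving the call to after the point in ravb_remove() where the net device can no longer raise a timeout (for example, once it has been unregistered), and state in the commit message why the work cannot be re-queued past that point.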
> >
> > As your previous patch, I still do not see anything stopping
> > dev_watchdog() from calling dev->netdev_ops->ndo_tx_timeout
> > after cancel_work_sync(), maybe I missed something obvious
> > here?
> >
> Yes, that's a key suggestion. I was in a hurry to report the issue today
> so wrote with many mistakes.
> Thanks again for the advice. I will review other patch carefully.
>
> Best regards,
> Zheng
Looking through some older reports and proposed patches, has this even
been accepted later? Or did it fall through the cracks?
Regards,
Salvatore