From: Jeremy Kerr <jk@codeconstruct.com.au>
To: Andrew Lunn <andrew@lunn.ch>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Joel Stanley <joel@jms.id.au>,
Jacky Chou <jacky_chou@aspeedtech.com>,
Jacob Keller <jacob.e.keller@intel.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH net 1/2] net: ethernet: ftgmac100: prevent use after free on unregister when using NCSI
Date: Tue, 29 Oct 2024 12:32:53 +0800
Message-ID: <0123d308bb8577e7ccb5d99c504cec389ba8fe15.camel@codeconstruct.com.au>
In-Reply-To: <fe5630d4-1502-45eb-a6fb-6b5bc33506a9@lunn.ch>

Hi Andrew,

> ftgmac100_remove() should be a mirror of ftgmac100_probe() which does
> not register the ncsi device....

Sure it does:

    static int ftgmac100_probe(struct platform_device *pdev)
    {
    	/* ... */
    	if (np && of_get_property(np, "use-ncsi", NULL)) {
    		if (!IS_ENABLED(CONFIG_NET_NCSI)) {
    			dev_err(&pdev->dev, "NCSI stack not enabled\n");
    			err = -EINVAL;
    			goto err_phy_connect;
    		}

    		dev_info(&pdev->dev, "Using NCSI interface\n");
    		priv->use_ncsi = true;
    =>		priv->ndev = ncsi_register_dev(netdev, ftgmac100_ncsi_handler);
    		if (!priv->ndev) {
    			err = -EINVAL;
    			goto err_phy_connect;
    		}

- so we're symmetrical in that regard.

On unbind, ->remove is called before ->ndo_stop, as the latter is
invoked through the unregister_netdev():

[ 62.869014] Call trace:
[ 62.869079] unwind_backtrace from show_stack+0x18/0x1c
[ 62.869386] show_stack from dump_stack_lvl+0x68/0x74
[ 62.869575] dump_stack_lvl from print_report+0x130/0x4d8
[ 62.869771] print_report from kasan_report+0xa8/0xe8
[ 62.869956] kasan_report from detach_if_pending+0x49c/0x518
[ 62.870156] detach_if_pending from timer_delete+0xc4/0x124
[ 62.870350] timer_delete from work_grab_pending+0x8c/0x8e4
[ 62.870543] work_grab_pending from __cancel_work+0x84/0x25c
[ 62.870744] __cancel_work from __cancel_work_sync+0x1c/0x130
[ 62.870930] __cancel_work_sync from phy_stop+0x118/0x268
[ 62.871114] phy_stop from ftgmac100_stop+0x160/0x2dc
[ 62.871289] ftgmac100_stop from __dev_close_many+0x1c8/0x300
[ 62.871481] __dev_close_many from dev_close_many+0x238/0x578
[ 62.871674] dev_close_many from unregister_netdevice_many_notify+0x460/0x2368
[ 62.871900] unregister_netdevice_many_notify from unregister_netdevice_queue+0x27c/0x32c
[ 62.872144] unregister_netdevice_queue from unregister_netdev+0x20/0x28
[ 62.872348] unregister_netdev from ftgmac100_remove+0x8c/0x24c
[ 62.872542] ftgmac100_remove from platform_remove+0x84/0xa4
[ 62.872730] platform_remove from device_release_driver_internal+0x428/0x5e4
[ 62.872952] device_release_driver_internal from unbind_store+0xb8/0x108
[ 62.873163] unbind_store from kernfs_fop_write_iter+0x3a4/0x590
[ 62.873364] kernfs_fop_write_iter from vfs_write+0x65c/0xec8
[ 62.873567] vfs_write from ksys_write+0xec/0x1d4
[ 62.873735] ksys_write from ret_fast_syscall+0x0/0x54

As the ordering in ftgmac100_remove() is:

    if (priv->ndev)
    	ncsi_unregister_dev(priv->ndev);
    unregister_netdev(netdev);

which is (I assume intentionally) symmetric with the _probe, which
does:

    priv->ndev = ncsi_register_dev(netdev, ftgmac100_ncsi_handler);
    /* ... */
    register_netdev(netdev)

So we would either re-order _remove() to do the ncsi_unregister() after
the unregister_netdev(), breaking the symmetry there, or we check for a
valid ncsi device in ->ndo_stop. I have chosen the latter for this
change.

Cheers,
Jeremy
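
Added example, not part of the original message and not driver code: a user-space C model of the teardown ordering discussed above, comparing the current _remove() order with the two options named in the message. All model_* names are hypothetical, and clearing the pointer on unregister is an assumption about how ->ndo_stop could tell that the NCSI device is no longer valid.

```c
/* Added illustration: a user-space model of the teardown ordering, not driver
 * code. Every model_* name is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_ncsi { bool registered; };   /* stands in for the NCSI device */
struct model_priv {
	struct model_ncsi *ndev;              /* plays the role of priv->ndev */
	int stale_uses;                       /* stop touched an unregistered ndev */
};
enum teardown { CURRENT_ORDER, CHECK_IN_STOP, REORDERED };

static struct model_ncsi slot;            /* static storage: nothing is really freed */

static void model_ncsi_unregister(struct model_priv *p, bool clear)
{
	p->ndev->registered = false;          /* the real unregister releases the object */
	if (clear)
		p->ndev = NULL;                   /* assumption: how stop learns it is gone */
}

/* Models ->ndo_stop, which unregister_netdev() invokes on an open interface. */
static void model_stop(struct model_priv *p, bool check)
{
	if (check && !p->ndev)
		return;                           /* no valid NCSI device: skip it */
	if (p->ndev && !p->ndev->registered)
		p->stale_uses++;                  /* this would be the use after free */
}

static int model_remove(enum teardown how)
{
	struct model_priv p = { .ndev = &slot, .stale_uses = 0 };

	slot.registered = true;               /* probe: NCSI registered before netdev */
	if (how == REORDERED) {
		model_stop(&p, false);            /* unregister_netdev() runs first */
		model_ncsi_unregister(&p, true);
	} else {
		model_ncsi_unregister(&p, how == CHECK_IN_STOP);
		model_stop(&p, how == CHECK_IN_STOP);
	}
	return p.stale_uses;
}

int main(void)
{
	printf("current=%d check=%d reordered=%d\n", model_remove(CURRENT_ORDER),
	       model_remove(CHECK_IN_STOP), model_remove(REORDERED));
	return 0;
}
```
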