* [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
[not found] <CGME20250625093354epcas1p1c9817df6e1d1599e8b4eb16c5715a6fd@epcas1p1.samsung.com>
@ 2025-06-25 9:33 ` Peter GJ. Park
2025-06-26 9:21 ` Paolo Abeni
0 siblings, 1 reply; 10+ messages in thread
From: Peter GJ. Park @ 2025-06-25 9:33 UTC (permalink / raw)
To: Oliver Neukum, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Cc: netdev, linux-usb, linux-kernel, Peter GJ. Park
When usbnet_disconnect() queued while usbnet_probe() processing,
it results to free_netdev before kevent gets to run on workqueue,
thus workqueue does assign_work() with referencing freeed memory address.
For graceful disconnect and to prevent use-after-free of netdev pointer,
the fix adds canceling work and timer those are placed by usbnet_probe()
Signed-off-by: Peter GJ. Park <gyujoon.park@samsung.com>
---
drivers/net/usb/usbnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index c04e715a4c2ade3bc5587b0df71643a25cf88c55..3c5d9ba7fa6660273137c80106746103f84f5a37 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
usb_free_urb(dev->interrupt);
kfree(dev->padding_pkt);
+ timer_delete_sync(&dev->delay);
+ tasklet_kill(&dev->bh);
+ cancel_work_sync(&dev->kevent);
free_netdev(net);
}
EXPORT_SYMBOL_GPL(usbnet_disconnect);
---
base-commit: 86731a2a651e58953fc949573895f2fa6d456841
change-id: 20250625-usbnet-uaf-fix-9ab85de1b8cf
Best regards,
--
Peter GJ. Park <gyujoon.park@samsung.com>
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
2025-06-25 9:33 ` [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue Peter GJ. Park
@ 2025-06-26 9:21 ` Paolo Abeni
[not found] ` <CGME20250627104728epcas1p1dee12902e3d634214a5c6753ad7613c6@epcas1p1.samsung.com>
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Paolo Abeni @ 2025-06-26 9:21 UTC (permalink / raw)
To: Peter GJ. Park, Oliver Neukum, Andrew Lunn, David S. Miller,
Eric Dumazet, Jakub Kicinski
Cc: netdev, linux-usb, linux-kernel
On 6/25/25 11:33 AM, Peter GJ. Park wrote:
> When usbnet_disconnect() queued while usbnet_probe() processing,
> it results to free_netdev before kevent gets to run on workqueue,
> thus workqueue does assign_work() with referencing freeed memory address.
>
> For graceful disconnect and to prevent use-after-free of netdev pointer,
> the fix adds canceling work and timer those are placed by usbnet_probe()
>
> Signed-off-by: Peter GJ. Park <gyujoon.park@samsung.com>
You should include a suitable fixes tag, and you should have specified
the target tree ('net' in this case) in the prefix subjext
> ---
> drivers/net/usb/usbnet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index c04e715a4c2ade3bc5587b0df71643a25cf88c55..3c5d9ba7fa6660273137c80106746103f84f5a37 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
> usb_free_urb(dev->interrupt);
> kfree(dev->padding_pkt);
>
> + timer_delete_sync(&dev->delay);
> + tasklet_kill(&dev->bh);
> + cancel_work_sync(&dev->kevent);
> free_netdev(net);
This happens after unregister_netdev(), which calls usbnet_stop() that
already performs the above cleanup. How the race is supposed to take place?
/P
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v2] net: usb: usbnet: fix use-after-free in race on workqueue
[not found] ` <CGME20250627104728epcas1p1dee12902e3d634214a5c6753ad7613c6@epcas1p1.samsung.com>
@ 2025-06-27 10:47 ` Peter GJ. Park
0 siblings, 0 replies; 10+ messages in thread
From: Peter GJ. Park @ 2025-06-27 10:47 UTC (permalink / raw)
To: pabeni
Cc: andrew+netdev, davem, edumazet, gyujoon.park, kuba, linux-kernel,
linux-usb, netdev, oneukum
When usbnet_disconnect() queued while usbnet_probe() processing,
it results to free_netdev before kevent gets to run on workqueue,
thus workqueue does assign_work() with referencing freeed memory address.
For graceful disconnect and to prevent use-after-free of netdev pointer,
the fix adds canceling work and timer those are placed by usbnet_probe()
Signed-off-by: Peter GJ. Park <gyujoon.park@samsung.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
---
drivers/net/usb/usbnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index c04e715a4c2a..3c5d9ba7fa66 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
usb_free_urb(dev->interrupt);
kfree(dev->padding_pkt);
+ timer_delete_sync(&dev->delay);
+ tasklet_kill(&dev->bh);
+ cancel_work_sync(&dev->kevent);
free_netdev(net);
}
EXPORT_SYMBOL_GPL(usbnet_disconnect);
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH net v2] net: usb: usbnet: fix use-after-free in race on workqueue
[not found] ` <CGME20250627105959epcas1p168bbbe460ee1f081e67723505e1f57c9@epcas1p1.samsung.com>
@ 2025-06-27 10:59 ` Peter GJ. Park
2025-07-02 1:27 ` Jakub Kicinski
0 siblings, 1 reply; 10+ messages in thread
From: Peter GJ. Park @ 2025-06-27 10:59 UTC (permalink / raw)
To: pabeni
Cc: andrew+netdev, davem, edumazet, gyujoon.park, kuba, linux-kernel,
linux-usb, netdev, oneukum
When usbnet_disconnect() queued while usbnet_probe() processing,
it results to free_netdev before kevent gets to run on workqueue,
thus workqueue does assign_work() with referencing freeed memory address.
For graceful disconnect and to prevent use-after-free of netdev pointer,
the fix adds canceling work and timer those are placed by usbnet_probe()
Signed-off-by: Peter GJ. Park <gyujoon.park@samsung.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
---
drivers/net/usb/usbnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index c04e715a4c2a..3c5d9ba7fa66 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
usb_free_urb(dev->interrupt);
kfree(dev->padding_pkt);
+ timer_delete_sync(&dev->delay);
+ tasklet_kill(&dev->bh);
+ cancel_work_sync(&dev->kevent);
free_netdev(net);
}
EXPORT_SYMBOL_GPL(usbnet_disconnect);
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH net] net: usb: usbnet: fix use-after-free in race on workqueue
2025-06-26 9:21 ` Paolo Abeni
[not found] ` <CGME20250627104728epcas1p1dee12902e3d634214a5c6753ad7613c6@epcas1p1.samsung.com>
[not found] ` <CGME20250627105959epcas1p168bbbe460ee1f081e67723505e1f57c9@epcas1p1.samsung.com>
@ 2025-07-01 4:19 ` Peter GJ. Park
2025-07-01 13:22 ` [PATCH] " Oliver Neukum
3 siblings, 0 replies; 10+ messages in thread
From: Peter GJ. Park @ 2025-07-01 4:19 UTC (permalink / raw)
To: Paolo Abeni
Cc: Oliver Neukum, Andrew Lunn, David S. Miller, Eric Dumazet,
Jakub Kicinski, netdev, linux-usb, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 6262 bytes --]
On Thu, Jun 26, 2025 at 11:21:39AM +0200, Paolo Abeni wrote:
> On 6/25/25 11:33 AM, Peter GJ. Park wrote:
> > When usbnet_disconnect() queued while usbnet_probe() processing,
> > it results to free_netdev before kevent gets to run on workqueue,
> > thus workqueue does assign_work() with referencing freeed memory address.
> >
> > For graceful disconnect and to prevent use-after-free of netdev pointer,
> > the fix adds canceling work and timer those are placed by usbnet_probe()
> >
> > Signed-off-by: Peter GJ. Park <gyujoon.park@samsung.com>
>
> You should include a suitable fixes tag, and you should have specified
> the target tree ('net' in this case) in the prefix subjext
>
It has been applied with v2 patch. Thank you for this.
> > ---
> > drivers/net/usb/usbnet.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> > index c04e715a4c2ade3bc5587b0df71643a25cf88c55..3c5d9ba7fa6660273137c80106746103f84f5a37 100644
> > --- a/drivers/net/usb/usbnet.c
> > +++ b/drivers/net/usb/usbnet.c
> > @@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
> > usb_free_urb(dev->interrupt);
> > kfree(dev->padding_pkt);
> >
> > + timer_delete_sync(&dev->delay);
> > + tasklet_kill(&dev->bh);
> > + cancel_work_sync(&dev->kevent);
> > free_netdev(net);
>
> This happens after unregister_netdev(), which calls usbnet_stop() that
> already performs the above cleanup. How the race is supposed to take place?
>
> /P
>
This uaf detected while my syzkaller project for usb kernel driver.
First hub_event work:usb_new_device arrived and processing in wq,
While second new hub_event work:usb_disconnect put into wq.
Then third usbnet:kevent work put by first hub_event work.
Dev pointer free-ed by second work without preceding usbnet_stop(), so the usbnetkevent still queued in wq,
Finally it detected by kasan as use-after-free when wq try to access that poiter.
Here is log snippet.
[ 3041.949116] [5: kworker/5:1: 130] BUG: KASAN: slab-use-after-free in assign_work+0xe8/0x280
[ 3041.949128] [5: kworker/5:1: 130] Read of size 8 at addr ffffff88ef60ece8 by task kworker/5:1/130
...
[ 3041.949155] [5: kworker/5:1: 130] Workqueue: 0x0 (usb_hub_wq)
[ 3041.949167] [5: kworker/5:1: 130] Call trace:
[ 3041.949170] [5: kworker/5:1: 130] dump_backtrace+0x120/0x170
[ 3041.949178] [5: kworker/5:1: 130] show_stack+0x2c/0x40
[ 3041.949184] [5: kworker/5:1: 130] dump_stack_lvl+0x68/0x84
[ 3041.949193] [5: kworker/5:1: 130] print_report+0x13c/0x6f8
[ 3041.949203] [5: kworker/5:1: 130] kasan_report+0xdc/0x13c
[ 3041.949211] [5: kworker/5:1: 130] __asan_load8+0x98/0xa0
[ 3041.949216] [5: kworker/5:1: 130] assign_work+0xe8/0x280
[ 3041.949224] [5: kworker/5:1: 130] worker_thread+0x458/0x670
[ 3041.949231] [5: kworker/5:1: 130] kthread+0x1d8/0x298
[ 3041.949238] [5: kworker/5:1: 130] ret_from_fork+0x10/0x20
[ 3041.949248] [5: kworker/5:1: 130] Allocated by task 130:
...
[ 3041.949275] [5: kworker/5:1: 130] __kmalloc_node+0x74/0x194
[ 3041.949282] [5: kworker/5:1: 130] kvmalloc_node+0x160/0x394
[ 3041.949289] [5: kworker/5:1: 130] alloc_netdev_mqs+0x6c/0x718
[ 3041.949298] [5: kworker/5:1: 130] alloc_etherdev_mqs+0x48/0x60
[ 3041.949305] [5: kworker/5:1: 130] usbnet_probe+0xd8/0xf10 [usbnet]
[ 3041.949348] [5: kworker/5:1: 130] usb_probe_interface+0x338/0x4fc
...
[ 3041.949516] [5: kworker/5:1: 130] usb_new_device+0x7c8/0xbdc
[ 3041.949523] [5: kworker/5:1: 130] hub_event+0x1808/0x2564
[ 3041.949530] [5: kworker/5:1: 130] process_scheduled_works+0x3cc/0x92c
[ 3041.949538] [5: kworker/5:1: 130] worker_thread+0x468/0x670
[ 3041.949546] [5: kworker/5:1: 130] kthread+0x1d8/0x298
[ 3041.949552] [5: kworker/5:1: 130] ret_from_fork+0x10/0x20
[ 3041.949561] [5: kworker/5:1: 130] Freed by task 130:
...
[ 3041.949604] [5: kworker/5:1: 130] __kmem_cache_free+0xa0/0x260
[ 3041.949610] [5: kworker/5:1: 130] kfree+0x60/0x124
[ 3041.949617] [5: kworker/5:1: 130] kvfree+0x40/0x54
[ 3041.949622] [5: kworker/5:1: 130] netdev_freemem+0x2c/0x40
[ 3041.949630] [5: kworker/5:1: 130] netdev_release+0x50/0x6c
[ 3041.949638] [5: kworker/5:1: 130] device_release+0x74/0x13c
[ 3041.949645] [5: kworker/5:1: 130] kobject_put+0xfc/0x1a8
[ 3041.949654] [5: kworker/5:1: 130] put_device+0x28/0x40
[ 3041.949660] [5: kworker/5:1: 130] free_netdev+0x234/0x284
[ 3041.949667] [5: kworker/5:1: 130] usbnet_disconnect+0x18c/0x250 [usbnet]
[ 3041.949706] [5: kworker/5:1: 130] usb_unbind_interface+0x130/0x414
[ 3041.949713] [5: kworker/5:1: 130] device_release_driver_internal+0x2e8/0x494
[ 3041.949721] [5: kworker/5:1: 130] device_release_driver+0x28/0x3c
[ 3041.949730] [5: kworker/5:1: 130] bus_remove_device+0x250/0x268
[ 3041.949737] [5: kworker/5:1: 130] device_del+0x304/0x530
[ 3041.949744] [5: kworker/5:1: 130] usb_disable_device+0x1d8/0x340
[ 3041.949750] [5: kworker/5:1: 130] usb_disconnect+0x1c4/0x4f0
[ 3041.949757] [5: kworker/5:1: 130] hub_event+0x1200/0x2564
[ 3041.949764] [5: kworker/5:1: 130] process_scheduled_works+0x3cc/0x92c
[ 3041.949772] [5: kworker/5:1: 130] worker_thread+0x468/0x670
[ 3041.949780] [5: kworker/5:1: 130] kthread+0x1d8/0x298
[ 3041.949786] [5: kworker/5:1: 130] ret_from_fork+0x10/0x20
[ 3041.949796] [5: kworker/5:1: 130] Last potentially related work creation:
...
[ 3041.949820] [5: kworker/5:1: 130] __queue_work+0x5d0/0xaf4
[ 3041.949827] [5: kworker/5:1: 130] queue_work_on+0x64/0xb0
[ 3041.949833] [5: kworker/5:1: 130] usbnet_link_change+0xdc/0x13c [usbnet]
[ 3041.949873] [5: kworker/5:1: 130] usbnet_probe+0xe5c/0xf10 [usbnet]
...
[ 3041.950078] [5: kworker/5:1: 130] usb_new_device+0x7c8/0xbdc
[ 3041.950085] [5: kworker/5:1: 130] hub_event+0x1808/0x2564
[ 3041.950092] [5: kworker/5:1: 130] process_scheduled_works+0x3cc/0x92c
[ 3041.950100] [5: kworker/5:1: 130] worker_thread+0x468/0x670
[ 3041.950107] [5: kworker/5:1: 130] kthread+0x1d8/0x298
[ 3041.950113] [5: kworker/5:1: 130] ret_from_fork+0x10/0x20
Best Regards,
GJ
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
2025-06-26 9:21 ` Paolo Abeni
` (2 preceding siblings ...)
2025-07-01 4:19 ` [PATCH net] " Peter GJ. Park
@ 2025-07-01 13:22 ` Oliver Neukum
2025-07-02 1:26 ` Jakub Kicinski
3 siblings, 1 reply; 10+ messages in thread
From: Oliver Neukum @ 2025-07-01 13:22 UTC (permalink / raw)
To: Paolo Abeni, Peter GJ. Park, Oliver Neukum, Andrew Lunn,
David S. Miller, Eric Dumazet, Jakub Kicinski
Cc: netdev, linux-usb, linux-kernel
Hi,
On 26.06.25 11:21, Paolo Abeni wrote:
>> drivers/net/usb/usbnet.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
>> index c04e715a4c2ade3bc5587b0df71643a25cf88c55..3c5d9ba7fa6660273137c80106746103f84f5a37 100644
>> --- a/drivers/net/usb/usbnet.c
>> +++ b/drivers/net/usb/usbnet.c
>> @@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
>> usb_free_urb(dev->interrupt);
>> kfree(dev->padding_pkt);
>>
>> + timer_delete_sync(&dev->delay);
>> + tasklet_kill(&dev->bh);
>> + cancel_work_sync(&dev->kevent);
>> free_netdev(net);
> This happens after unregister_netdev(), which calls usbnet_stop() that
> already performs the above cleanup. How the race is supposed to take place?
That is indeed a core question, which we really need an answer to.
Do I interpret dev_close_many() correctly, if I state that the
ndo_stop() method will _not_ be called if the device has never been
opened?
I am sorry to be a stickler here, but if that turns out to be true,
usbnet is not the only driver that has this bug.
TIA
Oliver
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
2025-07-01 13:22 ` [PATCH] " Oliver Neukum
@ 2025-07-02 1:26 ` Jakub Kicinski
2025-07-02 10:54 ` Oliver Neukum
0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2025-07-02 1:26 UTC (permalink / raw)
To: Oliver Neukum
Cc: Paolo Abeni, Peter GJ. Park, Andrew Lunn, David S. Miller,
Eric Dumazet, netdev, linux-usb, linux-kernel
On Tue, 1 Jul 2025 15:22:54 +0200 Oliver Neukum wrote:
> On 26.06.25 11:21, Paolo Abeni wrote:
> >> drivers/net/usb/usbnet.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> >> index c04e715a4c2ade3bc5587b0df71643a25cf88c55..3c5d9ba7fa6660273137c80106746103f84f5a37 100644
> >> --- a/drivers/net/usb/usbnet.c
> >> +++ b/drivers/net/usb/usbnet.c
> >> @@ -1660,6 +1660,9 @@ void usbnet_disconnect (struct usb_interface *intf)
> >> usb_free_urb(dev->interrupt);
> >> kfree(dev->padding_pkt);
> >>
> >> + timer_delete_sync(&dev->delay);
> >> + tasklet_kill(&dev->bh);
> >> + cancel_work_sync(&dev->kevent);
> >> free_netdev(net);
> > This happens after unregister_netdev(), which calls usbnet_stop() that
> > already performs the above cleanup. How the race is supposed to take place?
>
> That is indeed a core question, which we really need an answer to.
> Do I interpret dev_close_many() correctly, if I state that the
> ndo_stop() method will _not_ be called if the device has never been
> opened?
Correct, open and close are paired. Most drivers would crash if we
tried to close them before they ever got opened.
> I am sorry to be a stickler here, but if that turns out to be true,
> usbnet is not the only driver that has this bug.
Shooting from the hip slightly, but its unusual for a driver to start
link monitoring before open. After all there can be no packets on a
device that's closed. Why not something like:
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 9564478a79cc..b75b0b5c3abc 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -896,6 +896,9 @@ int usbnet_open (struct net_device *net)
int retval;
const struct driver_info *info = dev->driver_info;
+ if (dev->driver_info->flags & FLAG_LINK_INTR)
+ usbnet_link_change(dev, 0, 0);
+
if ((retval = usb_autopm_get_interface(dev->intf)) < 0) {
netif_info(dev, ifup, dev->net,
"resumption fail (%d) usbnet usb-%s-%s, %s\n",
@@ -1862,8 +1865,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
netif_device_attach (net);
- if (dev->driver_info->flags & FLAG_LINK_INTR)
- usbnet_link_change(dev, 0, 0);
+ netif_carrier_off(net);
return 0;
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH net v2] net: usb: usbnet: fix use-after-free in race on workqueue
2025-06-27 10:59 ` [PATCH net " Peter GJ. Park
@ 2025-07-02 1:27 ` Jakub Kicinski
0 siblings, 0 replies; 10+ messages in thread
From: Jakub Kicinski @ 2025-07-02 1:27 UTC (permalink / raw)
To: Peter GJ. Park
Cc: pabeni, andrew+netdev, davem, edumazet, linux-kernel, linux-usb,
netdev, oneukum
On Fri, 27 Jun 2025 19:59:53 +0900 Peter GJ. Park wrote:
> When usbnet_disconnect() queued while usbnet_probe() processing,
> it results to free_netdev before kevent gets to run on workqueue,
> thus workqueue does assign_work() with referencing freeed memory address.
>
> For graceful disconnect and to prevent use-after-free of netdev pointer,
> the fix adds canceling work and timer those are placed by usbnet_probe()
Discussion on the v1 thread is ongoing, please repost once it concludes.
--
pw-bot: cr
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
2025-07-02 1:26 ` Jakub Kicinski
@ 2025-07-02 10:54 ` Oliver Neukum
2025-07-02 18:22 ` Jakub Kicinski
0 siblings, 1 reply; 10+ messages in thread
From: Oliver Neukum @ 2025-07-02 10:54 UTC (permalink / raw)
To: Jakub Kicinski, Oliver Neukum
Cc: Paolo Abeni, Peter GJ. Park, Andrew Lunn, David S. Miller,
Eric Dumazet, netdev, linux-usb, linux-kernel, Ming Lei
On 02.07.25 03:26, Jakub Kicinski wrote:
> On Tue, 1 Jul 2025 15:22:54 +0200 Oliver Neukum wrote:
>> That is indeed a core question, which we really need an answer to.
>> Do I interpret dev_close_many() correctly, if I state that the
>> ndo_stop() method will _not_ be called if the device has never been
>> opened?
>
> Correct, open and close are paired. Most drivers would crash if we
> tried to close them before they ever got opened.
Thank you for clarifying that.
>> I am sorry to be a stickler here, but if that turns out to be true,
>> usbnet is not the only driver that has this bug.
>
> Shooting from the hip slightly, but its unusual for a driver to start
> link monitoring before open. After all there can be no packets on a
> device that's closed. Why not something like:
It turns out that user space wants to know whether there is carrier
even before it uses an interface because it uses that information
to decide whether to use the link.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444043
However, it looks to me like the issue is specifically
queuing work for kevent. That would call for reverting
0162c55463057 ("usbnet: apply usbnet_link_change")
[taking author into CC]
Regards
Oliver
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue
2025-07-02 10:54 ` Oliver Neukum
@ 2025-07-02 18:22 ` Jakub Kicinski
0 siblings, 0 replies; 10+ messages in thread
From: Jakub Kicinski @ 2025-07-02 18:22 UTC (permalink / raw)
To: Oliver Neukum
Cc: Paolo Abeni, Peter GJ. Park, Andrew Lunn, David S. Miller,
Eric Dumazet, netdev, linux-usb, linux-kernel, Ming Lei, Ming Lei
On Wed, 2 Jul 2025 12:54:23 +0200 Oliver Neukum wrote:
> >> I am sorry to be a stickler here, but if that turns out to be true,
> >> usbnet is not the only driver that has this bug.
> >
> > Shooting from the hip slightly, but its unusual for a driver to start
> > link monitoring before open. After all there can be no packets on a
> > device that's closed. Why not something like:
>
> It turns out that user space wants to know whether there is carrier
> even before it uses an interface because it uses that information
> to decide whether to use the link.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444043
Ah. We should totally move the carrier clear _prior_ to registering
the netdev!
> However, it looks to me like the issue is specifically
> queuing work for kevent. That would call for reverting
> 0162c55463057 ("usbnet: apply usbnet_link_change")
> [taking author into CC]
Hm, spying on git logs I think Ming Lei changed employers from
Cannonical to RedHat in early 2017. Adding the @redhat address.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2025-07-02 18:22 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CGME20250625093354epcas1p1c9817df6e1d1599e8b4eb16c5715a6fd@epcas1p1.samsung.com>
2025-06-25 9:33 ` [PATCH] net: usb: usbnet: fix use-after-free in race on workqueue Peter GJ. Park
2025-06-26 9:21 ` Paolo Abeni
[not found] ` <CGME20250627104728epcas1p1dee12902e3d634214a5c6753ad7613c6@epcas1p1.samsung.com>
2025-06-27 10:47 ` [PATCH v2] " Peter GJ. Park
[not found] ` <CGME20250627105959epcas1p168bbbe460ee1f081e67723505e1f57c9@epcas1p1.samsung.com>
2025-06-27 10:59 ` [PATCH net " Peter GJ. Park
2025-07-02 1:27 ` Jakub Kicinski
2025-07-01 4:19 ` [PATCH net] " Peter GJ. Park
2025-07-01 13:22 ` [PATCH] " Oliver Neukum
2025-07-02 1:26 ` Jakub Kicinski
2025-07-02 10:54 ` Oliver Neukum
2025-07-02 18:22 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).