From: Jacob Keller <jacob.e.keller@intel.com>
To: Jeremy Kerr <jk@codeconstruct.com.au>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Joel Stanley <joel@jms.id.au>,
Jacky Chou <jacky_chou@aspeedtech.com>
Cc: <netdev@vger.kernel.org>
Subject: Re: [PATCH net 1/2] net: ethernet: ftgmac100: prevent use after free on unregister when using NCSI
Date: Mon, 28 Oct 2024 11:33:39 -0700 [thread overview]
Message-ID: <5493ec79-7f64-47cd-972e-2ad0935f27b2@intel.com> (raw)
In-Reply-To: <20241028-ftgmac-fixes-v1-1-b334a507be6c@codeconstruct.com.au>
On 10/27/2024 9:54 PM, Jeremy Kerr wrote:
> When removing an active ftgmac100 netdev that is configured for NCSI, we
> have a double free of the ncsi device: We currently unregister the ncsi
> device (freeing it), then unregister the netdev itself. If the netdev is
> running, the netdev_unregister() path performs a ->ndo_stop(), which
> calls ncsi_stop_dev() on the now-free ncsi pointer.
>
> Instead, modify ftgmac100_stop() to check the ncsi pointer before
> freeing (rather than use_ncsi, which reflects configuration intent), and
> clear the pointer once we have done the ncsi_unregister().
>
> Fixes: 3d5179458d22 ("net: ftgmac100: Fix crash when removing driver")
> Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
> ---
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
next prev parent reply other threads:[~2024-10-28 18:34 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-28 4:54 [PATCH net 0/2] net: ethernet: ftgmac100: fixes for ncsi/phy handling on device remove Jeremy Kerr
2024-10-28 4:54 ` [PATCH net 1/2] net: ethernet: ftgmac100: prevent use after free on unregister when using NCSI Jeremy Kerr
2024-10-28 18:33 ` Jacob Keller [this message]
2024-10-28 20:15 ` Andrew Lunn
2024-10-29 4:32 ` Jeremy Kerr
2024-10-29 12:37 ` Andrew Lunn
2024-10-29 14:10 ` Jeremy Kerr
2024-10-29 22:36 ` Jakub Kicinski
2024-10-30 0:29 ` Jeremy Kerr
2024-10-30 2:58 ` Jeremy Kerr
2024-10-30 9:02 ` Sam Mendoza-Jonas
2024-10-28 4:54 ` [PATCH net 2/2] net: ethernet: ftgmac100: fix NULL phy usage on device remove Jeremy Kerr
2024-10-28 5:58 ` 回覆: " Jacky Chou
2024-10-28 18:34 ` Jacob Keller
2024-10-28 20:23 ` Andrew Lunn
2024-10-29 4:36 ` Jeremy Kerr
2024-10-29 12:41 ` Andrew Lunn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5493ec79-7f64-47cd-972e-2ad0935f27b2@intel.com \
--to=jacob.e.keller@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jacky_chou@aspeedtech.com \
--cc=jk@codeconstruct.com.au \
--cc=joel@jms.id.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).