From patchwork Fri Feb 21 16:55:17 2025
From: Paul Barker <paul.barker.ct@bp.renesas.com>
To: Ulrich Hecht
Cc: cip-dev@lists.cip-project.org
Subject: [PATCH 4.4.y-st] ravb: Fix use-after-free issue in ravb_tx_timeout_work()
Date: Fri, 21 Feb 2025 16:55:17 +0000
Message-ID: <20250221165517.357768-1-paul.barker.ct@bp.renesas.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17879
From: Yoshihiro Shimoda

commit 3971442870713de527684398416970cf025b4f89 upstream.

The ravb_stop() should call cancel_work_sync(). Otherwise,
ravb_tx_timeout_work() is possible to use the freed priv after
ravb_remove() was called like below:

CPU0                            CPU1
ravb_tx_timeout()
                                ravb_remove()
                                unregister_netdev()
                                free_netdev(ndev)
                                // free priv
ravb_tx_timeout_work()
// use priv

unregister_netdev() will call .ndo_stop() so that ravb_stop() is
called. And, after phy_stop() is called, netif_carrier_off() is also
called. So that .ndo_tx_timeout() will not be called after phy_stop().

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Reported-by: Zheng Wang
Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/
Signed-off-by: Yoshihiro Shimoda
Reviewed-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/20231005011201.14368-3-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
[adjusted to apply to linux-4.4.y-st]
Signed-off-by: Paul Barker
---
This patch has been tested on RZ/G1M using the linux-4.4.y-cip tree, but
I'm sending it for linux-4.4.y-st as the issue is also present there. I
currently have no way to test the -st tree without the corresponding cip
patches.

This patch addresses CVE-2023-35827.

 drivers/net/ethernet/renesas/ravb_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 46280e3bfdfc..259c1794d173 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1544,6 +1544,8 @@ static int ravb_close(struct net_device *ndev)
 		priv->phydev = NULL;
 	}
 
+	cancel_work_sync(&priv->work);
+
 	if (priv->chip_id == RCAR_GEN3)
 		free_irq(priv->emac_irq, ndev);
 	free_irq(ndev->irq, ndev);
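Review bot: The placement of cancel_work_sync(&priv->work) looks right: it comes after the PHY has been stopped and detached (priv->phydev = NULL just above it), so per the commit message no new .ndo_tx_timeout() can queue the work, and it comes before the free_irq() calls, so an instance that is already running finishes while the device is still fully set up rather than after the caller's free_netdev(). One thing to make explicit for readers of the backport: the commit message says ravb_stop() should call cancel_work_sync(), but in 4.4.y-st the .ndo_stop callback is ravb_close(), as the hunk header shows; the "[adjusted to apply to linux-4.4.y-st]" line would be clearer if it said that the function was renamed rather than leaving the reader to reconcile the two names.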
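An added example, not code from this patch, the ravb driver or the kernel: a user-space model of the schedule_work()/cancel_work_sync() contract built on pthreads, used to replay the CPU0/CPU1 interleaving from the commit message once without the cancel (what the tree did before this patch) and once with it (what ravb_close() does after it). Everything in it is the model's own invention (struct wq, struct model_priv, run_teardown(), the "gate" that decides when the worker gets the CPU); instead of really freeing priv, teardown tombstones it, so the misuse is counted rather than being undefined behaviour.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical one-slot workqueue.  The gate lets the caller decide when the
 * worker thread "gets the CPU", so the race is reproduced deterministically. */
struct work {
    void (*fn)(struct work *);
    bool pending;   /* queued, not yet started */
    bool running;   /* fn is executing on the worker thread */
};

struct wq {
    pthread_t thread;
    pthread_mutex_t lock;
    pthread_cond_t cv;
    struct work *queued;
    bool gate_open, stop;
};

static void *worker(void *arg)
{
    struct wq *q = arg;
    for (;;) {
        pthread_mutex_lock(&q->lock);
        while (!q->stop && !(q->queued && q->gate_open))
            pthread_cond_wait(&q->cv, &q->lock);
        struct work *w = q->gate_open ? q->queued : NULL;
        if (!w) {                        /* stop requested and nothing runnable */
            pthread_mutex_unlock(&q->lock);
            return NULL;
        }
        q->queued = NULL;
        w->pending = false;
        w->running = true;
        pthread_mutex_unlock(&q->lock);
        w->fn(w);                        /* work functions run unlocked */
        pthread_mutex_lock(&q->lock);
        w->running = false;
        pthread_cond_broadcast(&q->cv);  /* wakes a cancel_work_sync() waiter */
        pthread_mutex_unlock(&q->lock);
    }
}

static void wq_start(struct wq *q)
{
    q->queued = NULL; q->gate_open = false; q->stop = false;
    pthread_mutex_init(&q->lock, NULL);
    pthread_cond_init(&q->cv, NULL);
    pthread_create(&q->thread, NULL, worker, q);
}

static void wq_open_gate(struct wq *q)
{
    pthread_mutex_lock(&q->lock);
    q->gate_open = true;
    pthread_cond_broadcast(&q->cv);
    pthread_mutex_unlock(&q->lock);
}

/* Runs whatever is still queued (if the gate is open), then joins the worker. */
static void wq_stop(struct wq *q)
{
    pthread_mutex_lock(&q->lock);
    q->stop = true;
    pthread_cond_broadcast(&q->cv);
    pthread_mutex_unlock(&q->lock);
    pthread_join(q->thread, NULL);
    pthread_cond_destroy(&q->cv);
    pthread_mutex_destroy(&q->lock);
}

static bool schedule_work(struct wq *q, struct work *w)
{
    pthread_mutex_lock(&q->lock);
    bool queued = !w->pending;           /* like the kernel: no double queueing */
    if (queued) { w->pending = true; q->queued = w; pthread_cond_broadcast(&q->cv); }
    pthread_mutex_unlock(&q->lock);
    return queued;
}

/* Same contract as the kernel call: drop a pending instance, then wait for an
 * instance that is already running to finish before returning. */
static bool cancel_work_sync(struct wq *q, struct work *w)
{
    pthread_mutex_lock(&q->lock);
    bool was_pending = w->pending;
    if (was_pending) { w->pending = false; q->queued = NULL; }
    while (w->running)
        pthread_cond_wait(&q->cv, &q->lock);
    pthread_mutex_unlock(&q->lock);
    return was_pending;
}

#define ALIVE 0x52415642u
#define FREED 0xdeadbeefu

struct model_priv {          /* stand-in for the driver's private data */
    struct work work;        /* first member, so the work pointer is the priv pointer */
    uint32_t magic;          /* ALIVE until the stand-in for free_netdev() runs */
    unsigned tx_restarts;
};

static unsigned use_after_teardown;   /* written by the worker, read after join */

static void tx_timeout_work(struct work *w)
{
    struct model_priv *priv = (struct model_priv *)w;
    if (priv->magic != ALIVE) {       /* in the real driver this is the use-after-free */
        use_after_teardown++;
        return;
    }
    priv->tx_restarts++;
}

/* Replays the interleaving from the commit message.  Returns how many times
 * the deferred work touched the torn-down priv; 0 is the correct answer. */
static unsigned run_teardown(bool cancel_before_free)
{
    struct wq q;
    struct model_priv *priv = calloc(1, sizeof *priv);
    if (!priv) return (unsigned)-1;
    priv->magic = ALIVE;
    priv->work.fn = tx_timeout_work;
    use_after_teardown = 0;
    wq_start(&q);

    schedule_work(&q, &priv->work);          /* CPU0: ravb_tx_timeout() */
    if (cancel_before_free)                  /* CPU1: unregister_netdev() -> .ndo_stop() */
        cancel_work_sync(&q, &priv->work);
    priv->magic = FREED;                     /* CPU1: free_netdev(ndev); memory kept so the model stays defined */
    wq_open_gate(&q);                        /* CPU0's worker finally runs */
    wq_stop(&q);
    free(priv);
    return use_after_teardown;
}

int main(void)
{
    printf("without cancel_work_sync: %u stale use(s)\n", run_teardown(false));
    printf("with    cancel_work_sync: %u stale use(s)\n", run_teardown(true));
    return 0;
}
```

Build with `cc -pthread`. The model keeps both halves of the real contract: a pending instance is dropped, and a running one is waited for on the condition variable, which is why the call must sit before free_netdev() and, as in the hunk, before free_irq(); the gate only exists so that the losing interleaving is reproduced every time instead of depending on the scheduler.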