From patchwork Fri Feb 21 16:56:28 2025
X-Patchwork-Submitter: Paul Barker
X-Patchwork-Id: 13986039
From: Paul Barker
To: Pavel Machek, Nobuhiro Iwamatsu
Cc: cip-dev@lists.cip-project.org
Subject: [PATCH 4.19.y-st] ravb: Fix use-after-free issue in ravb_tx_timeout_work()
Date: Fri, 21 Feb 2025 16:56:28 +0000
Message-ID: <20250221165628.357818-1-paul.barker.ct@bp.renesas.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/17880
From: Yoshihiro Shimoda

commit 3971442870713de527684398416970cf025b4f89 upstream.

The ravb_stop() should call cancel_work_sync(). Otherwise,
ravb_tx_timeout_work() can use the freed priv after ravb_remove()
was called like below:

CPU0                    CPU1
ravb_tx_timeout()
                        ravb_remove()
                         unregister_netdev()
                         free_netdev(ndev)
                         // free priv
ravb_tx_timeout_work()
 // use priv

unregister_netdev() will call .ndo_stop() so that ravb_stop() is called.
And, after phy_stop() is called, netif_carrier_off() is also called.
So .ndo_tx_timeout() will not be called after phy_stop().

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Reported-by: Zheng Wang
Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/
Signed-off-by: Yoshihiro Shimoda
Reviewed-by: Sergey Shtylyov
Link: https://lore.kernel.org/r/20231005011201.14368-3-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Paul Barker
---
This patch has been tested on RZ/G2H using the linux-4.19.y-cip tree, but
I'm sending it for linux-4.19.y-st as the issue is also present there. I
currently have no way to test the -st tree without the corresponding cip
patches.

This patch addresses CVE-2023-35827.

 drivers/net/ethernet/renesas/ravb_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 3cfcc9e3c35d..2e5a109655c9 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -1714,6 +1714,8 @@ static int ravb_close(struct net_device *ndev)
 		of_phy_deregister_fixed_link(np);
 	}
 
+	cancel_work_sync(&priv->work);
+
 	if (priv->chip_id != RCAR_GEN2) {
 		free_irq(priv->tx_irqs[RAVB_NC], ndev);
 		free_irq(priv->rx_irqs[RAVB_NC], ndev);
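Review bot: the position of the new cancel_work_sync(&priv->work) call is the part worth checking, and it looks right: it comes after the PHY teardown (the of_phy_deregister_fixed_link() context above it) and before the free_irq() calls. Per the commit message the watchdog stops invoking .ndo_tx_timeout() once phy_stop() has taken the carrier down, so cancelling only after that point guarantees nothing can re-queue priv->work behind the cancel; hoisting the call above the PHY teardown would leave a window in which a late Tx timeout re-arms the work. One wording nit for the changelog rather than the code: the message says "ravb_stop() should call cancel_work_sync()", but the function patched here is ravb_close(), which is the .ndo_stop() callback the message goes on to describe, so the two refer to the same path.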
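The race in the commit message, reduced to a userspace model so the ordering can be stepped through. This is an added example, not code from the kernel, the ravb driver or this patch: the workqueue, net_device, watchdog and driver callbacks below are constructed stand-ins that keep the shape of the kernel APIs the message names, and PRIV_MAGIC, PRIV_FREED, uaf_hits and the scenario_* functions are assumptions of the model. free_netdev() poisons the private data instead of releasing it so the demo itself stays memory-safe. The third scenario goes beyond the patch to show why the cancel has to follow phy_stop()'s netif_carrier_off(): cancelling first leaves a window in which a fresh timeout re-queues the work.

```c
/* Added userspace model of the ravb_tx_timeout_work() race; not kernel code.
 * Workqueue, netdev, watchdog and driver callbacks are constructed stand-ins
 * shaped like the kernel APIs named in the commit message. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define PRIV_MAGIC 0x52415642u /* live ravb_private (assumed marker) */
#define PRIV_FREED 0xdeadbeefu /* poison left by free_netdev() (assumed) */

struct work_struct;
typedef void (*work_func_t)(struct work_struct *);
struct work_struct {
	work_func_t func;
	bool pending;
};

/* Single-slot stand-in for the system workqueue, drained by run_worker(). */
static struct work_struct *pending_work;

static void INIT_WORK(struct work_struct *w, work_func_t f)
{
	w->func = f;
	w->pending = false;
}

static void queue_work(struct work_struct *w)
{
	if (!w->pending) {
		w->pending = true;
		pending_work = w;
	}
}

/* The kernel's cancel_work_sync() also waits for a running handler; this
 * single-threaded model only needs the "drop it while pending" half. */
static void cancel_work_sync(struct work_struct *w)
{
	if (w->pending) {
		w->pending = false;
		pending_work = NULL;
	}
}

static void run_worker(void)
{
	struct work_struct *w = pending_work;
	if (!w)
		return;
	pending_work = NULL;
	w->pending = false;
	w->func(w);
}

struct net_device;
struct ravb_private {
	struct net_device *ndev;
	struct work_struct work;
	unsigned int magic;
};
struct net_device {
	bool carrier_ok;
	struct ravb_private priv; /* netdev_priv() area, freed with ndev */
};

static int uaf_hits; /* handler ran against poisoned (freed) priv */

static void ravb_tx_timeout_work(struct work_struct *work)
{
	struct ravb_private *priv = container_of(work, struct ravb_private, work);
	if (priv->magic != PRIV_MAGIC)
		uaf_hits++; /* the real handler would rebuild freed DMA rings here */
}

static void ravb_tx_timeout(struct net_device *ndev) { queue_work(&ndev->priv.work); }

/* dev_watchdog() only calls .ndo_tx_timeout() while the carrier is up,
 * which is why netif_carrier_off() in phy_stop() stops new timeouts. */
static void dev_watchdog(struct net_device *ndev) { if (ndev->carrier_ok) ravb_tx_timeout(ndev); }
static void phy_stop(struct net_device *ndev) { ndev->carrier_ok = false; }

static void ravb_close_unpatched(struct net_device *ndev) { phy_stop(ndev); }
static void ravb_close_patched(struct net_device *ndev)
{
	phy_stop(ndev);
	cancel_work_sync(&ndev->priv.work);
}
/* Wrong order: a timeout landing after the cancel but before carrier-off
 * re-queues the work, and the race is back. */
static void ravb_close_cancel_too_early(struct net_device *ndev)
{
	cancel_work_sync(&ndev->priv.work);
	dev_watchdog(ndev); /* constructed: late Tx timeout in the window */
	phy_stop(ndev);
}

static void free_netdev(struct net_device *ndev) { ndev->priv.magic = PRIV_FREED; }

/* CPU0 queues the timeout work, CPU1 tears the device down, then the
 * worker runs. Returns how often the handler saw freed priv data. */
static int run_scenario(void (*ndo_stop)(struct net_device *))
{
	struct net_device *ndev = calloc(1, sizeof(*ndev));
	if (!ndev)
		return -1;
	uaf_hits = 0;
	pending_work = NULL;
	INIT_WORK(&ndev->priv.work, ravb_tx_timeout_work); /* ravb_open() */
	ndev->priv.ndev = ndev;
	ndev->priv.magic = PRIV_MAGIC;
	ndev->carrier_ok = true;

	dev_watchdog(ndev); /* CPU0: ravb_tx_timeout() queues the work */
	ndo_stop(ndev);     /* CPU1: unregister_netdev() -> .ndo_stop() */
	free_netdev(ndev);  /* CPU1: priv is gone */
	run_worker();       /* ravb_tx_timeout_work() finally runs */
	int hits = uaf_hits;
	free(ndev);
	return hits;
}

int scenario_unpatched(void) { return run_scenario(ravb_close_unpatched); }
int scenario_patched(void) { return run_scenario(ravb_close_patched); }
int scenario_cancel_too_early(void) { return run_scenario(ravb_close_cancel_too_early); }

int main(void)
{
	printf("unpatched close:           %d use-after-free\n", scenario_unpatched());
	printf("patched close:             %d use-after-free\n", scenario_patched());
	printf("cancel before carrier off: %d use-after-free\n", scenario_cancel_too_early());
	return 0;
}
```

Build with `cc -Wall -o ravb_race ravb_race.c && ./ravb_race`. The unpatched close and the cancel-too-early close each report one access to freed private data; only the ordering used in the hunk (carrier down first, then cancel_work_sync()) reports zero.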