Message ID | 20240917191255.1436553-1-eajames@linux.ibm.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Netdev Maintainers |
Series | net/ncsi: Cancel the ncsi work before freeing the associated structure |
On 9/17/24 21:12, Eddie James wrote: > The work function can run after the ncsi device is freed, resulting > in use-after-free bugs or kernel panic. > > Fixes: 2d283bdd079c ("net/ncsi: Resource management") > Signed-off-by: Eddie James <eajames@linux.ibm.com> > --- > net/ncsi/ncsi-manage.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c > index 5ecf611c8820..3eda24eac668 100644 > --- a/net/ncsi/ncsi-manage.c > +++ b/net/ncsi/ncsi-manage.c > @@ -1954,6 +1954,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) > list_del_rcu(&ndp->node); > spin_unlock_irqrestore(&ncsi_dev_lock, flags); > > + cancel_work_sync(&ndp->work); Possibly disable_work_sync(), just to be on the safe side? Thanks, Paolo
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index 5ecf611c8820..3eda24eac668 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1954,6 +1954,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) list_del_rcu(&ndp->node); spin_unlock_irqrestore(&ncsi_dev_lock, flags); + cancel_work_sync(&ndp->work); + kfree(ndp); } EXPORT_SYMBOL_GPL(ncsi_unregister_dev);
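Review bot: The added `cancel_work_sync(&ndp->work)` ahead of `kfree(ndp)` only deals with work that is already queued or running at that moment; nothing visible in this hunk prevents `ndp->work` from being queued again between the cancel and the free, which would leave the same use-after-free in place. Either switch to `disable_work_sync(&ndp->work)`, as raised in the reply, so that later queue attempts are rejected, or explain in the commit message which paths schedule this work and why they are already quiesced once `list_del_rcu(&ndp->node)` has run and the lock is dropped. The commit message would also be stronger if it named the path by which the work function can run after the free.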
The work function can run after the ncsi device is freed, resulting
in use-after-free bugs or kernel panic.

Fixes: 2d283bdd079c ("net/ncsi: Resource management")
Signed-off-by: Eddie James <eajames@linux.ibm.com>
---
 net/ncsi/ncsi-manage.c | 2 ++
 1 file changed, 2 insertions(+)