net: ncsi: Prevent use-after-free in workqueues (torvalds#318)

Workqueues can run after being canceled, so prevent further scheduling.

Signed-off-by: Eddie James <[email protected]>
Co-authored-by: Eddie James <[email protected]>

Author: 2 people

drivers/net/ethernet/faraday/ftgmac100.c

@@ -109,6 +109,7 @@ struct ftgmac100 {
 	/* Misc */
 	bool need_mac_restart;
 	bool is_aspeed;
+	bool shutdown;
 };
 
 static int ftgmac100_reset_mac(struct ftgmac100 *priv, u32 maccr)
@@ -1110,7 +1111,7 @@ ftgmac100_set_ringparam(struct net_device *netdev,
 
 	priv->new_rx_q_entries = ering->rx_pending;
 	priv->new_tx_q_entries = ering->tx_pending;
-	if (netif_running(netdev))
+	if (netif_running(netdev) && !priv->shutdown)
 		schedule_work(&priv->reset_task);
 
 	return 0;
@@ -1188,7 +1189,8 @@ static irqreturn_t ftgmac100_interrupt(int irq, void *dev_id)
 				netdev_warn(netdev,
 					   "AHB bus error ! Resetting chip.\n");
 			iowrite32(0, priv->base + FTGMAC100_OFFSET_IER);
-			schedule_work(&priv->reset_task);
+			if (!priv->shutdown)
+				schedule_work(&priv->reset_task);
 			return IRQ_HANDLED;
 		}
 
@@ -1600,7 +1602,8 @@ static void ftgmac100_tx_timeout(struct net_device *netdev, unsigned int txqueue
 	iowrite32(0, priv->base + FTGMAC100_OFFSET_IER);
 
 	/* Do the reset outside of interrupt context */
-	schedule_work(&priv->reset_task);
+	if (!priv->shutdown)
+		schedule_work(&priv->reset_task);
 }
 
 static int ftgmac100_set_features(struct net_device *netdev,
@@ -2032,6 +2035,7 @@ static int ftgmac100_remove(struct platform_device *pdev)
 	/* There's a small chance the reset task will have been re-queued,
 	 * during stop, make sure it's gone before we free the structure.
 	 */
+	priv->shutdown = true;
 	cancel_work_sync(&priv->reset_task);
 
 	ftgmac100_phy_disconnect(netdev);

net/ncsi/internal.h

@@ -318,6 +318,7 @@ struct ncsi_dev_priv {
 #define NCSI_DEV_HWA		2            /* Enabled HW arbitration     */
 #define NCSI_DEV_RESHUFFLE	4
 #define NCSI_DEV_RESET		8            /* Reset state of NC          */
+#define NCSI_DEV_SHUTDOWN	16
 	unsigned int        gma_flag;        /* OEM GMA flag               */
 	spinlock_t          lock;            /* Protect the NCSI device    */
 	unsigned int        package_probe_id;/* Current ID during probe    */

net/ncsi/ncsi-manage.c

@@ -410,7 +410,7 @@ void ncsi_free_request(struct ncsi_request *nr)
 	driven = !!(nr->flags & NCSI_REQ_FLAG_EVENT_DRIVEN);
 	spin_unlock_irqrestore(&ndp->lock, flags);
 
-	if (driven && cmd && --ndp->pending_req_num == 0)
+	if (driven && cmd && --ndp->pending_req_num == 0 && !(ndp->flags & NCSI_DEV_SHUTDOWN))
 		schedule_work(&ndp->work);
 
 	/* Release command and response */
@@ -1055,7 +1055,7 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
 		ret = ncsi_gma_handler(&nca, nc->version.mf_id);
 #endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
 
-		if (ret < 0)
+		if (ret < 0 && !(ndp->flags & NCSI_DEV_SHUTDOWN))
 			schedule_work(&ndp->work);
 
 		break;
@@ -1079,7 +1079,8 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
 			ret = clear_one_vid(ndp, nc, &nca);
 			if (ret) {
 				nd->state = ncsi_dev_state_config_svf;
-				schedule_work(&ndp->work);
+				if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+					schedule_work(&ndp->work);
 				break;
 			}
 			/* Repeat */
@@ -1089,7 +1090,8 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
 			ret = set_one_vid(ndp, nc, &nca);
 			if (ret) {
 				nd->state = ncsi_dev_state_config_ev;
-				schedule_work(&ndp->work);
+				if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+					schedule_work(&ndp->work);
 				break;
 			}
 			/* Repeat */
@@ -1396,15 +1398,17 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
 		if (!ndp->active_package) {
 			/* No response */
 			nd->state = ncsi_dev_state_probe_dp;
-			schedule_work(&ndp->work);
+			if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+				schedule_work(&ndp->work);
 			break;
 		}
 		nd->state = ncsi_dev_state_probe_cis;
 		if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC) &&
 		    ndp->mlx_multi_host)
 			nd->state = ncsi_dev_state_probe_mlx_gma;
 
-		schedule_work(&ndp->work);
+		if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+			schedule_work(&ndp->work);
 		break;
 #if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
 	case ncsi_dev_state_probe_mlx_gma:
@@ -1825,7 +1829,8 @@ int ncsi_start_dev(struct ncsi_dev *nd)
 	if (!(ndp->flags & NCSI_DEV_PROBED)) {
 		ndp->package_probe_id = 0;
 		nd->state = ncsi_dev_state_probe;
-		schedule_work(&ndp->work);
+		if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+			schedule_work(&ndp->work);
 		return 0;
 	}
 
@@ -1947,7 +1952,8 @@ int ncsi_reset_dev(struct ncsi_dev *nd)
 	spin_unlock_irqrestore(&ndp->lock, flags);
 
 	nd->state = ncsi_dev_state_suspend;
-	schedule_work(&ndp->work);
+	if (!(ndp->flags & NCSI_DEV_SHUTDOWN))
+		schedule_work(&ndp->work);
 	return 0;
 }
 
@@ -1966,6 +1972,7 @@ void ncsi_unregister_dev(struct ncsi_dev *nd)
 	list_del_rcu(&ndp->node);
 	spin_unlock_irqrestore(&ncsi_dev_lock, flags);
 
+	ndp->flags |= NCSI_DEV_SHUTDOWN;
 	cancel_work_sync(&ndp->work);
 
 	kfree(ndp);