Message-ID: <aXr_DNapxeHpuWt1@pek-khao-d3>
Date: Thu, 29 Jan 2026 14:32:44 +0800
From: Kevin Hao <haokexin@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: netdev@...r.kernel.org, stable@...r.kernel.org,
	Siddharth Vadapalli <s-vadapalli@...com>,
	Roger Quadros <rogerq@...nel.org>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
	Vladimir Oltean <vladimir.oltean@....com>,
	Kuniyuki Iwashima <kuniyu@...gle.com>, linux-omap@...r.kernel.org
Subject: Re: [PATCH net v3] net: cpsw_new: Execute ndo_set_rx_mode callback
 in a work queue

On Tue, Jan 27, 2026 at 07:08:36PM -0800, Jakub Kicinski wrote:
> On Tue, 27 Jan 2026 16:02:07 +0800 Kevin Hao wrote:
> > To resolve this issue, we opt to execute the actual processing within
> > a work queue, following the approach used by the icssg-prueth driver.
> 
> Code looks good now, but why are you creating a workqueue for this one
> work? Can't you use the system wq and just cancel it sync where you had
> the wq destroy?

This implementation was adapted from the icssg-prueth driver. After reviewing
the git history, I found no explicit rationale for using a dedicated workqueue.
In my opinion, if we were to use the system wq and rely on cancel_work_sync()
before unregister_netdev(), a race condition could arise between these two calls.
Specifically, cpsw_ndo_set_rx_mode_work() might be scheduled during this interval
and run after the net device is unregistered, leading to a use-after-free bug.

While reviewing the code, I noticed that in the current implementation, we may
need to move the destroy_workqueue() call after unregister_netdev(). Otherwise,
there is a risk of encountering a use-after-free bug related to the dedicated workqueue.

> 
> BTW you're fixing drivers/net/ethernet/ti/cpsw_new.c I think
> drivers/net/ethernet/ti/cpsw.c has an identical bug, no?

Yes, as noted in the patch comment area, I plan to address the same issue in
drivers/net/ethernet/ti/cpsw.c once this patch is approved.

Thanks,
Kevin
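
The teardown orderings discussed in this message, as an added example: a userspace model, not code from the patch or from either driver. It tries every point at which an rx-mode callback could arrive and reports whether queued work could touch freed memory. The step names mirror the kernel calls, the model and the four order arrays are constructed for illustration, and cancel_last is included for comparison only, it is not proposed in the message.

```c
#include <stdbool.h>

/* Constructed userspace model: step names mirror the kernel calls in the
 * thread, but nothing here is kernel or driver code. */
enum step { CANCEL_WORK_SYNC, DESTROY_WORKQUEUE, UNREGISTER_NETDEV, FREE_PRIV };
struct model { bool registered, priv_freed, wq_destroyed, work_pending, uaf; };
const enum step cancel_first[]  = { CANCEL_WORK_SYNC, UNREGISTER_NETDEV, FREE_PRIV };
const enum step cancel_last[]   = { UNREGISTER_NETDEV, CANCEL_WORK_SYNC, FREE_PRIV };
const enum step destroy_first[] = { DESTROY_WORKQUEUE, UNREGISTER_NETDEV, FREE_PRIV };
const enum step destroy_last[]  = { UNREGISTER_NETDEV, DESTROY_WORKQUEUE, FREE_PRIV };

/* Assumption: the stack may call ndo_set_rx_mode at any time while the
 * netdev is registered, and the callback only queues the work item. */
static void ndo_set_rx_mode(struct model *m)
{
    if (m->registered && m->wq_destroyed)
        m->uaf = true;           /* queued on an already destroyed workqueue */
    else if (m->registered)
        m->work_pending = true;
}

/* Replay one order with a callback injected after step `at` (-1: before all). */
static bool replay(const enum step *order, int n, int at)
{
    struct model m = { .registered = true };
    if (at < 0)
        ndo_set_rx_mode(&m);
    for (int i = 0; i < n; i++) {
        switch (order[i]) {
        case CANCEL_WORK_SYNC:  m.work_pending = false; break;
        case DESTROY_WORKQUEUE: m.work_pending = false; m.wq_destroyed = true; break;
        case UNREGISTER_NETDEV: m.registered = false; break;
        case FREE_PRIV:         m.priv_freed = true; break;
        }
        if (i == at)
            ndo_set_rx_mode(&m);
    }
    /* Worst case: work still pending runs after the private data is freed. */
    return m.uaf || (m.work_pending && m.priv_freed);
}

/* True if some callback timing makes this teardown order touch freed memory. */
bool order_is_racy(const enum step *order, int n)
{
    for (int at = -1; at < n; at++)
        if (replay(order, n, at))
            return true;
    return false;
}
```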
