From patchwork Fri May 31 19:15:50 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Robert Hancock <hancock@sedsystems.ca>
X-Patchwork-Id: 1108544
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=sedsystems.ca
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45FvLk2L20z9s3Z
	for <patchwork-incoming-netdev@ozlabs.org>;
	Sat,  1 Jun 2019 05:16:14 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1727164AbfEaTQL (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Fri, 31 May 2019 15:16:11 -0400
Received: from sed198n136.SEDSystems.ca ([198.169.180.136]:44724 "EHLO
	sed198n136.sedsystems.ca" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1726807AbfEaTQL (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 31 May 2019 15:16:11 -0400
Received: from barney.sedsystems.ca (barney [198.169.180.121])
	by sed198n136.sedsystems.ca  with ESMTP id x4VJGAqE005235
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NOT)
	for <netdev@vger.kernel.org>; Fri, 31 May 2019 13:16:10 -0600 (CST)
Received: from SED.RFC1918.192.168.sedsystems.ca (eng1n65.eng.sedsystems.ca
	[172.21.1.65])
	by barney.sedsystems.ca (8.14.7/8.14.4) with ESMTP id x4VJG6dn007508
	(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO); Fri, 31 May 2019 13:16:10 -0600
From: Robert Hancock <hancock@sedsystems.ca>
To: netdev@vger.kernel.org
Cc: Robert Hancock <hancock@sedsystems.ca>
Subject: [PATCH net-next] net: phy: Ensure scheduled work is cancelled
	during removal
Date: Fri, 31 May 2019 13:15:50 -0600
Message-Id: <1559330150-30099-2-git-send-email-hancock@sedsystems.ca>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1559330150-30099-1-git-send-email-hancock@sedsystems.ca>
References: <1559330150-30099-1-git-send-email-hancock@sedsystems.ca>
X-Scanned-By: MIMEDefang 2.64 on 198.169.180.136
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

It is possible that scheduled work started by the PHY driver is still
outstanding when phy_device_remove is called if the PHY was initially
started but never connected, and therefore phy_disconnect is never
called. phy_stop does not guarantee that the scheduled work is stopped
because it is called under rtnl_lock. This can cause an oops due to
use-after-free if the delayed work fires after freeing the PHY device.

Ensure that the state_queue work is cancelled in both phy_device_remove
and phy_remove paths.

Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
---
 drivers/net/phy/phy_device.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 2c879ba..1c90b33 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -877,6 +877,8 @@ int phy_device_register(struct phy_device *phydev)
  */
 void phy_device_remove(struct phy_device *phydev)
 {
+	cancel_delayed_work_sync(&phydev->state_queue);
+
 	device_del(&phydev->mdio.dev);
 
 	/* Assert the reset signal */