From: Rosen Penev
To: netdev@vger.kernel.org
Cc: Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Rosen Penev, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH net] net: ibm: emac: Fix use-after-free during device removal
Date: Wed, 3 Jun 2026 15:12:17 -0700
Message-ID: <20260603221217.55592-1-rosenp@gmail.com>

The driver was using devm_register_netdev() which causes unregister_netdev()
to be deferred until the devres cleanup phase, which runs after emac_remove()
returns. This creates a use-after-free window where:

1. emac_remove() is called, which tears down hardware (cancels work, detaches
   modules, unregisters from MAL)
2. emac_remove() returns
3. devres cleanup runs and finally calls unregister_netdev()

During step 3, the network stack might still process packets, triggering
emac_irq(), emac_poll(), or other handlers that access now-freed hardware
resources (dev->emacp, dev->mal, etc.).

Fix this by replacing devm_register_netdev() with manual register_netdev()
and calling unregister_netdev() at the beginning of emac_remove(), before
any hardware teardown. This ensures the network device is fully stopped and
unregistered before hardware resources are released.

The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that
  could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so
  emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device

Fixes: a4dd8535a527 ("net: ibm: emac: use devm for register_netdev")
Assisted-by: opencode:big-pickle
Signed-off-by: Rosen Penev Reviewed-by: Jacob Keller --- drivers/net/ethernet/ibm/emac/core.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ib= m/emac/core.c index d9bbcfbcf60e..00a36c839d82 100644 --- a/drivers/net/ethernet/ibm/emac/core.c +++ b/drivers/net/ethernet/ibm/emac/core.c @@ -3151,7 +3151,7 @@ static int emac_probe(struct platform_device *ofdev) netif_carrier_off(ndev); - err =3D devm_register_netdev(&ofdev->dev, ndev); + err =3D register_netdev(ndev); if (err) { printk(KERN_ERR "%pOF: failed to register net device (%d)!\n", np, err); @@ -3204,6 +3204,13 @@ static void emac_remove(struct platform_device *ofde= v) DBG(dev, "remove" NL); + /* Unregister network device before tearing down hardware + * to prevent use-after-free during deferred cleanup. This ensures + * the network stack stops all operations before hardware resources + * are released. + */ + unregister_netdev(dev->ndev); + cancel_work_sync(&dev->reset_work); if (emac_has_feature(dev, EMAC_FTR_HAS_TAH)) -- 2.54.0
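Review bot: In the emac_probe() hunk, replacing devm_register_netdev() with register_netdev(ndev) drops the automatic unregister on a later probe failure, and the hunk shows only the `if (err)` branch for the registration call itself. If any step after this call in emac_probe() can still return an error, that path now needs an explicit unregister_netdev(ndev), because emac_remove() is not run for a probe that failed. Please confirm registration is the last fallible step in probe, or add the unwind.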
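Review bot: The comment added above unregister_netdev(dev->ndev) in emac_remove() justifies the call with "use-after-free during deferred cleanup", but once devm_register_netdev() is gone from emac_probe() there is no deferred unregister left, so the comment describes the bug being fixed rather than the code as it stands. Suggest stating the ordering rule instead, for example "Unregister the netdev first so the stack is quiesced before the hardware is torn down", and leaving the history to the commit message. Separately, the call is unconditional, so its safety rests on emac_remove() running exactly once for a registered device; it would help to say that in the commit message rather than lean on unregister_netdev() being idempotent.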