linux/drivers/net/usb
Tuomas Tynkkynen b835a71ef6 usbnet: smsc95xx: Fix use-after-free after removal
Syzbot reports an use-after-free in workqueue context:

BUG: KASAN: use-after-free in mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
 mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
 __smsc95xx_mdio_read drivers/net/usb/smsc95xx.c:217 [inline]
 smsc95xx_mdio_read+0x583/0x870 drivers/net/usb/smsc95xx.c:278
 check_carrier+0xd1/0x2e0 drivers/net/usb/smsc95xx.c:644
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x2df/0x300 kernel/kthread.c:255

It looks like that smsc95xx_unbind() is freeing the structures that are
still in use by the concurrently running workqueue callback. Thus switch
to using cancel_delayed_work_sync() to ensure the work callback really
is no longer active.

Reported-by: syzbot+29dc7d4ae19b703ff947@syzkaller.appspotmail.com
Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-06-22 16:34:31 -07:00
..
aqc111.c aqc111: cleanup mtu related logic 2019-05-16 14:22:13 -07:00
aqc111.h net: usb: aqc111: Use the correct style for SPDX License Identifier 2019-11-27 11:27:01 -08:00
asix_common.c net: usb: Merge cpu_to_le32s + memcpy to put_unaligned_le32 2019-07-22 20:44:14 -07:00
asix_devices.c net: usb: asix: init MAC address buffers 2019-07-02 15:24:48 -07:00
asix.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
ax88172a.c net: convert suitable drivers to use phy_do_ioctl_running 2020-01-23 10:49:30 +01:00
ax88179_178a.c net: usb: ax88179_178a: fix packet alignment padding 2020-06-17 14:58:11 -07:00
catc.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
cdc_eem.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
cdc_ether.c r8152: support additional Microsoft Surface Ethernet Adapter variant 2020-05-19 12:45:09 -07:00
cdc_mbim.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cdc_ncm.c cdc_ncm: Fix the build warning 2020-03-15 00:41:29 -07:00
cdc_subset.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
cdc-phonet.c net: usb: cdc-phonet: Replace zero-length array with flexible-array member 2020-02-17 19:05:05 -08:00
ch9200.c net: ch9200: remove unnecessary return 2020-01-07 13:30:36 -08:00
cx82310_eth.c cx82310_eth: fix a memory leak bug 2019-08-18 13:01:54 -07:00
dm9601.c
gl620a.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
hso.c usb: hso: correct debug message 2020-05-07 12:59:33 -07:00
huawei_cdc_ncm.c net: huawei_cdc_ncm: remove redundant assignment to variable ret 2020-05-10 11:13:07 -07:00
int51x1.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
ipheth.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
kalmia.c net: kalmia: fix memory leaks 2019-08-18 13:03:21 -07:00
kaweth.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
lan78xx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-01-26 10:40:21 +01:00
lan78xx.h
lg-vl600.c net: usb: Delete unnecessary checks before the macro call “dev_kfree_skb” 2019-08-22 16:22:03 -07:00
Makefile
mcs7830.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
net1080.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
pegasus.c pegasus: Remove pegasus' own workqueue 2020-04-02 17:58:25 -07:00
pegasus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
plusb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
qmi_wwan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
r8152.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
rndis_host.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
rtl8150.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
sierra_net.c net: sierra_net: Remove unused inline function 2020-05-05 12:07:43 -07:00
smsc75xx.c net: usb: Merge cpu_to_le32s + memcpy to put_unaligned_le32 2019-07-22 20:44:14 -07:00
smsc75xx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
smsc95xx.c usbnet: smsc95xx: Fix use-after-free after removal 2020-06-22 16:34:31 -07:00
smsc95xx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
sr9700.c drivers: net: Remove unnecessary semicolon 2019-03-01 23:13:49 -08:00
sr9700.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
sr9800.c net: usb: sr9800: fix uninitialized local variable 2019-10-15 21:02:12 -07:00
sr9800.h
usbnet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 15:15:05 -08:00
zaurus.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00