mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 13:53:33 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/net/usb
History
Tuomas Tynkkynen b835a71ef6 usbnet: smsc95xx: Fix use-after-free after removal 
Syzbot reports an use-after-free in workqueue context:

BUG: KASAN: use-after-free in mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
 mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
 __smsc95xx_mdio_read drivers/net/usb/smsc95xx.c:217 [inline]
 smsc95xx_mdio_read+0x583/0x870 drivers/net/usb/smsc95xx.c:278
 check_carrier+0xd1/0x2e0 drivers/net/usb/smsc95xx.c:644
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x2df/0x300 kernel/kthread.c:255

It looks like that smsc95xx_unbind() is freeing the structures that are
still in use by the concurrently running workqueue callback. Thus switch
to using cancel_delayed_work_sync() to ensure the work callback really
is no longer active.

Reported-by: syzbot+29dc7d4ae19b703ff947@syzkaller.appspotmail.com
Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-06-22 16:34:31 -07:00
..
aqc111.c
aqc111.h net: usb: aqc111: Use the correct style for SPDX License Identifier 2019-11-27 11:27:01 -08:00
asix.h
asix_common.c
asix_devices.c
ax88172a.c net: convert suitable drivers to use phy_do_ioctl_running 2020-01-23 10:49:30 +01:00
ax88179_178a.c net: usb: ax88179_178a: fix packet alignment padding 2020-06-17 14:58:11 -07:00
catc.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
cdc-phonet.c net: usb: cdc-phonet: Replace zero-length array with flexible-array member 2020-02-17 19:05:05 -08:00
cdc_eem.c
cdc_ether.c r8152: support additional Microsoft Surface Ethernet Adapter variant 2020-05-19 12:45:09 -07:00
cdc_mbim.c
cdc_ncm.c cdc_ncm: Fix the build warning 2020-03-15 00:41:29 -07:00
cdc_subset.c
ch9200.c net: ch9200: remove unnecessary return 2020-01-07 13:30:36 -08:00
cx82310_eth.c
dm9601.c
gl620a.c
hso.c usb: hso: correct debug message 2020-05-07 12:59:33 -07:00
huawei_cdc_ncm.c net: huawei_cdc_ncm: remove redundant assignment to variable ret 2020-05-10 11:13:07 -07:00
int51x1.c
ipheth.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
kalmia.c
kaweth.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
lan78xx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-01-26 10:40:21 +01:00
lan78xx.h
lg-vl600.c
Makefile
mcs7830.c
net1080.c
pegasus.c pegasus: Remove pegasus' own workqueue 2020-04-02 17:58:25 -07:00
pegasus.h
plusb.c
qmi_wwan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
r8152.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
rndis_host.c
rtl8150.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
sierra_net.c net: sierra_net: Remove unused inline function 2020-05-05 12:07:43 -07:00
smsc75xx.c
smsc75xx.h
smsc95xx.c usbnet: smsc95xx: Fix use-after-free after removal 2020-06-22 16:34:31 -07:00
smsc95xx.h
sr9700.c
sr9700.h
sr9800.c
sr9800.h
usbnet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 15:15:05 -08:00
zaurus.c