From patchwork Tue Oct 1 10:29:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11168449 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E02C316B1 for ; Tue, 1 Oct 2019 10:30:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BCAC821D71 for ; Tue, 1 Oct 2019 10:30:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569925801; bh=/lEzt9P9HwxVSvZi1nnfQ+ocCVdWy0iWyayDvC/51l8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=AbJNd+MJB2tcuJNFQKOnwlUsCwNoTqXHpQJ9rYeGJG0NWFHgVoQns0Tr4XaWc2c4i uhYBc37DJ8uy3o87c14FkIGDfyN3kIdvHRQZJ7GnEliMRwtmGNWh9WGI5CTho+M4MS YUy8LTKmEJjihtqcLPAI3dX8arrtek1IucWQcEBg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730680AbfJAK3l (ORCPT ); Tue, 1 Oct 2019 06:29:41 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:36534 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726655AbfJAK3k (ORCPT ); Tue, 1 Oct 2019 06:29:40 -0400 Received: by mail-lf1-f67.google.com with SMTP id x80so9464818lff.3; Tue, 01 Oct 2019 03:29:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=X4ymK0rjtC21S8mmu+jb54BEtu4vxPDPz2X3rodFDcE=; b=TnL/GwWiqoCUYpg7TGWhrqsur1ks3G/DOLPZ3RASf66fdoCOvQxM3ZGUMPkbvwnDo6 HewIHxAHJ/2lwkEi1h6Bhpuj88XAZm5eLz8KJVs02VWEIqjCMghmehJh3FxJEcO9FVOU mxByDRbJsCiBwnlo4Q0gJCBFdTjx3EPdxe3J7i6i/lzVpV9JqOKQQ2l1su3TjXk1v2n9 ycEIkuqOD4Ry+5oBkowhJVQUtQHXKYs+yHnSSh7xy7U1Ly4cUxXGEuu6/FLYJtci/8As BIfF1Jvt22zj+C2R+zW3B0PDSDCR9a458YT4oF5dcvhzs2pMOLkMgvhsvaXgCsYaM3Lh by3g== X-Gm-Message-State: APjAAAXvp4xyCbvNUhq1YT+AmBHIlXPDI1QYM7vBvwz5ntLhiaJNl2aT 7TRvLAUI/xXCK44xDBEE/54= X-Google-Smtp-Source: APXvYqzp2qPO8N0e/hx+heiBHZfiYdwL3P95gV/OAEGpNUR+SKZqRYWURTv0EzcOfWr70QTJy/lj/Q== X-Received: by 2002:a19:ef17:: with SMTP id n23mr13859903lfh.109.1569925778475; Tue, 01 Oct 2019 03:29:38 -0700 (PDT) Received: from xi.terra (c-51f1e055.07-184-6d6c6d4.bbcust.telenor.se. [85.224.241.81]) by smtp.gmail.com with ESMTPSA id s7sm3921124ljs.16.2019.10.01.03.29.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Oct 2019 03:29:37 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.92.2) (envelope-from ) id 1iFFPd-000365-VW; Tue, 01 Oct 2019 12:29:46 +0200 From: Johan Hovold To: Wolfgang Grandegger , Marc Kleine-Budde Cc: "David S. Miller" , linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Johan Hovold , stable , =?utf-8?b?UmVtaWdpdXN6IEtvxYLFgsSFdGFq?= , syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com Subject: [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Date: Tue, 1 Oct 2019 12:29:13 +0200 Message-Id: <20191001102914.4567-2-johan@kernel.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191001102914.4567-1-johan@kernel.org> References: <20191001102914.4567-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was accessing its driver data after having freed it. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Cc: stable # 4.12 Cc: Remigiusz Kołłątaj Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com Signed-off-by: Johan Hovold --- drivers/net/can/usb/mcba_usb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c index 19a702ac49e4..21faa2ec4632 100644 --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -876,9 +876,8 @@ static void mcba_usb_disconnect(struct usb_interface *intf) netdev_info(priv->netdev, "device disconnected\n"); unregister_candev(priv->netdev); - free_candev(priv->netdev); - mcba_urb_unlink(priv); + free_candev(priv->netdev); } static struct usb_driver mcba_usb_driver = { From patchwork Tue Oct 1 10:29:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 11168445 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 26D4316B1 for ; Tue, 1 Oct 2019 10:29:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0511121A4C for ; Tue, 1 Oct 2019 10:29:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1569925791; bh=q8IRWQ1G5Bh1/mdP9l3riudWvhpGZWC28wSYUMGfaJM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=bQmBo20bndFzq9ZZuU6/dnqaUQmEc2IZXeCisRbeqHOH7kKIoTy7+Y8gLY25ALoFK N0efI8xxmkTs9dxFWlWn4PGbgmfPJVcoFDdX/1vxmHO9JLZ6jp+CHihknxDAGNYDMN WedmEiL3Opq4TjMrKbV3QM1PJozKjwggm/ypzUGA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730749AbfJAK3m (ORCPT ); Tue, 1 Oct 2019 06:29:42 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:40220 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730006AbfJAK3l (ORCPT ); Tue, 1 Oct 2019 06:29:41 -0400 Received: by mail-lf1-f67.google.com with SMTP id d17so9452530lfa.7; Tue, 01 Oct 2019 03:29:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=XEBOz+FE2mSzj8bTRRBXElsPNG8TwUlMu3OH4VYCIKE=; b=naeKcQB6yQnQ+b9vyQKNOIoHnXnYPnL5nFnfd+2afwOHI8jPJhslaKcYNYm3eUOksW qYqcm3wnmSJG73TcFrcfKzDalgyfVAYgS7XVDNVQCAhXJfSt6ku2C0xqocvyt83s3g4/ S5MGIbLHFhgyuHCAN3VDiY+CWmWmIbFKNCVHbNOhNODfZ6J0OkGTf/sW4nipFZ+whHfj TRkaTevcseTGMtmHbrmREwc5DJRme7kmfIgnOBqSIhgPA6/4eCyKFBHppwhE8qWtTBbg 7TgqvqDE3KOoZthtIQUMyVPvqwgJYSHKZUwo4J6qM6YnMD2gWm+feWbHNaCPN9b/xJ4I 3FJw== X-Gm-Message-State: APjAAAVf+Xdari43MNKHE1WBsILbeA+ZydlnicUs7SAI4rBphLoYfI8F AC6+NhIRVUy/R0gNkoEJ+lw= X-Google-Smtp-Source: APXvYqyTHGCN3wYKNli04woh59rO57J3qnF9hWbaIix7kDk0xpaeXe/u/OtF/L7xZBxd3GVR+r4haw== X-Received: by 2002:a19:2313:: with SMTP id j19mr12881735lfj.138.1569925779217; Tue, 01 Oct 2019 03:29:39 -0700 (PDT) Received: from xi.terra (c-51f1e055.07-184-6d6c6d4.bbcust.telenor.se. [85.224.241.81]) by smtp.gmail.com with ESMTPSA id t16sm3920399ljj.29.2019.10.01.03.29.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Oct 2019 03:29:37 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.92.2) (envelope-from ) id 1iFFPe-00036A-2a; Tue, 01 Oct 2019 12:29:46 +0200 From: Johan Hovold To: Wolfgang Grandegger , Marc Kleine-Budde Cc: "David S. Miller" , linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Johan Hovold , stable , Bernd Krumboeck Subject: [PATCH 2/2] can: usb_8dev: fix use-after-free on disconnect Date: Tue, 1 Oct 2019 12:29:14 +0200 Message-Id: <20191001102914.4567-3-johan@kernel.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191001102914.4567-1-johan@kernel.org> References: <20191001102914.4567-1-johan@kernel.org> MIME-Version: 1.0 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver was accessing its driver data after having freed it. Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") Cc: stable # 3.9 Cc: Bernd Krumboeck Cc: Wolfgang Grandegger Signed-off-by: Johan Hovold --- drivers/net/can/usb/usb_8dev.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index d596a2ad7f78..8fa224b28218 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -996,9 +996,8 @@ static void usb_8dev_disconnect(struct usb_interface *intf) netdev_info(priv->netdev, "device disconnected\n"); unregister_netdev(priv->netdev); - free_candev(priv->netdev); - unlink_all_urbs(priv); + free_candev(priv->netdev); } }