* [PATCH 0/2] can: fix use-after-free on USB disconnect
@ 2019-10-01 10:29 Johan Hovold
2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
To: Wolfgang Grandegger, Marc Kleine-Budde
Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
Johan Hovold
Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
grep revealed a similar issue in usb_8dev.
Compile-tested only.
Johan
Johan Hovold (2):
can: mcba_usb: fix use-after-free on disconnect
can: usb_8dev: fix use-after-free on disconnect
drivers/net/can/usb/mcba_usb.c | 3 +--
drivers/net/can/usb/usb_8dev.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
--
2.23.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect
2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
@ 2019-10-01 10:29 ` Johan Hovold
2019-10-01 10:29 ` [PATCH 2/2] can: usb_8dev: " Johan Hovold
2019-10-04 20:45 ` [PATCH 0/2] can: fix use-after-free on USB disconnect Marc Kleine-Budde
2 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
To: Wolfgang Grandegger, Marc Kleine-Budde
Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
Johan Hovold, stable, Remigiusz Kołłątaj,
syzbot+e29b17e5042bbc56fae9
The driver was accessing its driver data after having freed it.
Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable <stable@vger.kernel.org> # 4.12
Cc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>
Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/net/can/usb/mcba_usb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 19a702ac49e4..21faa2ec4632 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -876,9 +876,8 @@ static void mcba_usb_disconnect(struct usb_interface *intf)
netdev_info(priv->netdev, "device disconnected\n");
unregister_candev(priv->netdev);
- free_candev(priv->netdev);
-
mcba_urb_unlink(priv);
+ free_candev(priv->netdev);
}
static struct usb_driver mcba_usb_driver = {
--
2.23.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] can: usb_8dev: fix use-after-free on disconnect
2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
@ 2019-10-01 10:29 ` Johan Hovold
2019-10-04 20:45 ` [PATCH 0/2] can: fix use-after-free on USB disconnect Marc Kleine-Budde
2 siblings, 0 replies; 4+ messages in thread
From: Johan Hovold @ 2019-10-01 10:29 UTC (permalink / raw)
To: Wolfgang Grandegger, Marc Kleine-Budde
Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb,
Johan Hovold, stable, Bernd Krumboeck
The driver was accessing its driver data after having freed it.
Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Cc: stable <stable@vger.kernel.org> # 3.9
Cc: Bernd Krumboeck <b.krumboeck@gmail.com>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/net/can/usb/usb_8dev.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
index d596a2ad7f78..8fa224b28218 100644
--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -996,9 +996,8 @@ static void usb_8dev_disconnect(struct usb_interface *intf)
netdev_info(priv->netdev, "device disconnected\n");
unregister_netdev(priv->netdev);
- free_candev(priv->netdev);
-
unlink_all_urbs(priv);
+ free_candev(priv->netdev);
}
}
--
2.23.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/2] can: fix use-after-free on USB disconnect
2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
2019-10-01 10:29 ` [PATCH 2/2] can: usb_8dev: " Johan Hovold
@ 2019-10-04 20:45 ` Marc Kleine-Budde
2 siblings, 0 replies; 4+ messages in thread
From: Marc Kleine-Budde @ 2019-10-04 20:45 UTC (permalink / raw)
To: Johan Hovold, Wolfgang Grandegger
Cc: David S. Miller, linux-can, netdev, linux-kernel, linux-usb
[-- Attachment #1.1: Type: text/plain, Size: 500 bytes --]
On 10/1/19 12:29 PM, Johan Hovold wrote:
> Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
> grep revealed a similar issue in usb_8dev.
>
> Compile-tested only.
Applied to can.
tnx,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-10-04 20:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-01 10:29 [PATCH 0/2] can: fix use-after-free on USB disconnect Johan Hovold
2019-10-01 10:29 ` [PATCH 1/2] can: mcba_usb: fix use-after-free on disconnect Johan Hovold
2019-10-01 10:29 ` [PATCH 2/2] can: usb_8dev: " Johan Hovold
2019-10-04 20:45 ` [PATCH 0/2] can: fix use-after-free on USB disconnect Marc Kleine-Budde
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).