b835a71ef6
Syzbot reports an use-after-free in workqueue context: BUG: KASAN: use-after-free in mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737 mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737 __smsc95xx_mdio_read drivers/net/usb/smsc95xx.c:217 [inline] smsc95xx_mdio_read+0x583/0x870 drivers/net/usb/smsc95xx.c:278 check_carrier+0xd1/0x2e0 drivers/net/usb/smsc95xx.c:644 process_one_work+0x777/0xf90 kernel/workqueue.c:2274 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420 kthread+0x2df/0x300 kernel/kthread.c:255 It looks like that smsc95xx_unbind() is freeing the structures that are still in use by the concurrently running workqueue callback. Thus switch to using cancel_delayed_work_sync() to ensure the work callback really is no longer active. Reported-by: syzbot+29dc7d4ae19b703ff947@syzkaller.appspotmail.com Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| aqc111.c | ||
| aqc111.h | ||
| asix.h | ||
| asix_common.c | ||
| asix_devices.c | ||
| ax88172a.c | ||
| ax88179_178a.c | ||
| catc.c | ||
| cdc-phonet.c | ||
| cdc_eem.c | ||
| cdc_ether.c | ||
| cdc_mbim.c | ||
| cdc_ncm.c | ||
| cdc_subset.c | ||
| ch9200.c | ||
| cx82310_eth.c | ||
| dm9601.c | ||
| gl620a.c | ||
| hso.c | ||
| huawei_cdc_ncm.c | ||
| int51x1.c | ||
| ipheth.c | ||
| kalmia.c | ||
| kaweth.c | ||
| lan78xx.c | ||
| lan78xx.h | ||
| lg-vl600.c | ||
| mcs7830.c | ||
| net1080.c | ||
| pegasus.c | ||
| pegasus.h | ||
| plusb.c | ||
| qmi_wwan.c | ||
| r8152.c | ||
| rndis_host.c | ||
| rtl8150.c | ||
| sierra_net.c | ||
| smsc75xx.c | ||
| smsc75xx.h | ||
| smsc95xx.c | ||
| smsc95xx.h | ||
| sr9700.c | ||
| sr9700.h | ||
| sr9800.c | ||
| sr9800.h | ||
| usbnet.c | ||
| zaurus.c | ||