References: <20210614153712.2172662-1-mudongliangabcd@gmail.com>
From: Dongliang Mu
Date: Tue, 15 Jun 2021 18:24:17 +0800
Subject: Re: [PATCH] net: usb: fix possible use-after-free in smsc75xx_bind
To: Greg KH
Cc: Steve Glendinning, "David S. Miller", Jakub Kicinski, Pavel Skripkin, netdev@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 15, 2021 at 6:10 PM Dongliang Mu wrote:
>
> On Tue, Jun 15, 2021 at 5:44 PM Greg KH wrote:
> >
> > On Tue, Jun 15, 2021 at 03:56:32PM +0800, Dongliang Mu wrote:
> > > On Tue, Jun 15, 2021 at 3:38 PM Greg KH wrote:
> > > >
> > > > On Mon, Jun 14, 2021 at 11:37:12PM +0800, Dongliang Mu wrote:
> > > > > The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
> > > > > fails to clean up the work scheduled in smsc75xx_reset->
> > > > > smsc75xx_set_multicast, which leads to use-after-free if the work is
> > > > > scheduled to start after the deallocation. In addition, this patch also
> > > > > removes one dangling pointer - dev->data[0].
> > > > >
> > > > > This patch calls cancel_work_sync to cancel the schedule work and set
> > > > > the dangling pointer to NULL.
> > > > >
> > > > > Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
> > > > > Signed-off-by: Dongliang Mu
> > > > > ---
> > > > >  drivers/net/usb/smsc75xx.c | 3 +++
> > > > >  1 file changed, 3 insertions(+)
> > > > >
> > > > > diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
> > > > > index b286993da67c..f81740fcc8d5 100644
> > > > > --- a/drivers/net/usb/smsc75xx.c
> > > > > +++ b/drivers/net/usb/smsc75xx.c
> > > > > @@ -1504,7 +1504,10 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
> > > > >  	return 0;
> > > > >
> > > > >  err:
> > > > > +	cancel_work_sync(&pdata->set_multicast);
> > > > >  	kfree(pdata);
> > > > > +	pdata = NULL;
> > > >
> > > > Why do you have to set pdata to NULL afterward?
> > > >
> > >
> > > It does not have to. pdata will be useless when the function exits. I
> > > just referred to the implementation of smsc75xx_unbind.
> >
> > It's wrong there too :)
>
> /: I will fix such two sites in the v2 patch.

Hi gregkh,

If the schedule_work is not invoked, can I call
``cancel_work_sync(&pdata->set_multicast)''? If not, is there any method
to verify if the schedule_work is already called?

Best regards,
Dongliang Mu
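Review bot: the `pdata = NULL;` added after `kfree(pdata);` in the `err:` path assigns to a function-local pointer that is not read again before `smsc75xx_bind` returns, so it is dead code (the point Greg raises in the thread); the useful change is to drop it and clear the pointer that outlives the function instead. The hunk header `@@ -1504,7 +1504,10 @@` and the diffstat (`3 insertions(+)`) account for three added lines, but only two `+` lines survive in the quoted hunk, while the commit message says the patch also clears the dangling `dev->data[0]`; the v2 should make sure that clearing is actually in the hunk and sits after `cancel_work_sync()` and before the free. On the question at the end of the mail: `cancel_work_sync()` on a work_struct that has been through `INIT_WORK` but was never queued simply returns false and is safe, so no separate "was it scheduled" check is needed; what does need confirming is that `INIT_WORK` has run on every path that reaches `err:`, since cancelling an uninitialised work item is not safe.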
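The following is an added example, not the patch above or the kernel's code: a single-threaded user-space model of the work_struct lifecycle that the mail's question turns on (schedule, cancel, free). The function names mirror the kernel API (INIT_WORK, schedule_work, cancel_work_sync, kfree), but every body is this model's own, the queue is a fixed array standing in for the kworker, and the model kfree() poisons the object instead of releasing it so the late worker's access stays observable. The return-value behaviour encoded for cancel_work_sync (false when the work was never pending, true when it was) is the kernel's documented semantics; the driver structure names and the error-path ordering are taken from the quoted hunk.

```c
/* Added example, not kernel code: user-space model of the work_struct
 * lifecycle behind smsc75xx_bind's error path. Names mirror the kernel
 * API; bodies, queue and kfree() are this model's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct;
typedef void (*work_func_t)(struct work_struct *);

struct work_struct {
	work_func_t func;
	bool pending;		/* queued and not yet run */
};

#define MAX_PENDING 8
static struct work_struct *queue[MAX_PENDING];	/* stands in for the kworker's list */
static size_t queue_len;

static void INIT_WORK(struct work_struct *w, work_func_t fn)
{
	w->func = fn;
	w->pending = false;
}

/* Queue w unless it is already pending; returns true when newly queued. */
static bool schedule_work(struct work_struct *w)
{
	if (w->pending)
		return false;
	if (queue_len == MAX_PENDING)
		abort();
	queue[queue_len++] = w;
	w->pending = true;
	return true;
}

/* Dequeue w if pending; returns whether it was. On an initialised work that
 * was never scheduled this just returns false, which answers the mail. */
static bool cancel_work_sync(struct work_struct *w)
{
	for (size_t i = 0; i < queue_len; i++) {
		if (queue[i] != w)
			continue;
		memmove(&queue[i], &queue[i + 1], (queue_len - i - 1) * sizeof(queue[0]));
		queue_len--;
		w->pending = false;
		return true;
	}
	return false;
}

/* Stands in for the kworker running later: executes queued work in order. */
static void run_pending_work(void)
{
	while (queue_len) {
		struct work_struct *w = queue[0];
		memmove(&queue[0], &queue[1], (queue_len - 1) * sizeof(queue[0]));
		queue_len--;
		w->pending = false;
		w->func(w);
	}
}

/* The driver's private data, with the work embedded as pdata->set_multicast is. */
struct smsc75xx_priv {
	int mcast_runs;
	struct work_struct set_multicast;
	bool freed;		/* model only: set by the model kfree() below */
};

static int use_after_free_hits;	/* how often the worker touched freed memory */

static void set_multicast_fn(struct work_struct *w)
{
	struct smsc75xx_priv *p = container_of(w, struct smsc75xx_priv, set_multicast);
	if (p->freed)
		use_after_free_hits++;	/* a real worker would dereference freed memory here */
	else
		p->mcast_runs++;
}

/* Model kfree(): poisons instead of releasing, so the late access stays defined. */
static void kfree(struct smsc75xx_priv *p)
{
	p->freed = true;
}

/* smsc75xx_bind's error path. scheduled: whether the reset got as far as
 * queueing set_multicast; cancel: whether the patch's cancel_work_sync is
 * present. Returns how many times the work ran against freed memory. */
static int bind_error_path(bool scheduled, bool cancel)
{
	struct smsc75xx_priv *pdata = calloc(1, sizeof(*pdata));
	use_after_free_hits = 0;
	INIT_WORK(&pdata->set_multicast, set_multicast_fn);
	if (scheduled)
		schedule_work(&pdata->set_multicast);
	/* err: */
	if (cancel)
		cancel_work_sync(&pdata->set_multicast);
	kfree(pdata);
	run_pending_work();		/* the kworker gets to run after the free */
	int hits = use_after_free_hits;
	free(pdata);			/* release the model's own allocation */
	return hits;
}

int main(void)
{
	printf("unpatched, work queued:     %d use-after-free\n", bind_error_path(true, false));
	printf("patched, work queued:       %d use-after-free\n", bind_error_path(true, true));
	printf("patched, work never queued: %d use-after-free\n", bind_error_path(false, true));
	return 0;
}
```

The three calls in main() are the three cases the thread discusses: the pre-patch path lets the queued work run against freed memory once, the patched path cancels it first, and cancelling a work item that was never queued is a harmless no-op, so the error path needs no bookkeeping about whether schedule_work() was reached.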