Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
grep revealed a similar issue in usb_8dev.
Compile-tested only.
Johan
Johan Hovold (2):
can: mcba_usb: fix use-after-free on disconnect
can: usb_8dev: fix use-after-free on disconnect
drivers/net/can/usb/mcba_usb.c | 3 +--
drivers/net/can/usb/usb_8dev.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
--
2.23.0
The driver was accessing its driver data after having freed it.
Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable <[email protected]> # 4.12
Cc: Remigiusz Kołłątaj <[email protected]>
Reported-by: [email protected]
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/net/can/usb/mcba_usb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index 19a702ac49e4..21faa2ec4632 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -876,9 +876,8 @@ static void mcba_usb_disconnect(struct usb_interface *intf)
netdev_info(priv->netdev, "device disconnected\n");
unregister_candev(priv->netdev);
- free_candev(priv->netdev);
-
mcba_urb_unlink(priv);
+ free_candev(priv->netdev);
}
static struct usb_driver mcba_usb_driver = {
--
2.23.0
On 10/1/19 12:29 PM, Johan Hovold wrote:
> Syzbot reported a use-after-free on disconnect in mcba_usb and a quick
> grep revealed a similar issue in usb_8dev.
>
> Compile-tested only.
Applied to can.
tnx,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |