Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9169208pxu;
        Mon, 28 Dec 2020 08:17:36 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzqG7I6zfmfURWdcNj0X8QUsOPMq+jarjTkgWPbHqlSeTdXcfDT/1tblPy5tlbPXQcsNXHF
X-Received: by 2002:a05:6402:31b5:: with SMTP id dj21mr43773041edb.90.1609172255778;
        Mon, 28 Dec 2020 08:17:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609172255; cv=none;
        d=google.com; s=arc-20160816;
        b=Ry4NXy7NRNQD1qxursJzKwD6rZGmS3OM6ceBVyy2+fqp/oYNYMO1dVtF2NGvnnebPe
         L3P20ZpIRQq7tUQJqJHIRCDR+JLtoDu/j8wq+3po6vWR9CYBh7ClCwbfBdVobpmdXvPy
         ZUHAzBG72yyIzzrgLMG63LPiwPvXL44Hz6gCzU66YRzegmhgTE2siBSfanA/a8vVAaLc
         8kf3yHcN4jKGqD2SOWyGM/xJJ6Zj3XvOmSB+IWBscXfYSz94FK22N7SIZjbOyPyjm/w7
         DNaiwSRcJ1OnAHuffj+zesSt0HW4JRbJk6SEjOS+5OZjLjalGMpmJF6JfyOV/tD6etQl
         mzDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=JLYeLZDvv1+9cVScPR9HVkqhbFlFVIWkKa3ceB+sZQ4=;
        b=B+kblARGPgM+oe2+G85vpje5hsMURbHdx0XaQDuplGRO2YGmTnEAr2koUGScIVz0Rk
         mqRuAk/g4CFMJ7MwyTStJ8C8LAd/zYJHKvEGLKbLOidMrFGeYptu7n/oZmE1LaXKj3I3
         dTjaU82Cn1u5Ls42wGK5hXTGVDrs4uopjOr3U/yIR/d65YhjGT0sDIVBti52Pd0ADl6o
         Y5oA6NSEJjth7NxwRXjFuTuCuRrCCcKJIV3N+X3sr/2RvhYqXtGgN0aDqAbSxhoxf/O+
         UNVQBcs9hcioDi3smRfeqEV7m8AzejvD+lQjkv3YM87M1AkbNDE0aOjVZx3FzTl49uD5
         nNKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ec8Mr3y6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id do13si18642305ejc.286.2020.12.28.08.17.12;
        Mon, 28 Dec 2020 08:17:35 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ec8Mr3y6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2633114AbgL1QPP (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Mon, 28 Dec 2020 11:15:15 -0500
Received: from mail.kernel.org ([198.145.29.99]:46694 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732488AbgL1NS3 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Dec 2020 08:18:29 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id D871520728;
        Mon, 28 Dec 2020 13:18:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1609161493;
        bh=/PTLzEj6cYwZZ5m034J/AABUbzuJX3HoHvn9889b3d0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Ec8Mr3y6XcH4FHai4KcKnHlIXScAKOnnYTUvp9DT3iXycynXnoqQEtQ8Q0XOT4QRO
         b+JfkvdB4/FvCBjvmsmbbygfpL0gfecCrmttZerh4Av4KnMfvvfh/le1vImViZ+3NH
         9t4nAWhLz61lVeYgvCPXQNiWqP02hKAF7RoF1QJ4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Johan Hovold <johan@kernel.org>
Subject: [PATCH 4.14 204/242] USB: serial: keyspan_pda: fix tx-unthrottle use-after-free
Date:   Mon, 28 Dec 2020 13:50:09 +0100
Message-Id: <20201228124914.727564931@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201228124904.654293249@linuxfoundation.org>
References: <20201228124904.654293249@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold <johan@kernel.org>

commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream.

The driver's transmit-unthrottle work was never flushed on disconnect,
something which could lead to the driver port data being freed while the
unthrottle work is still scheduled.

Fix this by cancelling the unthrottle work when shutting down the port.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/keyspan_pda.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -651,8 +651,12 @@ error:
 }
 static void keyspan_pda_close(struct usb_serial_port *port)
 {
+	struct keyspan_pda_private *priv = usb_get_serial_port_data(port);
+
 	usb_kill_urb(port->write_urb);
 	usb_kill_urb(port->interrupt_in_urb);
+
+	cancel_work_sync(&priv->unthrottle_work);
 }