Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9180042pxu; Mon, 28 Dec 2020 08:34:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJxUEYNmOrGXnsh2tDRTX+WVDjRM9YsrUZPbQmL/IXsmEcLt+dRoCRjMEm5GYfMjzW64rfGu X-Received: by 2002:a50:9f4e:: with SMTP id b72mr43237556edf.200.1609173244931; Mon, 28 Dec 2020 08:34:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609173244; cv=none; d=google.com; s=arc-20160816; b=JUk5RIIjvLLhlz6ajLbpeq6nJhZ8xliOgjNZokx5RmTc89E1BSjE82CUMtwjJW9aMs jG16DSh9rMzu3wN1uaMWb2xu15ujyacns0K7iNcpzwuwJRcpxaSJyVlj81X/UArq+bsM 2WER/HGKOhCb0c8FGNn+RY0vSp6IRRp+Exff93u4LiaBrhUpurjGtPfcpMc5oyaWeHxZ yytFIGSibyk2mJfjOC1P0gMFnC0diBW92TKv6GCLy0NCoJ4591jfDUlVK2stZlzqXRze 9Cp2SeozdItJWXwP/CKahd5PM5PDkG8TgpLzVP4vc/6TEkXCz52Pu74VbKa3ifFe4GC1 Yf8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=JLYeLZDvv1+9cVScPR9HVkqhbFlFVIWkKa3ceB+sZQ4=; b=WhgYTI4KmSSMh+E5oj2X6wXL/xt7kmuC2hoDgZfhAX82EnHpKn1tV0iH+LJrDN2GOT cOvO7mDcUlH7FyZMjw3kUCo7scsWJxl3cFfYB+x/L48mZzxcycJfZ1+FUO+qlwBJ8BE+ JWnQm8pntdIUWEKHN4ET/oJtBDAGw8kVixJyU2XwLFeNblSXBh+tH6FyObpreym4t9mD HHevp6x7GHXbZQj2TJdpHZyHU7oWO0qZSVfXk1aRYD/QPhTxQZUlwgfpClGXwMF2qVZB 40EweIaHOCC0w43D3Qz7Gsv/hFmA2NkKIPq3dyaDvpv1OVf6GXXNaS+GtQJ+jfrlR/Wg Y0Ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=b+oVZusG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o18si18483341eje.528.2020.12.28.08.33.42; Mon, 28 Dec 2020 08:34:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=b+oVZusG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729681AbgL1NGh (ORCPT + 99 others); Mon, 28 Dec 2020 08:06:37 -0500 Received: from mail.kernel.org ([198.145.29.99]:33926 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730744AbgL1NGI (ORCPT ); Mon, 28 Dec 2020 08:06:08 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 64DA422AAA; Mon, 28 Dec 2020 13:05:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1609160728; bh=/PTLzEj6cYwZZ5m034J/AABUbzuJX3HoHvn9889b3d0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b+oVZusG3A77u1nF+y0JqN1sQoBCttZ/BFVyBydQDtSSORFRDdLGME27TYNAVaNiP gnfvVgsmyhidgc3ASlwb0zbTScR2yP4KAfvw12lT8a6ejBWTDs9LsnqMtxD9Ro6ElQ JHRtB/gYuk7PCmE3dGdi+un5Ko7N6PYMop6md6ms= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sebastian Andrzej Siewior , Johan Hovold Subject: [PATCH 4.9 149/175] USB: serial: keyspan_pda: fix tx-unthrottle use-after-free Date: Mon, 28 Dec 2020 13:50:02 +0100 Message-Id: <20201228124900.477268222@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201228124853.216621466@linuxfoundation.org> References: <20201228124853.216621466@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream. The driver's transmit-unthrottle work was never flushed on disconnect, something which could lead to the driver port data being freed while the unthrottle work is still scheduled. Fix this by cancelling the unthrottle work when shutting down the port. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Acked-by: Sebastian Andrzej Siewior Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/keyspan_pda.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/usb/serial/keyspan_pda.c +++ b/drivers/usb/serial/keyspan_pda.c @@ -651,8 +651,12 @@ error: } static void keyspan_pda_close(struct usb_serial_port *port) { + struct keyspan_pda_private *priv = usb_get_serial_port_data(port); + usb_kill_urb(port->write_urb); usb_kill_urb(port->interrupt_in_urb); + + cancel_work_sync(&priv->unthrottle_work); }