Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9279379pxu;
        Mon, 28 Dec 2020 11:13:45 -0800 (PST)
X-Google-Smtp-Source: ABdhPJw61VxAc6DI5qyCsrJotqef5ZNhrlh0agjj/3RWB7WZ9zZ3gxxvX1ZiZ6GHIl1xMwgLiHyx
X-Received: by 2002:a17:907:4126:: with SMTP id mx6mr42112376ejb.91.1609182824796;
        Mon, 28 Dec 2020 11:13:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609182824; cv=none;
        d=google.com; s=arc-20160816;
        b=UZEAlZIdWJnKF160v+gH6QUShHNb+w+qd6bOdRIdxAgd4YMCrA9p1VMFhK6b6uJKrR
         tctOmN77dtQ6aDhFdLdbRA1FaOgodysVUMvq4sMHtbRvmQ3UyJaJigREOqBIPNeoI68+
         y1GFHgoK+5Yf4G6MP1nAr7E0PLstZfOksDRQYi67D6dtXCINiUNRnGzzOwxCf4R8VftX
         kqMTh11q4kcHnTX/DMwoGgZnLRzemfpCn6AzUod9wLemHblR1TJ3HawJz9GpRBbn/i0N
         2svG/zzJfuHudL1cEjkpnhN0oLr1B/BeQZ25yvzcEjCLPPBRrmXmgxKY2RRhdji0VCV8
         QzLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=QZLvzUzOLGn7sVcaDhKpc2BxN5x8uk8zX4EFVjLfnxs=;
        b=tsIYfUYN0xU4wuiqnwTJrQCJkJlW78tDj8UYCTsYqW4yprp6i683SVq4e1FwvrdmTz
         QSpQ4Wfc0TD33ea7fn+Dfct47r1kRebI3n4KQyzBofpw8B0sVHzByPtAcTTZF0jH6DGm
         jOFYeVi0HTqXO7DdhDKNdYZCifPfSvsWak1Cv0i5iO5WHuyfWdeAUFL75RbT7hMviKkx
         xL4i2DZ0DcCbUwBT2zaYpZYOyYP5M7FrOpc1bR/H57A8RaYIkU4xa5v0YTf3/JegacDC
         ymtu0puwiurOhpQQayv1Tqd+RmBoVvAo9abiyVMIbWKuZmmQaJPeYRYlqXk6MLeNA6rV
         +RBg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HSmaXsRu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v1si11641036ejd.298.2020.12.28.11.13.22;
        Mon, 28 Dec 2020 11:13:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HSmaXsRu;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2405295AbgL1Nzm (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Mon, 28 Dec 2020 08:55:42 -0500
Received: from mail.kernel.org ([198.145.29.99]:57338 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2405291AbgL1Nzk (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Dec 2020 08:55:40 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id 8738D20731;
        Mon, 28 Dec 2020 13:54:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1609163700;
        bh=ZVH6mPmmfFa3nYou8QGvUJ84cqwMDtba7EMR8XuKack=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=HSmaXsRuVX3piHxnFn02XnBYp3a9gCCCgH/nlXrW8Vgoye/PwHNISAy/HJSUm++XQ
         ejCJv0AQLPdIKFHPxOiUzcYAaB5Y5X+4cNznNMFxDYUQrJ2yR+n2Nmtr3VI/U+baId
         JDcNcWVV6X6bFEMDADef5qFAfzG6ZuXVZWOvENdc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Johan Hovold <johan@kernel.org>
Subject: [PATCH 5.4 370/453] USB: serial: keyspan_pda: fix tx-unthrottle use-after-free
Date:   Mon, 28 Dec 2020 13:50:06 +0100
Message-Id: <20201228124955.016539993@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201228124937.240114599@linuxfoundation.org>
References: <20201228124937.240114599@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johan Hovold <johan@kernel.org>

commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream.

The driver's transmit-unthrottle work was never flushed on disconnect,
something which could lead to the driver port data being freed while the
unthrottle work is still scheduled.

Fix this by cancelling the unthrottle work when shutting down the port.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/keyspan_pda.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -647,8 +647,12 @@ error:
 }
 static void keyspan_pda_close(struct usb_serial_port *port)
 {
+	struct keyspan_pda_private *priv = usb_get_serial_port_data(port);
+
 	usb_kill_urb(port->write_urb);
 	usb_kill_urb(port->interrupt_in_urb);
+
+	cancel_work_sync(&priv->unthrottle_work);
 }