From patchwork Sun Oct 25 17:45:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 287442 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42D73C388F7 for ; Sun, 25 Oct 2020 17:47:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 082872222F for ; Sun, 25 Oct 2020 17:47:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603648077; bh=noUNEYlylHnzHTY2CrwJfTMODh4hhkeYQ9BH/0VZmYs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=A8Q1Zj5B7781WBQcm1a2mhmdbMSyRlc5W7mxq4tPd7NF6n3G+hzUYUS6wC7NZtrys wqgBLwK/AIxcEKga9uLp/TY6IAGsOfXY0smku9xD45T09Ge+tRKgJSwHgcKiOmhUOO 8yBkGaTDRWlgTCzL2WeLfyCeaPBbVeZGUCKLRpw4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1417855AbgJYRrx (ORCPT ); Sun, 25 Oct 2020 13:47:53 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:44306 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1417714AbgJYRqk (ORCPT ); Sun, 25 Oct 2020 13:46:40 -0400 Received: by mail-lf1-f67.google.com with SMTP id b1so8902342lfp.11; Sun, 25 Oct 2020 10:46:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mLH2jEE7RKRcoLwhkzgaqRtvr7bnr4NSOoTQehYo+/Y=; b=Xjxtzz1LK6LO3HD8pQsXTS/iV5qEUHxTR5bytGUfmHoF8eBnUMAiH7orhn63C+NJ8F gWi9oxbpP2XcugGYtZngexfeeUWYCSr1EjUUlSmZrQoeqvopAH8DjbXMrHP6LI/8V1lL OZELH7DMyJLcaiw403lRxTDPPBWl1krq0enjnw4Fy5ghApqxIcjPA6qIZJ90Tm8ubipA bHlSr0AfVZdihzhVZJOVYPKXKN3GyYhFJVFKi2/1lkWoeETiyPXa2Gqw5ceSN3jyVqG6 BAnS/GFPkWUUgNEDEf4zCDVWfnAjDSEQNZbaUMNbjsqnd8Pe7fWcJeFKce/T3MMv+p5N 0DgQ== X-Gm-Message-State: AOAM5312DOIdYYyBQbyDeaEuN8M4n47LabFdFiRGlwfCSKONv4YDPgJd iKZjhzHAHUy7RLF/MTdMbl25HdCoSjPswQ== X-Google-Smtp-Source: ABdhPJwIu5JxZA5EikW7OmQwczCYOMug3Pz2X03kVWfXjycmiVx42exfzXnPBhNcDMbR5/FXYpDbzg== X-Received: by 2002:ac2:5a03:: with SMTP id q3mr4135228lfn.527.1603647997449; Sun, 25 Oct 2020 10:46:37 -0700 (PDT) Received: from xi.terra (c-beaee455.07-184-6d6c6d4.bbcust.telenor.se. [85.228.174.190]) by smtp.gmail.com with ESMTPSA id l6sm799335lfk.267.2020.10.25.10.46.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 25 Oct 2020 10:46:34 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.93.0.4) (envelope-from ) id 1kWk6I-0007HP-P6; Sun, 25 Oct 2020 18:46:38 +0100 From: Johan Hovold To: linux-usb@vger.kernel.org Cc: "Ahmed S . Darwish" , Sebastian Andrzej Siewior , Thomas Gleixner , linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH 04/14] USB: serial: keyspan_pda: fix write-wakeup use-after-free Date: Sun, 25 Oct 2020 18:45:50 +0100 Message-Id: <20201025174600.27896-5-johan@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201025174600.27896-1-johan@kernel.org> References: <20201025174600.27896-1-johan@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The driver's deferred write wakeup was never flushed on disconnect, something which could lead to the driver port data being freed while the wakeup work is still scheduled. Fix this by using the usb-serial write wakeup which gets cancelled properly on disconnect. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold --- drivers/usb/serial/keyspan_pda.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c index d6ebde779e85..d91180ab5f3b 100644 --- a/drivers/usb/serial/keyspan_pda.c +++ b/drivers/usb/serial/keyspan_pda.c @@ -43,8 +43,7 @@ struct keyspan_pda_private { int tx_room; int tx_throttled; - struct work_struct wakeup_work; - struct work_struct unthrottle_work; + struct work_struct unthrottle_work; struct usb_serial *serial; struct usb_serial_port *port; }; @@ -97,15 +96,6 @@ static const struct usb_device_id id_table_fake_xircom[] = { }; #endif -static void keyspan_pda_wakeup_write(struct work_struct *work) -{ - struct keyspan_pda_private *priv = - container_of(work, struct keyspan_pda_private, wakeup_work); - struct usb_serial_port *port = priv->port; - - tty_port_tty_wakeup(&port->port); -} - static void keyspan_pda_request_unthrottle(struct work_struct *work) { struct keyspan_pda_private *priv = @@ -183,7 +173,7 @@ static void keyspan_pda_rx_interrupt(struct urb *urb) case 2: /* tx unthrottle interrupt */ priv->tx_throttled = 0; /* queue up a wakeup at scheduler time */ - schedule_work(&priv->wakeup_work); + usb_serial_port_softint(port); break; default: break; @@ -563,7 +553,7 @@ static void keyspan_pda_write_bulk_callback(struct urb *urb) priv = usb_get_serial_port_data(port); /* queue up a wakeup at scheduler time */ - schedule_work(&priv->wakeup_work); + usb_serial_port_softint(port); } @@ -715,7 +705,6 @@ static int keyspan_pda_port_probe(struct usb_serial_port *port) if (!priv) return -ENOMEM; - INIT_WORK(&priv->wakeup_work, keyspan_pda_wakeup_write); INIT_WORK(&priv->unthrottle_work, keyspan_pda_request_unthrottle); priv->serial = port->serial; priv->port = port;