Commit 4b12709
most: usb: Fix use-after-free in hdm_disconnect
hdm_disconnect() calls most_deregister_interface(), which eventually
unregisters the MOST interface device with device_unregister(iface->dev).
If that drops the last reference, the device core may call release_mdev()
immediately while hdm_disconnect() is still executing.
The old code also freed several mdev-owned allocations in
hdm_disconnect() and then performed additional put_device() calls.
Depending on refcount order, this could lead to use-after-free or
double-free when release_mdev() ran (or when unregister paths also
performed puts).
Fix by moving the frees of mdev-owned allocations into release_mdev(),
so they happen exactly once when the device is truly released, and by
dropping the extra put_device() calls in hdm_disconnect() that are
redundant after device_unregister() and most_deregister_interface().
This addresses the KASAN slab-use-after-free reported by syzbot in
hdm_disconnect(). See report and stack traces in the bug link below.
Reported-by: [email protected]
Cc: stable <[email protected]>
Closes: https://syzkaller.appspot.com/bug?extid=916742d5d24f6c254761
Fixes: 97a6f77 ("drivers: most: add USB adapter driver")
Signed-off-by: Victoria Votokina <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>1 parent d90eeb8 commit 4b12709
1 file changed
+4
-7
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
929 | 929 | | |
930 | 930 | | |
931 | 931 | | |
| 932 | + | |
| 933 | + | |
| 934 | + | |
| 935 | + | |
932 | 936 | | |
933 | 937 | | |
934 | 938 | | |
| |||
1121 | 1125 | | |
1122 | 1126 | | |
1123 | 1127 | | |
1124 | | - | |
1125 | | - | |
1126 | | - | |
1127 | | - | |
1128 | | - | |
1129 | | - | |
1130 | | - | |
1131 | 1128 | | |
1132 | 1129 | | |
1133 | 1130 | | |
| |||
0 commit comments