1 From foo@baz Tue Apr 10 23:19:36 CEST 2018
2 From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
3 Date: Tue, 27 Mar 2018 14:51:16 +0530
4 Subject: lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
5
6 From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
7
8
9 [ Upstream commit 2d2d99ec13f62d5d2cecb6169dfdb6bbe05356d0 ]
10
11 Description:
12 Crash was reported with syzkaller pointing to lan78xx_write_reg routine.
13
14 Root-cause:
15 Proper cleanup of workqueues and init/setup routines was not happening
16 in failure conditions.
17
18 Fix:
19 Handled the error conditions by cleaning up the queues and init/setup
20 routines.
21
22 Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
23 Reported-by: Andrey Konovalov <andreyknvl@google.com>
24 Signed-off-by: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
25 Signed-off-by: David S. Miller <davem@davemloft.net>
26 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27 ---
28 drivers/net/usb/lan78xx.c | 23 +++++++++++++++++++++--
29 1 file changed, 21 insertions(+), 2 deletions(-)
30
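--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2863,8 +2863,7 @@ static int lan78xx_bind(struct lan78xx_n
 if (ret < 0) {
 netdev_warn(dev->net,
 "lan78xx_setup_irq_domain() failed : %d", ret);
- kfree(pdata);
- return ret;
+ goto out1;
 }
 
 dev->net->hard_header_len += TX_OVERHEAD;
@@ -2872,14 +2871,32 @@ static int lan78xx_bind(struct lan78xx_n
 
 /* Init all registers */
 ret = lan78xx_reset(dev);
+ if (ret) {
+ netdev_warn(dev->net, "Registers INIT FAILED....");
+ goto out2;
+ }
 
 ret = lan78xx_mdio_init(dev);
+ if (ret) {
+ netdev_warn(dev->net, "MDIO INIT FAILED.....");
+ goto out2;
+ }
 
 dev->net->flags |= IFF_MULTICAST;
 
 pdata->wol = WAKE_MAGIC;
 
 return ret;
+
+out2:
+ lan78xx_remove_irq_domain(dev);
+
+out1:
+ netdev_warn(dev->net, "Bind routine FAILED");
+ cancel_work_sync(&pdata->set_multicast);
+ cancel_work_sync(&pdata->set_vlan);
+ kfree(pdata);
+ return ret;
 }
 
 static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf)
@@ -2891,6 +2908,8 @@ static void lan78xx_unbind(struct lan78x
 lan78xx_remove_mdio(dev);
 
 if (pdata) {
+ cancel_work_sync(&pdata->set_multicast);
+ cancel_work_sync(&pdata->set_vlan);
 netif_dbg(dev, ifdown, dev->net, "free pdata");
 kfree(pdata);
 pdata = NULL;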
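Review bot: The new `out1` path in lan78xx_bind ends with `kfree(pdata);` but nothing visible clears the copy of that pointer held in the device structure, so any later teardown that passes the `if (pdata)` guard seen in lan78xx_unbind would cancel work on, and free, memory that is already freed. The statement that stores pdata in the device is outside these hunks, so this is inferred rather than shown; if the pointer does stay set, the stored field should be reset immediately after the `kfree(pdata);` in `out1`. The cleanup also relies on both work items being initialised before the first `goto out1`, which the hunk does not show and is worth confirming. As a smaller point, the three added `netdev_warn()` strings lack a trailing newline, e.g. `netdev_warn(dev->net, "Bind routine FAILED\n");`. Both function bodies start outside the hunks shown.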