[PATCH] ieee802154: atusb: fix use-after-free at disconnect

[Johan Hovold]

The disconnect callback was accessing the hardware-descriptor private
data after having having freed it.

Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
Cc: stable <sta...@vger.kernel.org> # 4.2
Cc: Alexander Aring <alex....@gmail.com>
Reported-by: syzbot+f4509a...@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <jo...@kernel.org>
---

#syz test: https://github.com/google/kasan.git f0df5c1b

drivers/net/ieee802154/atusb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
index ceddb424f887..0dd0ba915ab9 100644
--- a/drivers/net/ieee802154/atusb.c
+++ b/drivers/net/ieee802154/atusb.c
@@ -1137,10 +1137,11 @@ static void atusb_disconnect(struct usb_interface *interface)

ieee802154_unregister_hw(atusb->hw);

+ usb_put_dev(atusb->usb_dev);
+
ieee802154_free_hw(atusb->hw);

usb_set_intfdata(interface, NULL);
- usb_put_dev(atusb->usb_dev);

pr_debug("%s done\n", __func__);
}
--
2.23.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+f4509a...@syzkaller.appspotmail.com

Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=f4509a9138a1472e7e80
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f3ebb5600000

Note: testing is done by a robot and is best-effort only.

[Stefan Schmidt]

Hello.

This patch has been applied to the wpan tree and will be
part of the next pull request to net.

Thanks a lot for having a look at this!

regards
Stefan Schmidt