Re: [PATCH net] net: usb: usbnet: fix use-after-free in race on workqueue

From: Andrew Lunn
Date: Fri Jun 27 2025 - 03:41:12 EST


On Fri, Jun 27, 2025 at 03:11:55PM +0900, Peter GJ. Park wrote:
> >On 6/25/25 11:33 AM, Peter GJ. Park wrote:
> >> When usbnet_disconnect() is queued while usbnet_probe() is processing, it
> >> results in free_netdev before kevent gets to run on the workqueue, thus
> >> the workqueue does assign_work() referencing a freed memory address.
> >>
> >> For graceful disconnect and to prevent use-after-free of the netdev
> >> pointer, the fix adds canceling of the work and timer that are placed by
> >> usbnet_probe()
> >>
> >> Signed-off-by: Peter GJ. Park <gyujoon.park@xxxxxxxxxxx>
> >
> >You should include a suitable fixes tag, and you should have specified the target tree ('net' in this case) in the prefix subject
> Prefix net added to subject, but for the fixes tag, by looking at git blame, the last lines of usbnet_disconnect() are based on the initial commit,
> thus I couldn't put the fixes tag for it. Please let me know how I can handle this.

By initial commit, do you mean:

commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (tag: v2.6.12-rc2)
Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxx>
Date: Sat Apr 16 15:20:36 2005 -0700

Linux-2.6.12-rc2

Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!

Then use that as the Fixes: tag. The Fixes: tag is a guide to
developers who do the backport. Nobody is going to backport this to
2.6.12, but it does make it clear that LTS 5.4.294 could get this
patch.

Andrew