[PATCH 3.14 13/37] usbnet: cleanup after bind() in probe()

From: Greg Kroah-Hartman
Date: Sun Apr 17 2016 - 22:29:38 EST

3.14-stable review patch. If anyone has any objections, please let me know.


From: Oliver Neukum <oneukum@xxxxxxxx>

[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONeukum@xxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
drivers/net/usb/usbnet.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1718,6 +1718,13 @@ out3:
if (info->unbind)
info->unbind (dev, udev);
+ /* subdrivers must undo all they did in bind() if they
+ * fail it, but we may fail later and a deferred kevent
+ * may trigger an error resubmitting itself and, worse,
+ * schedule a timer. So we kill it all just in case.
+ */
+ cancel_work_sync(&dev->kevent);
+ del_timer_sync(&dev->delay);
return status;