[PATCH 3.10 063/143] usbnet: cleanup after bind() in probe()

From: Willy Tarreau
Date: Sun Jun 05 2016 - 06:32:35 EST

From: Oliver Neukum <oneukum@xxxxxxxx>

commit 1666984c8625b3db19a9abc298931d35ab7bc64b upstream.

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONeukum@xxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Willy Tarreau <w@xxxxxx>
drivers/net/usb/usbnet.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index fb068ad..2255d89 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1622,6 +1622,13 @@ out3:
if (info->unbind)
info->unbind (dev, udev);
+ /* subdrivers must undo all they did in bind() if they
+ * fail it, but we may fail later and a deferred kevent
+ * may trigger an error resubmitting itself and, worse,
+ * schedule a timer. So we kill it all just in case.
+ */
+ cancel_work_sync(&dev->kevent);
+ del_timer_sync(&dev->delay);
return status;
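
Review bot: In the out3 path the two new calls sit after info->unbind (dev, udev), so a kevent work item that is already queued can still run while, or just after, the subdriver tears down what it set up in bind(). Consider moving cancel_work_sync(&dev->kevent) and del_timer_sync(&dev->delay) ahead of the unbind call, or extend the comment to say why cancelling after unbind is safe. The comment also covers only the direction in which the work item arms the timer; if the dev->delay handler can in turn queue kevent, a single cancel followed by a single del_timer_sync leaves a window, and the comment should state which case applies.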