[PATCH] USB: serial: opticon: fix UAF in write callback during port removal

[Fan Wu]

The opticon driver anchors write URBs to priv->anchor in opticon_write()
and frees priv in opticon_port_remove() without first killing these
anchored URBs. The completion callback opticon_write_control_callback()
may dereference priv via usb_get_serial_port_data() and access
priv->lock, priv->outstanding_urbs, and priv->outstanding_bytes after
it has been freed.

If a write URB is in flight when the port is removed:

    CPU 0 (remove path)              CPU 1 (URB completion)
    ---------------------            ---------------------
    opticon_port_remove()
      kfree(priv)  <--+
                     |  --> opticon_write_control_callback()
                     |        priv = usb_get_serial_port_data()
                     |        spin_lock_irqsave(&priv->lock)
                     |        --priv->outstanding_urbs  // possible UAF
    return           |
                     usb_free_urb()

Fix this by calling usb_kill_anchored_urbs(&priv->anchor) before
kfree(priv) so that all in-flight URBs have finished before the private
data is freed.

Note that opticon_close() already correctly kills anchored URBs; this
fix addresses the port_remove path which was overlooked.

Fixes: 648d4e16567e ("USB: serial: opticon: add write support")
Signed-off-by: Fan Wu <fanwu01@xxxxxxxxxx>
---
 drivers/usb/serial/opticon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
index e2bed477ad57..80e332e14384 100644
--- a/drivers/usb/serial/opticon.c
+++ b/drivers/usb/serial/opticon.c
@@ -370,6 +370,7 @@ static void opticon_port_remove(struct usb_serial_port *port)
 {
 	struct opticon_private *priv = usb_get_serial_port_data(port);
 
+	usb_kill_anchored_urbs(&priv->anchor);
 	kfree(priv);
 }
 
-- 
2.34.1