Commit 2d2d99ec authored by Raghuram Chary J's avatar Raghuram Chary J Committed by David S. Miller

lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)

Description:
Crash was reported with syzkaller pointing to lan78xx_write_reg routine.

Root-cause:
Proper cleanup of workqueues and init/setup routines was not happening
in failure conditions.

Fix:
Handled the error conditions by cleaning up the queues and init/setup
routines.

Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarRaghuram Chary J <raghuramchary.jallipalli@microchip.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 020295d9
...@@ -2873,8 +2873,7 @@ static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) ...@@ -2873,8 +2873,7 @@ static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf)
if (ret < 0) { if (ret < 0) {
netdev_warn(dev->net, netdev_warn(dev->net,
"lan78xx_setup_irq_domain() failed : %d", ret); "lan78xx_setup_irq_domain() failed : %d", ret);
kfree(pdata); goto out1;
return ret;
} }
dev->net->hard_header_len += TX_OVERHEAD; dev->net->hard_header_len += TX_OVERHEAD;
...@@ -2882,14 +2881,32 @@ static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) ...@@ -2882,14 +2881,32 @@ static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf)
/* Init all registers */ /* Init all registers */
ret = lan78xx_reset(dev); ret = lan78xx_reset(dev);
if (ret) {
netdev_warn(dev->net, "Registers INIT FAILED....");
goto out2;
}
ret = lan78xx_mdio_init(dev); ret = lan78xx_mdio_init(dev);
if (ret) {
netdev_warn(dev->net, "MDIO INIT FAILED.....");
goto out2;
}
dev->net->flags |= IFF_MULTICAST; dev->net->flags |= IFF_MULTICAST;
pdata->wol = WAKE_MAGIC; pdata->wol = WAKE_MAGIC;
return ret; return ret;
out2:
lan78xx_remove_irq_domain(dev);
out1:
netdev_warn(dev->net, "Bind routine FAILED");
cancel_work_sync(&pdata->set_multicast);
cancel_work_sync(&pdata->set_vlan);
kfree(pdata);
return ret;
} }
static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf) static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf)
...@@ -2901,6 +2918,8 @@ static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf) ...@@ -2901,6 +2918,8 @@ static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf)
lan78xx_remove_mdio(dev); lan78xx_remove_mdio(dev);
if (pdata) { if (pdata) {
cancel_work_sync(&pdata->set_multicast);
cancel_work_sync(&pdata->set_vlan);
netif_dbg(dev, ifdown, dev->net, "free pdata"); netif_dbg(dev, ifdown, dev->net, "free pdata");
kfree(pdata); kfree(pdata);
pdata = NULL; pdata = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment