CVE-2022-50220

In the Linux kernel, the following vulnerability has been resolved:

usbnet: Fix linkwatch use-after-free on disconnect

usbnet uses the work usbnetdeferredkevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":

https://git.kernel.org/tglx/history/c/0f138bbfd83c

The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of all work by calling flushscheduledwork(), and that could deadlock when waiting for usbnetdeferredkevent() with rtnlmutex held in ->ndostop().

The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asixdevices.c, ax88179178a.c, ch9200.c and smsc75xx.c:

• If the drivers receive a link change interrupt immediately before disconnect, they raise EVENTLINKRESET in their (non-sleepable) ->status() callback and schedule usbnetdeferredkevent().
• usbnetdeferredkevent() invokes the driver's ->linkreset() callback, which calls netifcarrier_{on,off}().
• That in turn schedules the work linkwatch_event().

Because usbnetdeferredkevent() is awaited after unregisternetdev(), netifcarrier_{on,off}() may operate on an unregistered netdev and linkwatchevent() may run after freenetdev(), causing a use-after-free.

In 2010, usbnet was changed to only wait for a single instance of usbnetdeferredkevent() instead of all work by commit 23f333a2bfaf ("drivers/net: don't use flushscheduledwork()").

Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last.