CVE-2022-49501

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: Run unregister_netdev() before unbind() again<br /> <br /> Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()")<br /> sought to fix a use-after-free on disconnect of USB Ethernet adapters.<br /> <br /> It turns out that a different fix is necessary to address the issue:<br /> https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/<br /> <br /> So the commit was not necessary.<br /> <br /> The commit made binding and unbinding of USB Ethernet asymmetrical:<br /> Before, usbnet_probe() first invoked the -&gt;bind() callback and then<br /> register_netdev(). usbnet_disconnect() mirrored that by first invoking<br /> unregister_netdev() and then -&gt;unbind().<br /> <br /> Since the commit, the order in usbnet_disconnect() is reversed and no<br /> longer mirrors usbnet_probe().<br /> <br /> One consequence is that a PHY disconnected (and stopped) in -&gt;unbind()<br /> is afterwards stopped once more by unregister_netdev() as it closes the<br /> netdev before unregistering. That necessitates a contortion in -&gt;stop()<br /> because the PHY may only be stopped if it hasn&amp;#39;t already been<br /> disconnected.<br /> <br /> Reverting the commit allows making the call to phy_stop() unconditional<br /> in -&gt;stop().