| From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001 |
| From: Alan Stern <stern@rowland.harvard.edu> |
| Date: Tue, 23 Apr 2019 14:48:29 -0400 |
| Subject: USB: yurex: Fix protection fault after device removal |
| |
| From: Alan Stern <stern@rowland.harvard.edu> |
| |
| commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream. |
| |
| The syzkaller USB fuzzer found a general-protection-fault bug in the |
| yurex driver. The fault occurs when a device has been unplugged; the |
| driver's interrupt-URB handler logs an error message referring to the |
| device by name, after the device has been unregistered and its name |
| deallocated. |
| |
| This problem is caused by the fact that the interrupt URB isn't |
| cancelled until the driver's private data structure is released, which |
| can happen long after the device is gone. The cure is to make sure |
| that the interrupt URB is killed before yurex_disconnect() returns; |
| this is exactly the sort of thing that usb_poison_urb() was meant for. |
| |
| Signed-off-by: Alan Stern <stern@rowland.harvard.edu> |
| Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com |
| CC: <stable@vger.kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/misc/yurex.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/usb/misc/yurex.c |
| +++ b/drivers/usb/misc/yurex.c |
| @@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_ |
| usb_deregister_dev(interface, &yurex_class); |
| |
| /* prevent more I/O from starting */ |
| + usb_poison_urb(dev->urb); |
| mutex_lock(&dev->io_mutex); |
| dev->interface = NULL; |
| mutex_unlock(&dev->io_mutex); |
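Review bot: the added usb_poison_urb(dev->urb) in yurex_disconnect() sits under the existing comment "/* prevent more I/O from starting */", which does not capture why this call is the fix. Poisoning both rejects later submissions of the URB and waits for a running completion handler to finish, and the second property is what keeps the interrupt-URB handler from logging the device name after yurex_disconnect() returns. Suggest a short comment on the call stating that it must complete before disconnect returns. Placing it before mutex_lock(&dev->io_mutex) looks deliberate, since usb_poison_urb() can sleep and this avoids holding io_mutex while waiting; it would be worth saying so. The commit message notes the URB is otherwise only cancelled when the private data structure is released, so it is worth confirming that the release path still behaves correctly on an already-poisoned URB.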