+++ /dev/null
-From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 23 Apr 2019 14:48:29 -0400
-Subject: USB: yurex: Fix protection fault after device removal
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream.
-
-The syzkaller USB fuzzer found a general-protection-fault bug in the
-yurex driver. The fault occurs when a device has been unplugged; the
-driver's interrupt-URB handler logs an error message referring to the
-device by name, after the device has been unregistered and its name
-deallocated.
-
-This problem is caused by the fact that the interrupt URB isn't
-cancelled until the driver's private data structure is released, which
-can happen long after the device is gone. The cure is to make sure
-that the interrupt URB is killed before yurex_disconnect() returns;
-this is exactly the sort of thing that usb_poison_urb() was meant for.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
-CC: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/usb/misc/yurex.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/misc/yurex.c
-+++ b/drivers/usb/misc/yurex.c
-@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_
- usb_deregister_dev(interface, &yurex_class);
-
- /* prevent more I/O from starting */
-+ usb_poison_urb(dev->urb);
- mutex_lock(&dev->io_mutex);
- dev->interface = NULL;
- mutex_unlock(&dev->io_mutex);
projects / thirdparty / kernel / stable-queue.git / blobdiff