[thirdparty/kernel/stable-queue.git] / queue-4.4 / usb-yurex-fix-protection-fault-after-device-removal.patch

From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001
From: Alan Stern <stern@rowland.harvard.edu>
Date: Tue, 23 Apr 2019 14:48:29 -0400
Subject: USB: yurex: Fix protection fault after device removal

From: Alan Stern <stern@rowland.harvard.edu>

commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream.

The syzkaller USB fuzzer found a general-protection-fault bug in the
yurex driver.  The fault occurs when a device has been unplugged; the
driver's interrupt-URB handler logs an error message referring to the
device by name, after the device has been unregistered and its name
deallocated.

This problem is caused by the fact that the interrupt URB isn't
cancelled until the driver's private data structure is released, which
can happen long after the device is gone.  The cure is to make sure
that the interrupt URB is killed before yurex_disconnect() returns;
this is exactly the sort of thing that usb_poison_urb() was meant for.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/yurex.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_
 	usb_deregister_dev(interface, &yurex_class);
 
 	/* prevent more I/O from starting */
+	usb_poison_urb(dev->urb);
 	mutex_lock(&dev->io_mutex);
 	dev->interface = NULL;
 	mutex_unlock(&dev->io_mutex);
Commit	Line	Data
7a0a7a4a GKH	1	From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001
	2	From: Alan Stern <stern@rowland.harvard.edu>
	3	Date: Tue, 23 Apr 2019 14:48:29 -0400
	4	Subject: USB: yurex: Fix protection fault after device removal
	5
	6	From: Alan Stern <stern@rowland.harvard.edu>
	7
	8	commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream.
	9
	10	The syzkaller USB fuzzer found a general-protection-fault bug in the
	11	yurex driver. The fault occurs when a device has been unplugged; the
	12	driver's interrupt-URB handler logs an error message referring to the
	13	device by name, after the device has been unregistered and its name
	14	deallocated.
	15
	16	This problem is caused by the fact that the interrupt URB isn't
	17	cancelled until the driver's private data structure is released, which
	18	can happen long after the device is gone. The cure is to make sure
	19	that the interrupt URB is killed before yurex_disconnect() returns;
	20	this is exactly the sort of thing that usb_poison_urb() was meant for.
	21
	22	Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
	23	Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
	24	CC: <stable@vger.kernel.org>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	drivers/usb/misc/yurex.c \| 1 +
	29	1 file changed, 1 insertion(+)
	30
	31	--- a/drivers/usb/misc/yurex.c
	32	+++ b/drivers/usb/misc/yurex.c
	33	@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_
	34	usb_deregister_dev(interface, &yurex_class);
	35
	36	/* prevent more I/O from starting */
	37	+ usb_poison_urb(dev->urb);
	38	mutex_lock(&dev->io_mutex);
	39	dev->interface = NULL;
	40	mutex_unlock(&dev->io_mutex);