Commit | Line | Data |
---|---|---|
7a0a7a4a GKH |
1 | From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Stern <stern@rowland.harvard.edu> | |
3 | Date: Tue, 23 Apr 2019 14:48:29 -0400 | |
4 | Subject: USB: yurex: Fix protection fault after device removal | |
5 | ||
6 | From: Alan Stern <stern@rowland.harvard.edu> | |
7 | ||
8 | commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream. | |
9 | ||
10 | The syzkaller USB fuzzer found a general-protection-fault bug in the | |
11 | yurex driver. The fault occurs when a device has been unplugged; the | |
12 | driver's interrupt-URB handler logs an error message referring to the | |
13 | device by name, after the device has been unregistered and its name | |
14 | deallocated. | |
15 | ||
16 | This problem is caused by the fact that the interrupt URB isn't | |
17 | cancelled until the driver's private data structure is released, which | |
18 | can happen long after the device is gone. The cure is to make sure | |
19 | that the interrupt URB is killed before yurex_disconnect() returns; | |
20 | this is exactly the sort of thing that usb_poison_urb() was meant for. | |
21 | ||
22 | Signed-off-by: Alan Stern <stern@rowland.harvard.edu> | |
23 | Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com | |
24 | CC: <stable@vger.kernel.org> | |
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
26 | ||
27 | --- | |
28 | drivers/usb/misc/yurex.c | 1 + | |
29 | 1 file changed, 1 insertion(+) | |
30 | ||
31 | --- a/drivers/usb/misc/yurex.c | |
32 | +++ b/drivers/usb/misc/yurex.c | |
33 | @@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_ | |
34 | usb_deregister_dev(interface, &yurex_class); | |
35 | ||
36 | /* prevent more I/O from starting */ | |
37 | + usb_poison_urb(dev->urb); | |
38 | mutex_lock(&dev->io_mutex); | |
39 | dev->interface = NULL; | |
40 | mutex_unlock(&dev->io_mutex); |
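
Review bot: the added usb_poison_urb(dev->urb), placed just before mutex_lock(&dev->io_mutex), is documented only by the existing comment "/* prevent more I/O from starting */", which does not say why the interrupt URB has to be dead before yurex_disconnect() returns. A short comment here stating that the completion handler logs through the device name, and so must not run once the device is unregistered, would keep a later cleanup from moving the cancellation back to release time. It is also worth confirming that every path submitting dev->urb checks the return value of usb_submit_urb(), since a poisoned URB is rejected on submission rather than queued.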