From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1E70C10F03 for ; Thu, 25 Apr 2019 09:12:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 65007218B0 for ; Thu, 25 Apr 2019 09:12:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556183559; bh=fK5CysZ2Z4lMZidOHFndYw5LMNRsfh5zBYP1VQmxAww=; h=Subject:To:From:Date:List-ID:From; b=wGyWsgCeqErHmD5S2Ygau7kCOO1tonJuITUG237P4/2hFFt8DLw2fo0ZRzPdT/79O Xh/0WwH6CFNQdCW8T4bXvHv0ZohTzdtuyWofnKwneqQGu70w2jdGN3L8aDAa1nS9mn QEqWEoQAUYeiuKUsSRcqjUof6h2ENwnN23eyms9s= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726887AbfDYJMj (ORCPT ); Thu, 25 Apr 2019 05:12:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:44998 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726330AbfDYJMi (ORCPT ); Thu, 25 Apr 2019 05:12:38 -0400 Received: from localhost (62-193-50-229.as16211.net [62.193.50.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9886C217FA; Thu, 25 Apr 2019 09:12:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556183558; bh=fK5CysZ2Z4lMZidOHFndYw5LMNRsfh5zBYP1VQmxAww=; h=Subject:To:From:Date:From; b=FQgoa2IPNI/lj3g4dspzzj04bth35FPxQFCpoqRqy7tdqUMtTflyLsIS5+HygQ1SA juyHs7Q/fzjty+tXVuMBwOK7cR5kMJnz+KLGE9ATq6MI1zkbd6c17rIL4Tflrid7Ei bD3g1UmB/okFvU0tGdwaXMugBCykEXteI+ogaN0Y= Subject: patch "USB: yurex: Fix protection fault after device removal" added to usb-linus To: stern@rowland.harvard.edu, gregkh@linuxfoundation.org, stable@vger.kernel.org From: Date: Thu, 25 Apr 2019 11:12:25 +0200 Message-ID: <155618354524944@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org This is a note to let you know that I've just added the patch titled USB: yurex: Fix protection fault after device removal to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From ef61eb43ada6c1d6b94668f0f514e4c268093ff3 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Tue, 23 Apr 2019 14:48:29 -0400 Subject: USB: yurex: Fix protection fault after device removal The syzkaller USB fuzzer found a general-protection-fault bug in the yurex driver. The fault occurs when a device has been unplugged; the driver's interrupt-URB handler logs an error message referring to the device by name, after the device has been unregistered and its name deallocated. This problem is caused by the fact that the interrupt URB isn't cancelled until the driver's private data structure is released, which can happen long after the device is gone. The cure is to make sure that the interrupt URB is killed before yurex_disconnect() returns; this is exactly the sort of thing that usb_poison_urb() was meant for. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com CC: Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 6d9fd5f64903..7b306aa22d25 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_interface *interface) usb_deregister_dev(interface, &yurex_class); /* prevent more I/O from starting */ + usb_poison_urb(dev->urb); mutex_lock(&dev->io_mutex); dev->interface = NULL; mutex_unlock(&dev->io_mutex); -- 2.21.0