From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 24DF5C04A6B for ; Mon, 6 May 2019 14:47:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EC16F2087F for ; Mon, 6 May 2019 14:47:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557154063; bh=X/bvWcZjlXeIMLrwmuCEXq0NPlqn86uuGONRxZlPlzQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=C49JaMbpzF2HYh1zHVGFwsUqrQhdaVYEDndFhLI9lr+LOn5kUOSGdbwK2OnfxTl5D NucvqlGq7YInGJCF6qw5/OgJq3XrTNEiLF18e55gRGJHs7cjQwjJkzKnjZZnPSs6pU CHnTeFeIx2dWFcDfli9taejfvUiob6XrU2+mE+94= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729363AbfEFOrl (ORCPT ); Mon, 6 May 2019 10:47:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:47088 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728468AbfEFOrk (ORCPT ); Mon, 6 May 2019 10:47:40 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6F3662087F; Mon, 6 May 2019 14:47:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557154059; bh=X/bvWcZjlXeIMLrwmuCEXq0NPlqn86uuGONRxZlPlzQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LWCfcaBCAoxEhG3nMIIwfsRJh3EKmYj3WnvQNTbHLe6E+xfkiR1o6LNBORBHlSA7o E3RFXwlAX1RVf0gxd8156FWMlXBCFfoPzYP6/u9+V6I1CUhv7tetnsrGlkcJlONmlO zaRcOItPppVqaDXKT94RaIjPLhTXk0hxeGdJkJyM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com Subject: [PATCH 4.9 22/62] USB: yurex: Fix protection fault after device removal Date: Mon, 6 May 2019 16:32:53 +0200 Message-Id: <20190506143052.974180184@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190506143051.102535767@linuxfoundation.org> References: <20190506143051.102535767@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream. The syzkaller USB fuzzer found a general-protection-fault bug in the yurex driver. The fault occurs when a device has been unplugged; the driver's interrupt-URB handler logs an error message referring to the device by name, after the device has been unregistered and its name deallocated. This problem is caused by the fact that the interrupt URB isn't cancelled until the driver's private data structure is released, which can happen long after the device is gone. The cure is to make sure that the interrupt URB is killed before yurex_disconnect() returns; this is exactly the sort of thing that usb_poison_urb() was meant for. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com CC: Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -324,6 +324,7 @@ static void yurex_disconnect(struct usb_ usb_deregister_dev(interface, &yurex_class); /* prevent more I/O from starting */ + usb_poison_urb(dev->urb); mutex_lock(&dev->io_mutex); dev->interface = NULL; mutex_unlock(&dev->io_mutex);