From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Johan Hovold <johan@kernel.org>
Cc: linux-usb@vger.kernel.org, Keith Packard <keithp@keithp.com>,
Juergen Stuber <starblue@users.sourceforge.net>,
stable <stable@vger.kernel.org>
Subject: Re: [PATCH 5/5] USB: yurex: fix NULL-derefs on disconnect
Date: Thu, 10 Oct 2019 14:24:26 +0200 [thread overview]
Message-ID: <20191010122426.GA702899@kroah.com> (raw)
In-Reply-To: <20191010110532.GC27819@localhost>
On Thu, Oct 10, 2019 at 01:05:32PM +0200, Johan Hovold wrote:
> On Wed, Oct 09, 2019 at 05:38:48PM +0200, Johan Hovold wrote:
> > The driver was using its struct usb_interface pointer as an inverted
> > disconnected flag, but was setting it to NULL without making sure all
> > code paths that used it were done with it.
> >
> > Before commit ef61eb43ada6 ("USB: yurex: Fix protection fault after
> > device removal") this included the interrupt-in completion handler, but
> > there are further accesses in dev_err and dev_dbg statements in
> > yurex_write() and the driver-data destructor (sic!).
> >
> > Fix this by unconditionally stopping also the control URB at disconnect
> > and by using a dedicated disconnected flag.
> >
> > Note that we need to take a reference to the struct usb_interface to
> > avoid a use-after-free in the destructor whenever the device was
> > disconnected while the character device was still open.
> >
> > Fixes: aadd6472d904 ("USB: yurex.c: remove dbg() usage")
> > Fixes: 45714104b9e8 ("USB: yurex.c: remove err() usage")
> > Cc: stable <stable@vger.kernel.org> # 3.5: ef61eb43ada6
> > Signed-off-by: Johan Hovold <johan@kernel.org>
>
> Greg, I noticed that you picked up all patches in this series except
> this last one.
>
> Was that one purpose or by mistake?
Mistake, thanks for catching that. Now queued up.
greg k-h
prev parent reply other threads:[~2019-10-10 12:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-09 15:38 [PATCH 0/5] USB: misc: fix disconnect bugs Johan Hovold
2019-10-09 15:38 ` [PATCH 1/5] USB: adutux: fix use-after-free on release Johan Hovold
2019-10-09 15:38 ` [PATCH 2/5] USB: chaoskey: " Johan Hovold
2019-10-09 15:38 ` [PATCH 3/5] USB: ldusb: fix NULL-derefs on driver unbind Johan Hovold
2019-10-09 15:38 ` [PATCH 4/5] USB: legousbtower: fix use-after-free on release Johan Hovold
2019-10-09 15:38 ` [PATCH 5/5] USB: yurex: fix NULL-derefs on disconnect Johan Hovold
2019-10-10 11:05 ` Johan Hovold
2019-10-10 12:24 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191010122426.GA702899@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=keithp@keithp.com \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=starblue@users.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.