Message ID | Pine.LNX.4.44L0.1904231446530.1461-100000@iolanthe.rowland.org (mailing list archive) |
---|---|
State | Mainlined |
Commit | ef61eb43ada6c1d6b94668f0f514e4c268093ff3 |
Headers | show |
Series | USB: yurex: Fix protection fault after device removal | expand |
Index: usb-devel/drivers/usb/misc/yurex.c =================================================================== --- usb-devel.orig/drivers/usb/misc/yurex.c +++ usb-devel/drivers/usb/misc/yurex.c @@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_ usb_deregister_dev(interface, &yurex_class); /* prevent more I/O from starting */ + usb_poison_urb(dev->urb); mutex_lock(&dev->io_mutex); dev->interface = NULL; mutex_unlock(&dev->io_mutex);
The syzkaller USB fuzzer found a general-protection-fault bug in the yurex driver. The fault occurs when a device has been unplugged; the driver's interrupt-URB handler logs an error message referring to the device by name, after the device has been unregistered and its name deallocated. This problem is caused by the fact that the interrupt URB isn't cancelled until the driver's private data structure is released, which can happen long after the device is gone. The cure is to make sure that the interrupt URB is killed before yurex_disconnect() returns; this is exactly the sort of thing that usb_poison_urb() was meant for. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> --- [as1896] drivers/usb/misc/yurex.c | 1 + 1 file changed, 1 insertion(+)