Commit ef61eb43 authored by Alan Stern's avatar Alan Stern Committed by Greg Kroah-Hartman

USB: yurex: Fix protection fault after device removal

The syzkaller USB fuzzer found a general-protection-fault bug in the
yurex driver.  The fault occurs when a device has been unplugged; the
driver's interrupt-URB handler logs an error message referring to the
device by name, after the device has been unregistered and its name
deallocated.

This problem is caused by the fact that the interrupt URB isn't
cancelled until the driver's private data structure is released, which
can happen long after the device is gone.  The cure is to make sure
that the interrupt URB is killed before yurex_disconnect() returns;
this is exactly the sort of thing that usb_poison_urb() was meant for.
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c409ca3b
...@@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_interface *interface) ...@@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_interface *interface)
usb_deregister_dev(interface, &yurex_class); usb_deregister_dev(interface, &yurex_class);
/* prevent more I/O from starting */ /* prevent more I/O from starting */
usb_poison_urb(dev->urb);
mutex_lock(&dev->io_mutex); mutex_lock(&dev->io_mutex);
dev->interface = NULL; dev->interface = NULL;
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment