From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alan Stern, syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
Subject: [PATCH 4.14 19/75] USB: yurex: Fix protection fault after device removal
Date: Mon, 6 May 2019 16:32:27 +0200
Message-Id: <20190506143054.895240578@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190506143053.287515952@linuxfoundation.org>
References: <20190506143053.287515952@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alan Stern

commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream.

The syzkaller USB fuzzer found a general-protection-fault bug in the yurex driver. The fault occurs when a device has been unplugged; the driver's interrupt-URB handler logs an error message referring to the device by name, after the device has been unregistered and its name deallocated.

This problem is caused by the fact that the interrupt URB isn't cancelled until the driver's private data structure is released, which can happen long after the device is gone. The cure is to make sure that the interrupt URB is killed before yurex_disconnect() returns; this is exactly the sort of thing that usb_poison_urb() was meant for.

Signed-off-by: Alan Stern
Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
CC:
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/misc/yurex.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -318,6 +318,7 @@ static void yurex_disconnect(struct usb_ usb_deregister_dev(interface, &yurex_class); /* prevent more I/O from starting */ + usb_poison_urb(dev->urb); mutex_lock(&dev->io_mutex); dev->interface = NULL; mutex_unlock(&dev->io_mutex);
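
Review bot: The added `usb_poison_urb(dev->urb);` in yurex_disconnect() sits directly under the existing comment `/* prevent more I/O from starting */`, which was written for the `dev->interface = NULL` block that follows, so the code itself does not say why the URB is poisoned here. A short comment of its own would help, stating what the commit message says: the interrupt URB has to be dead before yurex_disconnect() returns, because its handler logs with the device name and that name is freed once the device is unregistered. The message also says the URB is otherwise cancelled only when the driver's private data structure is released; since that later cancel is outside this hunk, it is worth confirming that it is still correct on a URB that has already been poisoned.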