Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp432685yba; Wed, 15 May 2019 04:02:12 -0700 (PDT) X-Google-Smtp-Source: APXvYqxTRj56pjhYwTRhOjNLu1L0ITgQVyIEqmlmvqFyLxCjM1EIBYRNUVjI9MARJK1RBPT/8yc6 X-Received: by 2002:a63:fa4a:: with SMTP id g10mr43644941pgk.147.1557918132579; Wed, 15 May 2019 04:02:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557918132; cv=none; d=google.com; s=arc-20160816; b=ZvwFCNR6JQtFevNmKIIjZ5VfK/z3XMpzCdLz2spVzn8yMGe04omJXZN7n37MTiDhaL ZwJ15SiuhhGVLGpSfvppC9mfQmFfmT3RHBuK4wsRp3GKBHsiHtYClfXgRVdW+bkGPIeN KO25l6tz6d6/dqvv1x6pR96lrxFMssd41ZkIyj626TwbcOG0ObQKfAb2zVOq2Zb58KMB WJqlFy1s4R1nujJEOkoa6AWqp97xE4QAZ0elXrE9t46/UTNTBSfForcBUvZh3vifI6N0 NGC2/Jzf2tmlkL8N8EvLoOtN6scPQoH0Jj1eS1vy4aALKhf65707tdamzis2m57nMc12 S62Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ytPMfxrm7VzIeXkmiifK0jW14rsmSs9v3P5lCtljhU8=; b=QtSPMiDdMBYsOYutHf2+0utE/gQ37Skvq0XqdNxgzc84piy5x7CBJwor/FyRuc9vzH vDuqzquWpp+Wisam61x2Zv0LMsCEwS5D+ed3i1yxi32NJueLhtb2bX0CDRQcyDBe9xAA bXVJtufBAQc6VCewxDRfZE9xtefffX9cc+g67hnPzuKIhbVX0mxVLpsl31QCgKacRf8H wC/FofPMTL2cpKIn2+VPeymNYvTL7duI7Y8v0dqJqQiZWnfFf22uGIZGjGlvq/VC1DWa 398YfCwAvCqxdLMnUuFatksZzG0hDBqDHV6MSjawUuhvp7LgEzIkJWsnCq2eQfkxVK4K 0tOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="K/BhjFlW"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w207si1861825pff.69.2019.05.15.04.01.56; Wed, 15 May 2019 04:02:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="K/BhjFlW"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727032AbfEOK67 (ORCPT + 99 others); Wed, 15 May 2019 06:58:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:55334 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727014AbfEOK65 (ORCPT ); Wed, 15 May 2019 06:58:57 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 77B70216F4; Wed, 15 May 2019 10:58:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557917936; bh=UaSRcyMnz8YwZQ5JXfK4M9gajoohZJeJ7Jei2hd85AU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K/BhjFlWYx8E+0zGXTqEt2c0fm/qsv9lBG0g0pBkV2J8Eltz/4ZVEJQuIQHI9bFKc tGCPCWfwUABhnPTMxKrHckm/Gfh8fspJh44BftMyQn0jpOKR73kIZbRZYhZzM+4jri UmgBeHqfX1DosahUoMMgwHXf592U+KeIcRNu/1W4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com Subject: [PATCH 3.18 32/86] USB: yurex: Fix protection fault after device removal Date: Wed, 15 May 2019 12:55:09 +0200 Message-Id: <20190515090649.318699162@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090642.339346723@linuxfoundation.org> References: <20190515090642.339346723@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alan Stern commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream. The syzkaller USB fuzzer found a general-protection-fault bug in the yurex driver. The fault occurs when a device has been unplugged; the driver's interrupt-URB handler logs an error message referring to the device by name, after the device has been unregistered and its name deallocated. This problem is caused by the fact that the interrupt URB isn't cancelled until the driver's private data structure is released, which can happen long after the device is gone. The cure is to make sure that the interrupt URB is killed before yurex_disconnect() returns; this is exactly the sort of thing that usb_poison_urb() was meant for. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com CC: Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_ usb_deregister_dev(interface, &yurex_class); /* prevent more I/O from starting */ + usb_poison_urb(dev->urb); mutex_lock(&dev->io_mutex); dev->interface = NULL; mutex_unlock(&dev->io_mutex);