git.baikalelectronics.ru Git - kernel.git/commit

author	Alan Stern <stern@rowland.harvard.edu>
	Tue, 23 Apr 2019 18:48:29 +0000 (14:48 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 25 Apr 2019 09:11:41 +0000 (11:11 +0200)
commit	ea48ba59e479709fd9e87f07bfc84f7949a943ee
tree	6baba96101522d8530b2ce1532848f7d5ad5f13a	tree \| snapshot
parent	f91f46e9d074980c971ae968cb0fb8e7713868dc	commit \| diff

USB: yurex: Fix protection fault after device removal

The syzkaller USB fuzzer found a general-protection-fault bug in the
yurex driver. The fault occurs when a device has been unplugged; the
driver's interrupt-URB handler logs an error message referring to the
device by name, after the device has been unregistered and its name
deallocated.

This problem is caused by the fact that the interrupt URB isn't
cancelled until the driver's private data structure is released, which
can happen long after the device is gone. The cure is to make sure
that the interrupt URB is killed before yurex_disconnect() returns;
this is exactly the sort of thing that usb_poison_urb() was meant for.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>