USB: yurex: Fix protection fault after device removal [Linux 5.1]

USB: yurex: Fix protection fault after device removal [Linux 5.1]

This Linux kernel change "USB: yurex: Fix protection fault after device removal" is included in the Linux 5.1 release. This change is authored by Alan Stern <stern [at] rowland.harvard.edu> on Tue Apr 23 14:48:29 2019 -0400. The commit for this change in Linux stable tree is ef61eb4 (patch).

USB: yurex: Fix protection fault after device removal

The syzkaller USB fuzzer found a general-protection-fault bug in the
yurex driver.  The fault occurs when a device has been unplugged; the
driver's interrupt-URB handler logs an error message referring to the
device by name, after the device has been unregistered and its name
deallocated.

This problem is caused by the fact that the interrupt URB isn't
cancelled until the driver's private data structure is released, which
can happen long after the device is gone.  The cure is to make sure
that the interrupt URB is killed before yurex_disconnect() returns;
this is exactly the sort of thing that usb_poison_urb() was meant for.

Signed-off-by: Alan Stern <[email protected]>
Reported-and-tested-by: [email protected]
CC: <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

There is one line of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/usb/misc/yurex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index 6d9fd5f..7b306aa 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -314,6 +314,7 @@ static void yurex_disconnect(struct usb_interface *interface)
    usb_deregister_dev(interface, &yurex_class);

    /* prevent more I/O from starting */
+   usb_poison_urb(dev->urb);
    mutex_lock(&dev->io_mutex);
    dev->interface = NULL;
    mutex_unlock(&dev->io_mutex);

Leave a Reply

Your email address will not be published. Required fields are marked *