diff mbox series

[4.14,018/136] usblp: poison URBs upon disconnect

Message ID	20200623195304.531664649@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=+x35=AE=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Oliver Neukum <oneukum@suse.com>, syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com, Sasha Levin <sashal@kernel.org> Subject: [PATCH 4.14 018/136] usblp: poison URBs upon disconnect Date: Tue, 23 Jun 2020 21:57:54 +0200 Message-Id: <20200623195304.531664649@linuxfoundation.org> In-Reply-To: <20200623195303.601828702@linuxfoundation.org> References: <20200623195303.601828702@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.14,002/136] drm/i915: Whitelist context-local timestamp in the gen9 cmdparser [4.14,003/136] power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select [4.14,004/136] clk: sunxi: Fix incorrect usage of round_down() [4.14,007/136] remoteproc: Fix IDR initialisation in rproc_alloc() [4.14,008/136] clk: qcom: msm8916: Fix the address location of pll->config_reg [4.14,009/136] backlight: lp855x: Ensure regulators are disabled on probe failure [4.14,011/136] ARM: integrator: Add some Kconfig selections [4.14,014/136] scsi: qla2xxx: Fix issue with adapters stopping state [4.14,016/136] f2fs: report delalloc reserve as non-free in statfs for project quota [4.14,018/136] usblp: poison URBs upon disconnect [4.14,022/136] vfio/pci: fix memory leaks in alloc_perm_bits() [4.14,023/136] m68k/PCI: Fix a memory leak in an error handling path [4.14,024/136] mfd: wm8994: Fix driver operation if loaded as modules [4.14,025/136] scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event [4.14,027/136] powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 event... [4.14,029/136] powerpc/crashkernel: Take "mem=" option into account [4.14,032/136] mksysmap: Fix the mismatch of .L symbols in System.map [4.14,035/136] scsi: ibmvscsi: Dont send host info in adapter info MAD after LPM [4.14,037/136] staging: rtl8712: fix multiline derefernce warnings [4.14,038/136] scsi: qedi: Do not flush offload work if ARP not resolved [4.14,039/136] ALSA: usb-audio: Improve frames size computation [4.14,043/136] staging: sm750fb: add missing case while setting FB_VISUAL [4.14,045/136] serial: amba-pl011: Make sure we initialize the port.lock spinlock [4.14,046/136] drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver... [4.14,047/136] PCI: rcar: Fix incorrect programming of OB windows [4.14,049/136] scsi: qla2xxx: Fix warning after FC target reset [4.14,052/136] scsi: mpt3sas: Fix double free warnings [4.14,053/136] dlm: remove BUG() before panic() [4.14,054/136] clk: ti: composite: fix memory leak [4.14,055/136] PCI: Fix pci_register_host_bridge() device_register() error handling [4.14,057/136] tty: n_gsm: Fix waking up upper tty layer when room available [4.14,059/136] powerpc/ps3: Fix kexec shutdown hang [4.14,061/136] usb/ohci-platform: Fix a warning when hibernating [4.14,062/136] drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation [4.14,065/136] clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 [4.14,066/136] powerpc/64s/pgtable: fix an undefined behaviour [4.14,067/136] dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone [4.14,069/136] IB/cma: Fix ports memory leak in cma_configfs [4.14,071/136] usb: dwc2: gadget: move gadget resume after the core is in L0 state [4.14,073/136] usb: gadget: lpc32xx_udc: dont dereference ep pointer before null check [4.14,075/136] usb: gadget: Fix issue with config_ep_by_speed function [4.14,080/136] NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION [4.14,081/136] powerpc/4xx: Dont unmap NULL mbase [4.14,082/136] extcon: adc-jack: Fix an error handling path in adc_jack_probe() [4.14,086/136] gfs2: Allow lock_nolock mount to specify jid=X [4.14,087/136] scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj [4.14,090/136] pinctrl: freescale: imx: Fix an error handling path in imx_pinctrl_probe() [4.14,091/136] crypto: omap-sham - add proper load balancing support for multicore [4.14,092/136] geneve: change from tx_error to tx_dropped on missing metadata [4.14,093/136] lib/zlib: remove outdated and incorrect pre-increment optimization [4.14,094/136] include/linux/bitops.h: avoid clang shift-count-overflow warnings [4.14,095/136] elfnote: mark all .note sections SHF_ALLOC [4.14,097/136] blktrace: use errno instead of bi_status [4.14,098/136] blktrace: fix endianness in get_pdu_int() [4.14,099/136] blktrace: fix endianness for blk_log_remap() [4.14,100/136] gfs2: fix use-after-free on transaction ail lists [4.14,101/136] selftests/net: in timestamping, strncpy needs to preserve null byte [4.14,104/136] usb/xhci-plat: Set PM runtime as active on resume [4.14,105/136] usb/ehci-platform: Set PM runtime as active on resume [4.14,107/136] bcache: fix potential deadlock problem in btree_gc_coalesce [4.14,108/136] block: Fix use-after-free in blkdev_get() [4.14,110/136] libata: Use per port sync for detach [4.14,113/136] drm/qxl: Use correct notify port address when creating cursor ring [4.14,114/136] selinux: fix double free [4.14,116/136] drm/dp_mst: Increase ACT retry timeout to 3s [4.14,120/136] mtd: rawnand: diskonchip: Fix the probe error path [4.14,122/136] mtd: rawnand: xway: Fix the probe error path [4.14,123/136] mtd: rawnand: orion: Fix the probe error path [4.14,125/136] mtd: rawnand: oxnas: Fix the probe error path [4.14,126/136] mtd: rawnand: socrates: Fix the probe error path [4.14,129/136] mtd: rawnand: tmio: Fix the probe error path [4.14,130/136] crypto: algif_skcipher - Cap recv SG list at ctx->used [4.14,133/136] e1000e: Do not wake up the system via WOL if device wakeup is disabled

Commit Message

Greg Kroah-Hartman June 23, 2020, 7:57 p.m. UTC

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 296a193b06120aa6ae7cf5c0d7b5e5b55968026e ]

syzkaller reported an URB that should have been killed to be active.
We do not understand it, but this should fix the issue if it is real.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20200507085806.5793-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/class/usblp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 5e456a83779d5..b0471ce34011a 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -481,7 +481,8 @@  static int usblp_release(struct inode *inode, struct file *file)
 	usb_autopm_put_interface(usblp->intf);
 
 	if (!usblp->present)		/* finish cleanup from disconnect */
-		usblp_cleanup(usblp);
+		usblp_cleanup(usblp);	/* any URBs must be dead */
+
 	mutex_unlock(&usblp_mutex);
 	return 0;
 }
@@ -1388,9 +1389,11 @@  static void usblp_disconnect(struct usb_interface *intf)
 
 	usblp_unlink_urbs(usblp);
 	mutex_unlock(&usblp->mut);
+	usb_poison_anchored_urbs(&usblp->urbs);
 
 	if (!usblp->used)
 		usblp_cleanup(usblp);
+
 	mutex_unlock(&usblp_mutex);
 }