[CVE-2020-12464] USB: core: Fix free-while-in-use bug in the USB S-G library
FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug in the USB scatter-gather library. This bug occurs when cancellation of the S-G transfer races with transfer completion. When that happens, usb_sg_cancel() may continue to access the transfer's URBs after usb_sg_wait() has freed them.

The fix is to take such a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterward. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.

Change-Id: I0515468e3899b344b7133b631870b2f8f1523269
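The reference-counting pattern the commit describes, as an added, deliberately simplified model that is not the kernel's USB S-G library code: the struct and function names below (`sg_io_model`, `sg_submit`, `sg_cancel`, `sg_put`, `urb_complete`) are hypothetical stand-ins for the real `io->count`, `usb_sg_cancel()` and `usb_sg_wait()` paths. The race is reproduced deterministically by delivering every outstanding completion while the cancel loop is still walking the URB list; instead of dereferencing freed memory, the model counts each access that would have been a use-after-free, so the buggy and fixed variants can be compared directly.

```c
/* Added example (not kernel code): single-threaded model of the
 * cancel-vs-completion race and of the io->count reference that fixes it. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NURBS 3

struct urb_model {
    bool submitted;          /* still in flight */
};

struct sg_io_model {
    struct urb_model *urbs;  /* allocated on submit, freed when the transfer completes */
    int count;               /* outstanding references: in-flight URBs (+1 while cancelling) */
    bool complete;           /* models io->complete having fired */
    int uaf_touches;         /* accesses to urbs after they were freed (each one is a bug) */
};

static void sg_submit(struct sg_io_model *io)
{
    io->urbs = calloc(NURBS, sizeof(*io->urbs));
    for (int i = 0; i < NURBS; i++)
        io->urbs[i].submitted = true;
    io->count = NURBS;
    io->complete = false;
    io->uaf_touches = 0;
}

/* Drop one reference. When the last one goes, the transfer completes and
 * the URB array is released (models usb_sg_wait() freeing the URBs). */
static void sg_put(struct sg_io_model *io)
{
    if (--io->count == 0) {
        io->complete = true;
        free(io->urbs);
        io->urbs = NULL;
    }
}

/* Completion callback for one URB: marks it done and drops its reference. */
static void urb_complete(struct sg_io_model *io, int i)
{
    if (io->urbs == NULL) {  /* completion after the array is gone: would be a UAF */
        io->uaf_touches++;
        return;
    }
    if (!io->urbs[i].submitted)
        return;              /* already completed */
    io->urbs[i].submitted = false;
    sg_put(io);
}

/* Cancellation walk. hold_ref=false is the pre-fix behaviour; hold_ref=true
 * pins the URBs with an extra io->count reference for the whole walk. */
static int sg_cancel(struct sg_io_model *io, bool hold_ref)
{
    int unlinked = 0;
    if (hold_ref)
        io->count++;         /* the fix: our own reference keeps urbs alive */
    for (int i = 0; i < NURBS; i++) {
        if (io->urbs == NULL) {  /* freed under us: real code dereferences freed memory here */
            io->uaf_touches++;
            continue;
        }
        if (io->urbs[i].submitted)
            unlinked++;      /* real code would request unlink of this URB */
        if (i == 0)          /* race point: every in-flight URB completes right now */
            for (int j = 0; j < NURBS; j++)
                urb_complete(io, j);
    }
    if (hold_ref)
        sg_put(io);          /* release our reference; may be the one that completes the transfer */
    return unlinked;
}

/* Runs one submit/cancel scenario and returns how many freed-memory accesses occurred. */
static int run_scenario(bool hold_ref, struct sg_io_model *io)
{
    sg_submit(io);
    sg_cancel(io, hold_ref);
    return io->uaf_touches;
}

int main(void)
{
    struct sg_io_model io;
    printf("without reference: %d accesses after free (complete=%d)\n",
           run_scenario(false, &io), io.complete);
    printf("with reference:    %d accesses after free (complete=%d)\n",
           run_scenario(true, &io), io.complete);
    return 0;
}
```

In the unfixed variant the completions that arrive mid-walk drive `count` to zero and free the array while `sg_cancel` still has two URBs left to visit; in the fixed variant the same completions only bring `count` down to the cancel path's own reference, and the free happens when that reference is dropped at the end of the walk. Either way the transfer still completes, which is the property the commit message relies on.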