On Tue, 26 Nov 2019, Pete Zaitcev wrote:

> On Tue, 26 Nov 2019 10:20:14 -0500 (EST)
> Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > > Signed-off-by: Pete Zaitcev <zaitcev@xxxxxxxxxx>
> > > Reported-by: syzbot+56f9673bb4cdcbeb0e92@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > Reviewed-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
>
> Thanks.
> > > Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
>
> Indeed... Either I didn't think that one through, or the copy_to_user
> used not to take the mmap_sem.

copy_to_user doesn't, but the fault handler does (the core handler, not
the fault routine in mon_bin.c).  After all, it doesn't want the memory
map to change while a page is being read in to satisfy the fault.

Alan Stern
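The point Alan makes is the general one: copy_to_user() itself takes no lock, but if the destination user page is not resident it faults, and the core fault handler runs under mmap_sem before it calls the driver's vma ->fault routine. So any driver lock that is held across copy_to_user() and is also taken from ->fault is ordered both before and after mmap_sem. The following is an added user-space model of that ordering, written to illustrate the thread; it is not kernel code and not the usbmon patch under review. "driver_lock" is a hypothetical name for whatever per-driver lock a read() path and a ->fault routine might share, and the call sequences are assumptions for illustration. It records the order in which locks are taken, the way lockdep does, and reports an inversion or a recursive acquisition:

```c
/*
 * Lock-order model of "driver lock held across copy_to_user()".
 * Added example, not kernel code and not the usbmon patch. "driver_lock"
 * is a hypothetical name for any per-driver lock taken both in read()
 * and in the driver's vma ->fault routine; the call sequences below are
 * assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

static const char *names[MAX_LOCKS];      /* lock id -> name */
static int nlocks;
static int before[MAX_LOCKS][MAX_LOCKS];  /* before[a][b]: a held when b taken */
static int held[MAX_LOCKS];               /* locks held by the simulated task */
static int nheld;
static int violations;

static void reset(void)
{
	memset(before, 0, sizeof before);
	nlocks = nheld = violations = 0;
}

static int lock_id(const char *name)
{
	int i;
	for (i = 0; i < nlocks; i++)
		if (strcmp(names[i], name) == 0)
			return i;
	names[nlocks] = name;
	return nlocks++;
}

/* Is there a recorded ordering chain from -> ... -> to? */
static int reaches(int from, int to, int *visited)
{
	int i;
	if (from == to)
		return 1;
	visited[from] = 1;
	for (i = 0; i < nlocks; i++)
		if (before[from][i] && !visited[i] && reaches(i, to, visited))
			return 1;
	return 0;
}

static void acquire(const char *name)
{
	int id = lock_id(name), i;
	for (i = 0; i < nheld; i++) {
		int visited[MAX_LOCKS] = {0};
		if (held[i] == id) {
			printf("recursive lock: %s taken while already held\n", names[id]);
			violations++;
		} else if (reaches(id, held[i], visited)) {
			printf("lock inversion: taking %s while holding %s, but %s -> %s "
			       "is already recorded\n", names[id], names[held[i]],
			       names[id], names[held[i]]);
			violations++;
		} else {
			before[held[i]][id] = 1;   /* remember: held[i] before id */
		}
	}
	held[nheld++] = id;
}

static void release(const char *name)
{
	if (nheld > 0 && held[nheld - 1] == lock_id(name))
		nheld--;
}

/* Fault on the driver's mmap()ed buffer: the core fault handler takes
 * mmap_sem and only then calls the driver's vma ->fault routine. */
static void fault_path(int fault_takes_driver_lock)
{
	acquire("mmap_sem");
	if (fault_takes_driver_lock) {
		acquire("driver_lock");
		release("driver_lock");
	}
	release("mmap_sem");
}

/* copy_to_user() takes no lock itself, but a non-resident destination
 * page faults, and that fault is serviced under mmap_sem. */
static void copy_to_user_sim(int dest_page_absent, int fault_takes_driver_lock)
{
	if (dest_page_absent)
		fault_path(fault_takes_driver_lock);
}

/* read(): the driver lock guards its queue; the question is whether it is
 * still held when the data is copied out to a user page that is absent. */
static void read_path(int hold_lock_across_copy, int fault_takes_driver_lock)
{
	acquire("driver_lock");
	if (!hold_lock_across_copy)
		release("driver_lock");
	copy_to_user_sim(1, fault_takes_driver_lock);
	if (hold_lock_across_copy)
		release("driver_lock");
}

/* Replay one fault followed by one read() for a given driver design and
 * return the number of lock-order problems found (0 means clean). */
static int check_design(int fault_takes_driver_lock, int hold_lock_across_copy)
{
	reset();
	fault_path(fault_takes_driver_lock);
	read_path(hold_lock_across_copy, fault_takes_driver_lock);
	return violations;
}

int main(void)
{
	printf("fault takes driver lock, read holds it across copy: %d\n", check_design(1, 1));
	printf("fault takes driver lock, read drops it before copy: %d\n", check_design(1, 0));
	printf("fault leaves driver lock alone, read holds it:      %d\n", check_design(0, 1));
	return 0;
}
```

The first design reports two problems: the inversion (driver_lock held while mmap_sem is taken, after mmap_sem -> driver_lock was recorded by the fault path) and the recursive acquisition when the fault routine reaches for the lock the same task already holds. The model treats every lock as exclusive; mmap_sem is an rwsem held for read in the fault path, so two readers alone do not block each other, but the inversion becomes a real deadlock as soon as a writer (an mmap or munmap in another task) queues between them, which is why lockdep reports the ordering regardless. The practical rule is that a lock taken from ->fault, or from anything else that runs under mmap_sem, must not be held across copy_to_user() or copy_from_user(); drop it first, or copy through a kernel buffer outside the critical section.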