From: Rohith Matam
To: mchehab@kernel.org
Cc: duoming@zju.edu.cn, hverkuil@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Subject: [PATCH v2] media: usb: siano: fix URB work teardown
Date: Mon, 1 Jun 2026 11:09:22 -0400
Message-ID: <20260601150922.52822-1-rohithmatham@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260601061855.47423-1-rohithmatham@gmail.com>
References: <20260601061855.47423-1-rohithmatham@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

smsusb_onresponse() reinitializes the URB work item immediately before
scheduling it. If teardown races with a queued work item,
cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ
still set and trip the workqueue warning reported by syzbot.

The teardown path also has two related lifetime bugs: URB_FREE_BUFFER
makes USB core free a smscore-owned buffer, and a work item can submit
an URB after usb_kill_urb() has already returned.

Initialize each work item once before URB allocation, remove
URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs
again after canceling work so any URB submitted by an already-running
worker is completed before buffers and the device are freed.

Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam
---
Changes in v2:
- Initialize all work items before allocating URBs.
- Remove URB_FREE_BUFFER from smscore-owned buffers.
- Stop resubmission before teardown and kill URBs again after canceling work.

 drivers/media/usb/siano/smsusb.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..e3ca51072 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,7 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -72,7 +73,8 @@ static void do_submit_urb(struct work_struct *work) struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; - smsusb_submit_urb(dev, surb); + if (READ_ONCE(dev->streaming)) + smsusb_submit_urb(dev, surb); } /* @@ -143,8 +145,8 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -168,8 +170,6 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; - return usb_submit_urb(surb->urb, GFP_ATOMIC); } @@ -177,10 +177,12 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; + WRITE_ONCE(dev->streaming, false); + for (i = 0; i < MAX_URBS; i++) { usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + cancel_work_sync(&dev->surbs[i].wq); + usb_kill_urb(dev->surbs[i].urb); if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); @@ -193,6 +195,8 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { 
@@ -468,6 +472,10 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + + for (i = 0; i < MAX_URBS; i++) { dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0
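Review bot: in the `@@ -58,6 +58,7 @@` hunk the new `bool streaming;` field carries no comment, yet it is the only thing coordinating the completion handler, the worker and the teardown path, and it is accessed exclusively through `READ_ONCE()`/`WRITE_ONCE()` with no lock. State its role next to the declaration, along with the rule that it is cleared before the first `usb_kill_urb()` in `smsusb_stop_streaming()` and set before the first `smsusb_submit_urb()` in `smsusb_start_streaming()`, so the next reader does not have to reconstruct the protocol from four hunks.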
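Review bot: in the `@@ -143,8 +145,8 @@` hunk the `READ_ONCE(dev->streaming)` test before `schedule_work()` narrows the race but does not close it on its own: a completion that observes the flag as true just before `smsusb_stop_streaming()` clears it still queues the work, and `READ_ONCE()`/`WRITE_ONCE()` give no ordering against the `usb_kill_urb()` calls. The argument for why this is still correct (the first `usb_kill_urb()` waits for this completion to return, `cancel_work_sync()` then drains whatever it queued, and the second `usb_kill_urb()` covers a worker that passed its own check) exists only in the commit message; a short comment at `exit_and_resubmit:` pointing at the teardown sequence would keep a later cleanup from dropping one of those steps.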
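Review bot: in the `@@ -168,8 +170,6 @@` hunk, dropping `URB_FREE_BUFFER` is right, but with the flag gone the submission site no longer says who owns the transfer buffer. A one-line comment near the `usb_fill_bulk_urb()` call stating that the buffer belongs to smscore and is returned with `smscore_putbuffer()` in `smsusb_stop_streaming()` (visible in the following hunk) would document why USB core must not free it, and would make a reintroduction of the flag stand out in review.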
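Review bot: in the `@@ -177,10 +177,12 @@` hunk the second `usb_kill_urb()` after `cancel_work_sync()` reads as redundant at first glance and is the step most likely to be removed by a future cleanup; add a comment that it completes an URB submitted by a worker that passed the `streaming` check before `WRITE_ONCE(dev->streaming, false)` took effect. Removing the `if (dev->surbs[i].wq.func)` guard is only safe because every `wq` is now initialized before the first `usb_alloc_urb()` can fail (last hunk); if `smsusb_stop_streaming()` is reachable from that error path with some `urb` pointers still NULL, note that `usb_kill_urb()` tolerates NULL while `cancel_work_sync()` on a never-initialized `work_struct` does not, so the unconditional `cancel_work_sync()` depends on that initialization order.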
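Review bot: in the `@@ -468,6 +472,10 @@` hunk the split into two loops is deliberate (every work item must be initialized before the first allocation can `goto err_unregister_device`, so teardown may `cancel_work_sync()` all `MAX_URBS` slots), but nothing in the code says so, and the existing `/* initialize urbs */` comment now sits above a loop that initializes work items rather than URBs. Suggest moving that comment down to the second loop and giving the first one its own, e.g. `/* init every work item first: teardown cancels all of them */`, so the two loops are not merged back together later.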