Re: [PATCH v3] media: siano: fix URB work teardown

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Potential deadlock during device teardown due to unkillable wait in smscore_getbuffer().
--

commit 253a5b71eec477524dcacfed05b5e2e64ea4ebbe
Author: Rohith Matam <rohithmatham@gmail.com>

media: siano: fix URB work teardown

This commit reinitializes URB work items before scheduling to prevent workqueue
warnings during teardown races. It also removes URB_FREE_BUFFER to fix buffer
lifetime issues and adjusts buffer management wakeups.

Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c

> diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
> index 0fdc2e0950b77..fab64e5fa6804 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c

[ ... ]

> @@ -183,12 +192,15 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
>  {
>  	int i;
>  
> +	WRITE_ONCE(dev->streaming, false);
> +
>  	for (i = 0; i < MAX_URBS; i++) {
>  		usb_kill_urb(dev->surbs[i].urb);
> -		if (dev->surbs[i].wq.func)
> -			cancel_work_sync(&dev->surbs[i].wq);
> +		cancel_work_sync(&dev->surbs[i].wq);

[Severity: High]
This is a pre-existing issue, but can this sequence cause a deadlock during
teardown?

When smsusb_stop_streaming is called, it iterates over the URBs and calls
cancel_work_sync sequentially. If a worker thread executing do_submit_urb is
concurrently blocked inside smscore_getbuffer waiting for a buffer, it waits
in TASK_UNINTERRUPTIBLE without an abort condition:

drivers/media/common/siano/smscoreapi.c:smscore_getbuffer() {
        struct smscore_buffer_t *cb = NULL;

        wait_event(coredev->buffer_mng_waitq, (cb = get_entry(coredev)));

        return cb;
}

Because cancel_work_sync is waiting for this worker to finish, the teardown
loop halts and cannot proceed to subsequent URBs to release their buffers
back to the pool via smscore_putbuffer.

Since no more buffers will be returned during teardown, does the worker
sleep forever, causing cancel_work_sync to hang indefinitely?

> +		usb_kill_urb(dev->surbs[i].urb);
>  
>  		if (dev->surbs[i].cb) {
>  			smscore_putbuffer(dev->coredev, dev->surbs[i].cb);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260601152642.55313-1-rohithmatham@gmail.com?part=1