* [PATCH] media: usb: siano: initialize URB work once
@ 2026-06-01 6:18 Rohith Matam
2026-06-01 15:09 ` [PATCH v2] media: usb: siano: fix URB work teardown Rohith Matam
0 siblings, 1 reply; 6+ messages in thread
From: Rohith Matam @ 2026-06-01 6:18 UTC (permalink / raw)
To: mchehab
Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam,
syzbot+0d6ef2b7ceb6014d756c
smsusb_onresponse() reinitializes the URB work item immediately before
scheduling it. If teardown races with a queued work item,
cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ
still set and trip the workqueue warning reported by syzbot.
Initialize each work item once when the URB is allocated, then schedule
and cancel that initialized work item for the lifetime of the URB. With
the work item always initialized, smsusb_stop_streaming() can cancel it
unconditionally.
Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam <rohithmatham@gmail.com>
---
drivers/media/usb/siano/smsusb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 0fdc2e095..4e80ccc20 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -143,7 +143,6 @@ static void smsusb_onresponse(struct urb *urb)
exit_and_resubmit:
- INIT_WORK(&surb->wq, do_submit_urb);
schedule_work(&surb->wq);
}
@@ -179,8 +178,7 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
for (i = 0; i < MAX_URBS; i++) {
usb_kill_urb(dev->surbs[i].urb);
- if (dev->surbs[i].wq.func)
- cancel_work_sync(&dev->surbs[i].wq);
+ cancel_work_sync(&dev->surbs[i].wq);
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
@@ -471,6 +469,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL);
if (!dev->surbs[i].urb)
goto err_unregister_device;
+ INIT_WORK(&dev->surbs[i].wq, do_submit_urb);
}
pr_debug("smsusb_start_streaming(...).\n");
--
2.47.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH v2] media: usb: siano: fix URB work teardown 2026-06-01 6:18 [PATCH] media: usb: siano: initialize URB work once Rohith Matam @ 2026-06-01 15:09 ` Rohith Matam 2026-06-01 15:26 ` [PATCH v3] media: " Rohith Matam 0 siblings, 1 reply; 6+ messages in thread From: Rohith Matam @ 2026-06-01 15:09 UTC (permalink / raw) To: mchehab Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot. The teardown path also has two related lifetime bugs: URB_FREE_BUFFER makes USB core free a smscore-owned buffer, and a work item can submit an URB after usb_kill_urb() has already returned. Initialize each work item once before URB allocation, remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs again after canceling work so any URB submitted by an already-running worker is completed before buffers and the device are freed. Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c Signed-off-by: Rohith Matam <rohithmatham@gmail.com> --- Changes in v2: - Initialize all work items before allocating URBs. - Remove URB_FREE_BUFFER from smscore-owned buffers. - Stop resubmission before teardown and kill URBs again after canceling work. drivers/media/usb/siano/smsusb.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..e3ca51072 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,7 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -72,7 +73,8 @@ static void do_submit_urb(struct work_struct *work) struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; - smsusb_submit_urb(dev, surb); + if (READ_ONCE(dev->streaming)) + smsusb_submit_urb(dev, surb); } /* @@ -143,8 +145,8 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -168,8 +170,6 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; - return usb_submit_urb(surb->urb, GFP_ATOMIC); } @@ -177,10 +177,12 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; + WRITE_ONCE(dev->streaming, false); + for (i = 0; i < MAX_URBS; i++) { usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + cancel_work_sync(&dev->surbs[i].wq); + usb_kill_urb(dev->surbs[i].urb); if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); @@ -193,6 +195,8 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { @@ -468,6 +472,10 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + + for (i = 0; i < MAX_URBS; i++) { dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v3] media: siano: fix URB work teardown 2026-06-01 15:09 ` [PATCH v2] media: usb: siano: fix URB work teardown Rohith Matam @ 2026-06-01 15:26 ` Rohith Matam 2026-06-01 15:43 ` [PATCH v4] " Rohith Matam 0 siblings, 1 reply; 6+ messages in thread From: Rohith Matam @ 2026-06-01 15:26 UTC (permalink / raw) To: mchehab Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot. The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes USB core free a smscore-owned buffer, and a work item can submit an URB after usb_kill_urb() has already returned. If that submission fails, the worker keeps ownership of the smscore buffer and the streaming pipeline loses an URB. Initialize each work item before any error path can tear down the device, remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs again after canceling work so any URB submitted by an already-running worker is completed before buffers and the device are freed. Return the smscore buffer if URB submission fails. smscore_getbuffer() waits in TASK_UNINTERRUPTIBLE, so return buffers to the pool before waking waiters and use wake_up() instead of wake_up_interruptible(). Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c Signed-off-by: Rohith Matam <rohithmatham@gmail.com> --- Changes in v3: - Initialize work items before early probe error paths can call teardown. - Return the smscore buffer when URB submission fails. - Wake buffer waiters after returning the buffer, and use wake_up(). Changes in v2: - Initialize all work items before allocating URBs. - Remove URB_FREE_BUFFER from smscore-owned buffers. - Stop resubmission before teardown and kill URBs again after canceling work. drivers/media/common/siano/smscoreapi.c | 2 +- drivers/media/usb/siano/smsusb.c | 37 +++++++++++++++++++------ 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 017629e3c..e256344eb 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -1654,8 +1654,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer); */ void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb) { - wake_up_interruptible(&coredev->buffer_mng_waitq); list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock); + wake_up(&coredev->buffer_mng_waitq); } EXPORT_SYMBOL_GPL(smscore_putbuffer); diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..fab64e5fa 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,7 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -71,8 +72,14 @@ static void do_submit_urb(struct work_struct *work) { struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; + int rc; - smsusb_submit_urb(dev, surb); + if (!READ_ONCE(dev->streaming)) + return; + + rc = smsusb_submit_urb(dev, surb); + if (rc < 0 && READ_ONCE(dev->streaming)) + pr_err("smsusb_submit_urb(...) failed\n"); } /* @@ -143,13 +150,15 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, struct smsusb_urb_t *surb) { + int rc; + if (!surb->cb) { /* This function can sleep */ surb->cb = smscore_getbuffer(dev->coredev); @@ -168,19 +177,25 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; + rc = usb_submit_urb(surb->urb, GFP_ATOMIC); + if (rc) { + smscore_putbuffer(dev->coredev, surb->cb); + surb->cb = NULL; + } - return usb_submit_urb(surb->urb, GFP_ATOMIC); + return rc; } static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; + WRITE_ONCE(dev->streaming, false); + for (i = 0; i < MAX_URBS; i++) { usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + cancel_work_sync(&dev->surbs[i].wq); + usb_kill_urb(dev->surbs[i].urb); if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); @@ -193,6 +208,8 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { @@ -401,6 +418,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) if (!dev) return -ENOMEM; + for (i = 0; i < MAX_URBS; i++) { + dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + memset(¶ms, 0, sizeof(params)); usb_set_intfdata(intf, dev); dev->udev = interface_to_usbdev(intf); @@ -467,7 +489,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { - dev->surbs[i].dev = dev; dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v4] media: siano: fix URB work teardown 2026-06-01 15:26 ` [PATCH v3] media: " Rohith Matam @ 2026-06-01 15:43 ` Rohith Matam 2026-06-01 16:04 ` [PATCH v5] " Rohith Matam 0 siblings, 1 reply; 6+ messages in thread From: Rohith Matam @ 2026-06-01 15:43 UTC (permalink / raw) To: mchehab Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot. The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes USB core free a smscore-owned buffer, and a work item can submit an URB after usb_kill_urb() has already returned. If that submission fails, the worker keeps ownership of the smscore buffer and the streaming pipeline loses an URB. Initialize each work item before any error path can tear down the device, remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs again after canceling work so any URB submitted by an already-running worker is completed before buffers and the device are freed. Return the smscore buffer if URB submission fails. During teardown, kill all URBs first and return all held buffers before canceling work so a worker blocked in smscore_getbuffer() can make progress and exit. smscore_getbuffer() waits in TASK_UNINTERRUPTIBLE, so return buffers to the pool before waking waiters and use wake_up() instead of wake_up_interruptible(). Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c Signed-off-by: Rohith Matam <rohithmatham@gmail.com> --- Changes in v4: - During teardown, kill all URBs and return held buffers before canceling workers so smscore_getbuffer() waiters can wake and exit. Changes in v3: - Initialize work items before early probe error paths can call teardown. - Return the smscore buffer when URB submission fails. - Wake buffer waiters after returning the buffer, and use wake_up(). Changes in v2: - Initialize all work items before allocating URBs. - Remove URB_FREE_BUFFER from smscore-owned buffers. - Stop resubmission before teardown and kill URBs again after canceling work. drivers/media/common/siano/smscoreapi.c | 2 +- drivers/media/usb/siano/smsusb.c | 44 ++++++++++++++++++++----- 2 files changed, 36 insertions(+), 10 deletions(-) diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 017629e3c..e256344eb 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -1654,8 +1654,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer); */ void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb) { - wake_up_interruptible(&coredev->buffer_mng_waitq); list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock); + wake_up(&coredev->buffer_mng_waitq); } EXPORT_SYMBOL_GPL(smscore_putbuffer); diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..c941a05a4 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,7 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -71,8 +72,14 @@ static void do_submit_urb(struct work_struct *work) { struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; + int rc; - smsusb_submit_urb(dev, surb); + if (!READ_ONCE(dev->streaming)) + return; + + rc = smsusb_submit_urb(dev, surb); + if (rc < 0 && READ_ONCE(dev->streaming)) + pr_err("smsusb_submit_urb(...) failed\n"); } /* @@ -143,13 +150,15 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, struct smsusb_urb_t *surb) { + int rc; + if (!surb->cb) { /* This function can sleep */ surb->cb = smscore_getbuffer(dev->coredev); @@ -168,31 +177,44 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; + rc = usb_submit_urb(surb->urb, GFP_ATOMIC); + if (rc) { + smscore_putbuffer(dev->coredev, surb->cb); + surb->cb = NULL; + } - return usb_submit_urb(surb->urb, GFP_ATOMIC); + return rc; } static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; - for (i = 0; i < MAX_URBS; i++) { + WRITE_ONCE(dev->streaming, false); + + for (i = 0; i < MAX_URBS; i++) usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + for (i = 0; i < MAX_URBS; i++) { if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); dev->surbs[i].cb = NULL; } } + + for (i = 0; i < MAX_URBS; i++) + cancel_work_sync(&dev->surbs[i].wq); + + for (i = 0; i < MAX_URBS; i++) + usb_kill_urb(dev->surbs[i].urb); } static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { @@ -401,6 +423,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) if (!dev) return -ENOMEM; + for (i = 0; i < MAX_URBS; i++) { + dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + memset(¶ms, 0, sizeof(params)); usb_set_intfdata(intf, dev); dev->udev = interface_to_usbdev(intf); @@ -467,7 +494,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { - dev->surbs[i].dev = dev; dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v5] media: siano: fix URB work teardown 2026-06-01 15:43 ` [PATCH v4] " Rohith Matam @ 2026-06-01 16:04 ` Rohith Matam 2026-06-01 20:16 ` [PATCH v6] " Rohith Matam 0 siblings, 1 reply; 6+ messages in thread From: Rohith Matam @ 2026-06-01 16:04 UTC (permalink / raw) To: mchehab Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot. The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes USB core free a smscore-owned buffer, and a work item can submit an URB after usb_kill_urb() has already returned. If that submission fails, the worker keeps ownership of the smscore buffer and the streaming pipeline loses an URB. Initialize each work item before any error path can tear down the device, remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs again after canceling work so any URB submitted by an already-running worker is completed before buffers and the device are freed. Return the smscore buffer if URB submission fails. During teardown, wake workers blocked in smscore_getbuffer() by adding an abortable buffer wait. Then cancel work before returning any URB-owned buffer to avoid racing with workers that are still using surb->cb. Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c Signed-off-by: Rohith Matam <rohithmatham@gmail.com> --- Changes in v5: - Replace the v4 early-buffer-return ordering with an abortable smscore buffer wait so workers can exit before teardown returns surb->cb. Changes in v4: - During teardown, kill all URBs and return held buffers before canceling workers so smscore_getbuffer() waiters can wake and exit. Changes in v3: - Initialize work items before early probe error paths can call teardown. - Return the smscore buffer when URB submission fails. - Wake buffer waiters after returning the buffer, and use wake_up(). Changes in v2: - Initialize all work items before allocating URBs. - Remove URB_FREE_BUFFER from smscore-owned buffers. - Stop resubmission before teardown and kill URBs again after canceling work. drivers/media/common/siano/smscoreapi.c | 14 ++++++- drivers/media/common/siano/smscoreapi.h | 2 + drivers/media/usb/siano/smsusb.c | 55 +++++++++++++++++++------ 3 files changed, 58 insertions(+), 13 deletions(-) diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 017629e3c..23be7347d 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -1644,6 +1644,18 @@ struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev) } EXPORT_SYMBOL_GPL(smscore_getbuffer); +struct smscore_buffer_t * +smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort) +{ + struct smscore_buffer_t *cb = NULL; + + wait_event(coredev->buffer_mng_waitq, + READ_ONCE(*abort) || (cb = get_entry(coredev))); + + return cb; +} +EXPORT_SYMBOL_GPL(smscore_getbuffer_abortable); + /* * return buffer descriptor to a pool * @@ -1654,8 +1666,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer); */ void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb) { - wake_up_interruptible(&coredev->buffer_mng_waitq); list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock); + wake_up(&coredev->buffer_mng_waitq); } EXPORT_SYMBOL_GPL(smscore_putbuffer); diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h index d945a2d6d..f8a9e6ef7 100644 --- a/drivers/media/common/siano/smscoreapi.h +++ b/drivers/media/common/siano/smscoreapi.h @@ -1117,6 +1117,8 @@ extern void smscore_onresponse(struct smscore_device_t *coredev, extern struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev); +struct smscore_buffer_t * +smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort); extern void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb); diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..565543dbd 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,8 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; + bool stopping; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -71,8 +73,14 @@ static void do_submit_urb(struct work_struct *work) { struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; + int rc; - smsusb_submit_urb(dev, surb); + if (!READ_ONCE(dev->streaming)) + return; + + rc = smsusb_submit_urb(dev, surb); + if (rc < 0 && READ_ONCE(dev->streaming)) + pr_err("smsusb_submit_urb(...) failed\n"); } /* @@ -143,19 +151,22 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, struct smsusb_urb_t *surb) { + int rc; + if (!surb->cb) { /* This function can sleep */ - surb->cb = smscore_getbuffer(dev->coredev); + surb->cb = smscore_getbuffer_abortable(dev->coredev, + &dev->stopping); if (!surb->cb) { - pr_err("smscore_getbuffer(...) returned NULL\n"); - return -ENOMEM; + pr_debug("device is stopping\n"); + return -ESHUTDOWN; } } @@ -168,20 +179,33 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; + rc = usb_submit_urb(surb->urb, GFP_ATOMIC); + if (rc) { + smscore_putbuffer(dev->coredev, surb->cb); + surb->cb = NULL; + } - return usb_submit_urb(surb->urb, GFP_ATOMIC); + return rc; } static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; - for (i = 0; i < MAX_URBS; i++) { + WRITE_ONCE(dev->streaming, false); + WRITE_ONCE(dev->stopping, true); + wake_up(&dev->coredev->buffer_mng_waitq); + + for (i = 0; i < MAX_URBS; i++) usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + for (i = 0; i < MAX_URBS; i++) + cancel_work_sync(&dev->surbs[i].wq); + + for (i = 0; i < MAX_URBS; i++) + usb_kill_urb(dev->surbs[i].urb); + + for (i = 0; i < MAX_URBS; i++) { if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); dev->surbs[i].cb = NULL; @@ -193,6 +217,9 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->stopping, false); + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { @@ -401,6 +428,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) if (!dev) return -ENOMEM; + for (i = 0; i < MAX_URBS; i++) { + dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + memset(¶ms, 0, sizeof(params)); usb_set_intfdata(intf, dev); dev->udev = interface_to_usbdev(intf); @@ -467,7 +499,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { - dev->surbs[i].dev = dev; dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v6] media: siano: fix URB work teardown 2026-06-01 16:04 ` [PATCH v5] " Rohith Matam @ 2026-06-01 20:16 ` Rohith Matam 0 siblings, 0 replies; 6+ messages in thread From: Rohith Matam @ 2026-06-01 20:16 UTC (permalink / raw) To: mchehab Cc: duoming, hverkuil, linux-media, linux-kernel, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot. The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes USB core free a smscore-owned buffer, and a work item can submit an URB after usb_kill_urb() has already returned. If that submission fails, the worker keeps ownership of the smscore buffer and the streaming pipeline loses an URB. Initialize each work item before any error path can tear down the device, remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill URBs again after canceling work so any URB submitted by an already-running worker is completed before buffers and the device are freed. Return the smscore buffer if URB submission fails. During teardown, wake workers blocked in smscore_getbuffer() by adding an abortable buffer wait. Then cancel work before returning any URB-owned buffer to avoid racing with workers that are still using surb->cb. Guard the wakeup because early probe failure can call teardown before coredev is registered. Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c Signed-off-by: Rohith Matam <rohithmatham@gmail.com> --- Changes in v6: - Guard the buffer waitqueue wakeup for early probe failures before coredev has been registered. Changes in v5: - Replace the v4 early-buffer-return ordering with an abortable smscore buffer wait so workers can exit before teardown returns surb->cb. Changes in v4: - During teardown, kill all URBs and return held buffers before canceling workers so smscore_getbuffer() waiters can wake and exit. Changes in v3: - Initialize work items before early probe error paths can call teardown. - Return the smscore buffer when URB submission fails. - Wake buffer waiters after returning the buffer, and use wake_up(). Changes in v2: - Initialize all work items before allocating URBs. - Remove URB_FREE_BUFFER from smscore-owned buffers. - Stop resubmission before teardown and kill URBs again after canceling work. drivers/media/common/siano/smscoreapi.c | 14 ++++++- drivers/media/common/siano/smscoreapi.h | 2 + drivers/media/usb/siano/smsusb.c | 56 +++++++++++++++++++------ 3 files changed, 59 insertions(+), 13 deletions(-) diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 017629e3c..23be7347d 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -1644,6 +1644,18 @@ struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev) } EXPORT_SYMBOL_GPL(smscore_getbuffer); +struct smscore_buffer_t * +smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort) +{ + struct smscore_buffer_t *cb = NULL; + + wait_event(coredev->buffer_mng_waitq, + READ_ONCE(*abort) || (cb = get_entry(coredev))); + + return cb; +} +EXPORT_SYMBOL_GPL(smscore_getbuffer_abortable); + /* * return buffer descriptor to a pool * @@ -1654,8 +1666,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer); */ void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb) { - wake_up_interruptible(&coredev->buffer_mng_waitq); list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock); + wake_up(&coredev->buffer_mng_waitq); } EXPORT_SYMBOL_GPL(smscore_putbuffer); diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h index d945a2d6d..f8a9e6ef7 100644 --- a/drivers/media/common/siano/smscoreapi.h +++ b/drivers/media/common/siano/smscoreapi.h @@ -1117,6 +1117,8 @@ extern void smscore_onresponse(struct smscore_device_t *coredev, extern struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev); +struct smscore_buffer_t * +smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort); extern void smscore_putbuffer(struct smscore_device_t *coredev, struct smscore_buffer_t *cb); diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 0fdc2e095..98ae94e19 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -58,6 +58,8 @@ struct smsusb_device_t { unsigned char in_ep; unsigned char out_ep; enum smsusb_state state; + bool streaming; + bool stopping; }; static int smsusb_submit_urb(struct smsusb_device_t *dev, @@ -71,8 +73,14 @@ static void do_submit_urb(struct work_struct *work) { struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq); struct smsusb_device_t *dev = surb->dev; + int rc; - smsusb_submit_urb(dev, surb); + if (!READ_ONCE(dev->streaming)) + return; + + rc = smsusb_submit_urb(dev, surb); + if (rc < 0 && READ_ONCE(dev->streaming)) + pr_err("smsusb_submit_urb(...) failed\n"); } /* @@ -143,19 +151,22 @@ static void smsusb_onresponse(struct urb *urb) exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); - schedule_work(&surb->wq); + if (READ_ONCE(dev->streaming)) + schedule_work(&surb->wq); } static int smsusb_submit_urb(struct smsusb_device_t *dev, struct smsusb_urb_t *surb) { + int rc; + if (!surb->cb) { /* This function can sleep */ - surb->cb = smscore_getbuffer(dev->coredev); + surb->cb = smscore_getbuffer_abortable(dev->coredev, + &dev->stopping); if (!surb->cb) { - pr_err("smscore_getbuffer(...) returned NULL\n"); - return -ENOMEM; + pr_debug("device is stopping\n"); + return -ESHUTDOWN; } } @@ -168,20 +179,34 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev, smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; + rc = usb_submit_urb(surb->urb, GFP_ATOMIC); + if (rc) { + smscore_putbuffer(dev->coredev, surb->cb); + surb->cb = NULL; + } - return usb_submit_urb(surb->urb, GFP_ATOMIC); + return rc; } static void smsusb_stop_streaming(struct smsusb_device_t *dev) { int i; - for (i = 0; i < MAX_URBS; i++) { + WRITE_ONCE(dev->streaming, false); + WRITE_ONCE(dev->stopping, true); + if (dev->coredev) + wake_up(&dev->coredev->buffer_mng_waitq); + + for (i = 0; i < MAX_URBS; i++) usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + for (i = 0; i < MAX_URBS; i++) + cancel_work_sync(&dev->surbs[i].wq); + + for (i = 0; i < MAX_URBS; i++) + usb_kill_urb(dev->surbs[i].urb); + + for (i = 0; i < MAX_URBS; i++) { if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); dev->surbs[i].cb = NULL; @@ -193,6 +218,9 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev) { int i, rc; + WRITE_ONCE(dev->stopping, false); + WRITE_ONCE(dev->streaming, true); + for (i = 0; i < MAX_URBS; i++) { rc = smsusb_submit_urb(dev, &dev->surbs[i]); if (rc < 0) { @@ -401,6 +429,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) if (!dev) return -ENOMEM; + for (i = 0; i < MAX_URBS; i++) { + dev->surbs[i].dev = dev; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); + } + memset(¶ms, 0, sizeof(params)); usb_set_intfdata(intf, dev); dev->udev = interface_to_usbdev(intf); @@ -467,7 +500,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) /* initialize urbs */ for (i = 0; i < MAX_URBS; i++) { - dev->surbs[i].dev = dev; dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; -- 2.54.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-06-01 20:16 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-01 6:18 [PATCH] media: usb: siano: initialize URB work once Rohith Matam 2026-06-01 15:09 ` [PATCH v2] media: usb: siano: fix URB work teardown Rohith Matam 2026-06-01 15:26 ` [PATCH v3] media: " Rohith Matam 2026-06-01 15:43 ` [PATCH v4] " Rohith Matam 2026-06-01 16:04 ` [PATCH v5] " Rohith Matam 2026-06-01 20:16 ` [PATCH v6] " Rohith Matam
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox