tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

usb: usbtmc: Flush anchored URBs in usbtmc_release

When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

Fixes: 4f3c8d6eddc2 ("usb: usbtmc: Support Read Status Byte with SRQ per file")
Reported-by: syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f
Cc: stable <stable@kernel.org>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260312-usbtmc-flush-release-v1-1-5755e9f4336f@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Heitor Alves de Siqueira and committed by
Greg Kroah-Hartman 8a768552 e1eabb07

+3
+3
drivers/usb/class/usbtmc.c
··· 254 254 list_del(&file_data->file_elem); 255 255 256 256 spin_unlock_irq(&file_data->data->dev_lock); 257 + 258 + /* flush anchored URBs */ 259 + usbtmc_draw_down(file_data); 257 260 mutex_unlock(&file_data->data->io_mutex); 258 261 259 262 kref_put(&file_data->data->kref, usbtmc_delete);