1. Patchew
  2. linux
  3. View series

[PATCH] media: usb: siano: do not free urb-specific transfer buffer

Nikita Zhandarovich posted 1 patch 6 months, 3 weeks ago 
drivers/media/usb/siano/smsusb.c | 1 -
1 file changed, 1 deletion(-)
[PATCH] media: usb: siano: do not free urb-specific transfer buffer
Posted by Nikita Zhandarovich 6 months, 3 weeks ago 
Since siano driver uses separately allocated buffers for urb tranfers,
such as smscore_buffer_t *cb, and deals with them accordingly
via calls to smscore_putbuffer() in smsusb_stop_streaming(), there is
no need to attempt to free urb->transfer_buffer by adding a
URB_FREE_BUFFER to urb transfer flags. As syzkaller shows, it triggers
a warning which will bring about proper crash on systems with
'panic_on_warn' set.

Therefore, skip the flag setting step to fix the issue. This change
was tested exclusively with syz-repros and KMEMLEAK sanitizer.

The idea for this patch was originally devised by Hillf Danton.

Suggested-by: Hillf Danton <hdanton@sina.com>
Reported-by: syzbot+b466336413a1fba398a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
Fixes: 564246fd3ff4 ("media: siano: Fix coherent memory allocation failure on arm64")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
 drivers/media/usb/siano/smsusb.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 2c8179a84991..a78b1c233aad 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -168,7 +168,6 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev,
 		smsusb_onresponse,
 		surb
 	);
-	surb->urb->transfer_flags |= URB_FREE_BUFFER;
 
 	return usb_submit_urb(surb->urb, GFP_ATOMIC);
 }
Re: [PATCH] media: usb: siano: do not free urb-specific transfer buffer
Posted by Nikita Zhandarovich 6 months, 1 week ago 
Gentle ping...

On 5/22/25 17:00, Nikita Zhandarovich wrote:
> Since siano driver uses separately allocated buffers for urb tranfers,
> such as smscore_buffer_t *cb, and deals with them accordingly
> via calls to smscore_putbuffer() in smsusb_stop_streaming(), there is
> no need to attempt to free urb->transfer_buffer by adding a
> URB_FREE_BUFFER to urb transfer flags. As syzkaller shows, it triggers
> a warning which will bring about proper crash on systems with
> 'panic_on_warn' set.
> 
> Therefore, skip the flag setting step to fix the issue. This change
> was tested exclusively with syz-repros and KMEMLEAK sanitizer.
> 
> The idea for this patch was originally devised by Hillf Danton.
> 
> Suggested-by: Hillf Danton <hdanton@sina.com>
> Reported-by: syzbot+b466336413a1fba398a5@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
> Fixes: 564246fd3ff4 ("media: siano: Fix coherent memory allocation failure on arm64")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
> ---
>  drivers/media/usb/siano/smsusb.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
> index 2c8179a84991..a78b1c233aad 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c
> @@ -168,7 +168,6 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev,
>  		smsusb_onresponse,
>  		surb
>  	);
> -	surb->urb->transfer_flags |= URB_FREE_BUFFER;
>  
>  	return usb_submit_urb(surb->urb, GFP_ATOMIC);
>  }

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.