1. Patchew
  2. linux
  3. View series

[PATCH] media: pvrusb2: fix URB leak in pvr2_send_request_ex

Szymon Wilczek posted 1 patch 1 month, 2 weeks ago 
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] media: pvrusb2: fix URB leak in pvr2_send_request_ex
Posted by Szymon Wilczek 1 month, 2 weeks ago 
When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb().

Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.

Reported-by: syzbot+405dcd13121ff75a9e16@syzkaller.appspotmail.com

Closes: https://syzkaller.appspot.com/bug?extid=405dcd13121ff75a9e16
Signed-off-by: Szymon Wilczek <szymonwilczek@gmx.com>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index b32bb906a9de..5807734ae26c 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -3709,6 +3709,11 @@ status);
 				   "Failed to submit read-control URB status=%d",
 status);
 			hdw->ctl_read_pend_flag = 0;
+			if (hdw->ctl_write_pend_flag) {
+				usb_unlink_urb(hdw->ctl_write_urb);
+				while (hdw->ctl_write_pend_flag)
+					wait_for_completion(&hdw->ctl_done);
+			}
 			goto done;
 		}
 	}
-- 
2.52.0
Re: [PATCH] media: pvrusb2: fix URB leak in pvr2_send_request_ex
Posted by Mike Isely 1 month, 2 weeks ago 
Acked-By: Mike Isely <isely@pobox.com>

On Sat, 20 Dec 2025, Szymon Wilczek wrote:

> When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb().
> 
> Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.
> 
> Reported-by: syzbot+405dcd13121ff75a9e16@syzkaller.appspotmail.com
> 
> Closes: https://syzkaller.appspot.com/bug?extid=405dcd13121ff75a9e16
> Signed-off-by: Szymon Wilczek <szymonwilczek@gmx.com>
> ---
>  drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> index b32bb906a9de..5807734ae26c 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> @@ -3709,6 +3709,11 @@ status);
>  				   "Failed to submit read-control URB status=%d",
>  status);
>  			hdw->ctl_read_pend_flag = 0;
> +			if (hdw->ctl_write_pend_flag) {
> +				usb_unlink_urb(hdw->ctl_write_urb);
> +				while (hdw->ctl_write_pend_flag)
> +					wait_for_completion(&hdw->ctl_done);
> +			}
>  			goto done;
>  		}
>  	}
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.