[PATCH] usb: usbtmc: Flush anchored URBs in usbtmc_release

Heitor Alves de Siqueira posted 1 patch 3 weeks, 5 days ago
When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

Fixes: 4f3c8d6eddc2 ("usb: usbtmc: Support Read Status Byte with SRQ per file")
Reported-by: syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f
Cc: stable@vger.kernel.org
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
 drivers/usb/class/usbtmc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 2526a0e03cde..3d6daa8b748e 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -254,6 +254,9 @@ static int usbtmc_release(struct inode *inode, struct file *file)
 	list_del(&file_data->file_elem);
 
 	spin_unlock_irq(&file_data->data->dev_lock);
+
+	/* flush anchored URBs */
+	usbtmc_draw_down(file_data);
 	mutex_unlock(&file_data->data->io_mutex);
 
 	kref_put(&file_data->data->kref, usbtmc_delete);
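Review bot: The new usbtmc_draw_down(file_data) call sits between spin_unlock_irq(&file_data->data->dev_lock) and mutex_unlock(&file_data->data->io_mutex), so it runs with io_mutex still held, and neither the comment nor the commit message says whether that placement is required. If usbtmc_draw_down() waits for outstanding URBs to complete, every other path that takes io_mutex on this device is blocked for the length of that wait on each close; please state in the changelog whether the drain has to happen under io_mutex (and why), or move the call to after mutex_unlock(). The comment "/* flush anchored URBs */" also only restates the call, and "flush" does not match the changelog, which says the call lets anchored URBs complete. A comment that records the reason would be more useful to the next reader, for example that the URBs anchored to this file_data must be finished before release returns, because their completion in the HCD giveback path would otherwise run after the per-file state is gone. It would also help to say which anchors on file_data are covered, since the use-after-free in the syzbot report depends on none of them being left with an URB in flight.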

---
base-commit: b29fb8829bff243512bb8c8908fd39406f9fd4c3
change-id: 20260311-usbtmc-flush-release-5d9c60e1a3ec

Best regards,
-- 
Heitor Alves de Siqueira <halves@igalia.com>