From: Rohith Matam
To: mchehab@kernel.org
Cc: duoming@zju.edu.cn, hverkuil@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Rohith Matam, syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Subject: [PATCH] media: usb: siano: initialize URB work once
Date: Mon, 1 Jun 2026 02:18:55 -0400
Message-ID: <20260601061855.47423-1-rohithmatham@gmail.com>

smsusb_onresponse() reinitializes the URB work item immediately before scheduling it. If teardown races with a queued work item, cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ still set and trip the workqueue warning reported by syzbot.

Initialize each work item once when the URB is allocated, then schedule and cancel that initialized work item for the lifetime of the URB. With the work item always initialized, smsusb_stop_streaming() can cancel it unconditionally.

Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam
--- drivers/media/usb/siano/smsusb.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/sms= usb.c index 0fdc2e095..4e80ccc20 100644
--- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -143,7 +143,6 @@ static void smsusb_onresponse(struct urb *urb) =20 =20 exit_and_resubmit: - INIT_WORK(&surb->wq, do_submit_urb); schedule_work(&surb->wq); } =20 @@ -179,8 +178,7 @@ static void smsusb_stop_streaming(struct smsusb_device_= t *dev) =20 for (i =3D 0; i < MAX_URBS; i++) { usb_kill_urb(dev->surbs[i].urb); - if (dev->surbs[i].wq.func) - cancel_work_sync(&dev->surbs[i].wq); + cancel_work_sync(&dev->surbs[i].wq); =20 if (dev->surbs[i].cb) { smscore_putbuffer(dev->coredev, dev->surbs[i].cb); @@ -471,6 +469,7 @@ static int smsusb_init_device(struct usb_interface *int= f, int board_id) dev->surbs[i].urb =3D usb_alloc_urb(0, GFP_KERNEL); if (!dev->surbs[i].urb) goto err_unregister_device; + INIT_WORK(&dev->surbs[i].wq, do_submit_urb); } =20 pr_debug("smsusb_start_streaming(...).\n"); --=20 2.47.0
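
Review bot: In the smsusb_stop_streaming() hunk, a work item that runs between usb_kill_urb() returning and cancel_work_sync() can still act on the URB, and this change leaves that ordering as it was. The first hunk shows the completion handler smsusb_onresponse() ending in schedule_work(&surb->wq), so killing the URB can itself queue work; if do_submit_urb() resubmits the URB (its body is not part of this diff), the URB is live again when the following lines hand dev->surbs[i].cb back with smscore_putbuffer(). Please confirm that window is closed elsewhere, or consider usb_poison_urb() here (paired with usb_unpoison_urb() when streaming restarts), or a second usb_kill_urb() after cancel_work_sync(), so a late work item cannot resubmit.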
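
Review bot: In the smsusb_init_device() hunk, INIT_WORK() is placed after the `if (!dev->surbs[i].urb) goto err_unregister_device;` check, so when usb_alloc_urb() fails at index i the work items from i to MAX_URBS - 1 are never initialized. The second hunk removes the dev->surbs[i].wq.func guard, so if the err_unregister_device path (not shown in this diff) reaches smsusb_stop_streaming(), cancel_work_sync() runs on those uninitialized work structs, which does not match the changelog's "always initialized". Moving `INIT_WORK(&dev->surbs[i].wq, do_submit_urb);` above the usb_alloc_urb() call, or into its own loop ahead of any allocation, makes the unconditional cancel safe on every path.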