drivers/media/common/siano/smscoreapi.c | 2 +- drivers/media/usb/siano/smsusb.c | 44 ++++++++++++++++++++----- 2 files changed, 36 insertions(+), 10 deletions(-)
smsusb_onresponse() reinitializes the URB work item immediately before
scheduling it. If teardown races with a queued work item,
cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ
still set and trip the workqueue warning reported by syzbot.
The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes
USB core free a smscore-owned buffer, and a work item can submit an URB
after usb_kill_urb() has already returned. If that submission fails, the
worker keeps ownership of the smscore buffer and the streaming pipeline
loses an URB.
Initialize each work item before any error path can tear down the device,
remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill
URBs again after canceling work so any URB submitted by an already-running
worker is completed before buffers and the device are freed. Return the
smscore buffer if URB submission fails.
During teardown, kill all URBs first and return all held buffers before
canceling work so a worker blocked in smscore_getbuffer() can make
progress and exit. smscore_getbuffer() waits in TASK_UNINTERRUPTIBLE, so
return buffers to the pool before waking waiters and use wake_up()
instead of wake_up_interruptible().
Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam <rohithmatham@gmail.com>
---
Changes in v4:
- During teardown, kill all URBs and return held buffers before canceling
workers so smscore_getbuffer() waiters can wake and exit.
Changes in v3:
- Initialize work items before early probe error paths can call teardown.
- Return the smscore buffer when URB submission fails.
- Wake buffer waiters after returning the buffer, and use wake_up().
Changes in v2:
- Initialize all work items before allocating URBs.
- Remove URB_FREE_BUFFER from smscore-owned buffers.
- Stop resubmission before teardown and kill URBs again after canceling work.
drivers/media/common/siano/smscoreapi.c | 2 +-
drivers/media/usb/siano/smsusb.c | 44 ++++++++++++++++++++-----
2 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
index 017629e3c..e256344eb 100644
--- a/drivers/media/common/siano/smscoreapi.c
+++ b/drivers/media/common/siano/smscoreapi.c
@@ -1654,8 +1654,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer);
*/
void smscore_putbuffer(struct smscore_device_t *coredev,
struct smscore_buffer_t *cb) {
- wake_up_interruptible(&coredev->buffer_mng_waitq);
list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock);
+ wake_up(&coredev->buffer_mng_waitq);
}
EXPORT_SYMBOL_GPL(smscore_putbuffer);
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 0fdc2e095..c941a05a4 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -58,6 +58,7 @@ struct smsusb_device_t {
unsigned char in_ep;
unsigned char out_ep;
enum smsusb_state state;
+ bool streaming;
};
static int smsusb_submit_urb(struct smsusb_device_t *dev,
@@ -71,8 +72,14 @@ static void do_submit_urb(struct work_struct *work)
{
struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq);
struct smsusb_device_t *dev = surb->dev;
+ int rc;
- smsusb_submit_urb(dev, surb);
+ if (!READ_ONCE(dev->streaming))
+ return;
+
+ rc = smsusb_submit_urb(dev, surb);
+ if (rc < 0 && READ_ONCE(dev->streaming))
+ pr_err("smsusb_submit_urb(...) failed\n");
}
/*
@@ -143,13 +150,15 @@ static void smsusb_onresponse(struct urb *urb)
exit_and_resubmit:
- INIT_WORK(&surb->wq, do_submit_urb);
- schedule_work(&surb->wq);
+ if (READ_ONCE(dev->streaming))
+ schedule_work(&surb->wq);
}
static int smsusb_submit_urb(struct smsusb_device_t *dev,
struct smsusb_urb_t *surb)
{
+ int rc;
+
if (!surb->cb) {
/* This function can sleep */
surb->cb = smscore_getbuffer(dev->coredev);
@@ -168,31 +177,44 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev,
smsusb_onresponse,
surb
);
- surb->urb->transfer_flags |= URB_FREE_BUFFER;
+ rc = usb_submit_urb(surb->urb, GFP_ATOMIC);
+ if (rc) {
+ smscore_putbuffer(dev->coredev, surb->cb);
+ surb->cb = NULL;
+ }
- return usb_submit_urb(surb->urb, GFP_ATOMIC);
+ return rc;
}
static void smsusb_stop_streaming(struct smsusb_device_t *dev)
{
int i;
- for (i = 0; i < MAX_URBS; i++) {
+ WRITE_ONCE(dev->streaming, false);
+
+ for (i = 0; i < MAX_URBS; i++)
usb_kill_urb(dev->surbs[i].urb);
- if (dev->surbs[i].wq.func)
- cancel_work_sync(&dev->surbs[i].wq);
+ for (i = 0; i < MAX_URBS; i++) {
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
dev->surbs[i].cb = NULL;
}
}
+
+ for (i = 0; i < MAX_URBS; i++)
+ cancel_work_sync(&dev->surbs[i].wq);
+
+ for (i = 0; i < MAX_URBS; i++)
+ usb_kill_urb(dev->surbs[i].urb);
}
static int smsusb_start_streaming(struct smsusb_device_t *dev)
{
int i, rc;
+ WRITE_ONCE(dev->streaming, true);
+
for (i = 0; i < MAX_URBS; i++) {
rc = smsusb_submit_urb(dev, &dev->surbs[i]);
if (rc < 0) {
@@ -401,6 +423,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
if (!dev)
return -ENOMEM;
+ for (i = 0; i < MAX_URBS; i++) {
+ dev->surbs[i].dev = dev;
+ INIT_WORK(&dev->surbs[i].wq, do_submit_urb);
+ }
+
memset(¶ms, 0, sizeof(params));
usb_set_intfdata(intf, dev);
dev->udev = interface_to_usbdev(intf);
@@ -467,7 +494,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
/* initialize urbs */
for (i = 0; i < MAX_URBS; i++) {
- dev->surbs[i].dev = dev;
dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL);
if (!dev->surbs[i].urb)
goto err_unregister_device;
--
2.54.0smsusb_onresponse() reinitializes the URB work item immediately before
scheduling it. If teardown races with a queued work item,
cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ
still set and trip the workqueue warning reported by syzbot.
The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes
USB core free a smscore-owned buffer, and a work item can submit an URB
after usb_kill_urb() has already returned. If that submission fails, the
worker keeps ownership of the smscore buffer and the streaming pipeline
loses an URB.
Initialize each work item before any error path can tear down the device,
remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill
URBs again after canceling work so any URB submitted by an already-running
worker is completed before buffers and the device are freed. Return the
smscore buffer if URB submission fails.
During teardown, wake workers blocked in smscore_getbuffer() by adding an
abortable buffer wait. Then cancel work before returning any URB-owned
buffer to avoid racing with workers that are still using surb->cb.
Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam <rohithmatham@gmail.com>
---
Changes in v5:
- Replace the v4 early-buffer-return ordering with an abortable smscore
buffer wait so workers can exit before teardown returns surb->cb.
Changes in v4:
- During teardown, kill all URBs and return held buffers before canceling
workers so smscore_getbuffer() waiters can wake and exit.
Changes in v3:
- Initialize work items before early probe error paths can call teardown.
- Return the smscore buffer when URB submission fails.
- Wake buffer waiters after returning the buffer, and use wake_up().
Changes in v2:
- Initialize all work items before allocating URBs.
- Remove URB_FREE_BUFFER from smscore-owned buffers.
- Stop resubmission before teardown and kill URBs again after canceling work.
drivers/media/common/siano/smscoreapi.c | 14 ++++++-
drivers/media/common/siano/smscoreapi.h | 2 +
drivers/media/usb/siano/smsusb.c | 55 +++++++++++++++++++------
3 files changed, 58 insertions(+), 13 deletions(-)
diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
index 017629e3c..23be7347d 100644
--- a/drivers/media/common/siano/smscoreapi.c
+++ b/drivers/media/common/siano/smscoreapi.c
@@ -1644,6 +1644,18 @@ struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev)
}
EXPORT_SYMBOL_GPL(smscore_getbuffer);
+struct smscore_buffer_t *
+smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort)
+{
+ struct smscore_buffer_t *cb = NULL;
+
+ wait_event(coredev->buffer_mng_waitq,
+ READ_ONCE(*abort) || (cb = get_entry(coredev)));
+
+ return cb;
+}
+EXPORT_SYMBOL_GPL(smscore_getbuffer_abortable);
+
/*
* return buffer descriptor to a pool
*
@@ -1654,8 +1666,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer);
*/
void smscore_putbuffer(struct smscore_device_t *coredev,
struct smscore_buffer_t *cb) {
- wake_up_interruptible(&coredev->buffer_mng_waitq);
list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock);
+ wake_up(&coredev->buffer_mng_waitq);
}
EXPORT_SYMBOL_GPL(smscore_putbuffer);
diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h
index d945a2d6d..f8a9e6ef7 100644
--- a/drivers/media/common/siano/smscoreapi.h
+++ b/drivers/media/common/siano/smscoreapi.h
@@ -1117,6 +1117,8 @@ extern void smscore_onresponse(struct smscore_device_t *coredev,
extern
struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev);
+struct smscore_buffer_t *
+smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort);
extern void smscore_putbuffer(struct smscore_device_t *coredev,
struct smscore_buffer_t *cb);
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 0fdc2e095..565543dbd 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -58,6 +58,8 @@ struct smsusb_device_t {
unsigned char in_ep;
unsigned char out_ep;
enum smsusb_state state;
+ bool streaming;
+ bool stopping;
};
static int smsusb_submit_urb(struct smsusb_device_t *dev,
@@ -71,8 +73,14 @@ static void do_submit_urb(struct work_struct *work)
{
struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq);
struct smsusb_device_t *dev = surb->dev;
+ int rc;
- smsusb_submit_urb(dev, surb);
+ if (!READ_ONCE(dev->streaming))
+ return;
+
+ rc = smsusb_submit_urb(dev, surb);
+ if (rc < 0 && READ_ONCE(dev->streaming))
+ pr_err("smsusb_submit_urb(...) failed\n");
}
/*
@@ -143,19 +151,22 @@ static void smsusb_onresponse(struct urb *urb)
exit_and_resubmit:
- INIT_WORK(&surb->wq, do_submit_urb);
- schedule_work(&surb->wq);
+ if (READ_ONCE(dev->streaming))
+ schedule_work(&surb->wq);
}
static int smsusb_submit_urb(struct smsusb_device_t *dev,
struct smsusb_urb_t *surb)
{
+ int rc;
+
if (!surb->cb) {
/* This function can sleep */
- surb->cb = smscore_getbuffer(dev->coredev);
+ surb->cb = smscore_getbuffer_abortable(dev->coredev,
+ &dev->stopping);
if (!surb->cb) {
- pr_err("smscore_getbuffer(...) returned NULL\n");
- return -ENOMEM;
+ pr_debug("device is stopping\n");
+ return -ESHUTDOWN;
}
}
@@ -168,20 +179,33 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev,
smsusb_onresponse,
surb
);
- surb->urb->transfer_flags |= URB_FREE_BUFFER;
+ rc = usb_submit_urb(surb->urb, GFP_ATOMIC);
+ if (rc) {
+ smscore_putbuffer(dev->coredev, surb->cb);
+ surb->cb = NULL;
+ }
- return usb_submit_urb(surb->urb, GFP_ATOMIC);
+ return rc;
}
static void smsusb_stop_streaming(struct smsusb_device_t *dev)
{
int i;
- for (i = 0; i < MAX_URBS; i++) {
+ WRITE_ONCE(dev->streaming, false);
+ WRITE_ONCE(dev->stopping, true);
+ wake_up(&dev->coredev->buffer_mng_waitq);
+
+ for (i = 0; i < MAX_URBS; i++)
usb_kill_urb(dev->surbs[i].urb);
- if (dev->surbs[i].wq.func)
- cancel_work_sync(&dev->surbs[i].wq);
+ for (i = 0; i < MAX_URBS; i++)
+ cancel_work_sync(&dev->surbs[i].wq);
+
+ for (i = 0; i < MAX_URBS; i++)
+ usb_kill_urb(dev->surbs[i].urb);
+
+ for (i = 0; i < MAX_URBS; i++) {
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
dev->surbs[i].cb = NULL;
@@ -193,6 +217,9 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev)
{
int i, rc;
+ WRITE_ONCE(dev->stopping, false);
+ WRITE_ONCE(dev->streaming, true);
+
for (i = 0; i < MAX_URBS; i++) {
rc = smsusb_submit_urb(dev, &dev->surbs[i]);
if (rc < 0) {
@@ -401,6 +428,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
if (!dev)
return -ENOMEM;
+ for (i = 0; i < MAX_URBS; i++) {
+ dev->surbs[i].dev = dev;
+ INIT_WORK(&dev->surbs[i].wq, do_submit_urb);
+ }
+
memset(¶ms, 0, sizeof(params));
usb_set_intfdata(intf, dev);
dev->udev = interface_to_usbdev(intf);
@@ -467,7 +499,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
/* initialize urbs */
for (i = 0; i < MAX_URBS; i++) {
- dev->surbs[i].dev = dev;
dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL);
if (!dev->surbs[i].urb)
goto err_unregister_device;
--
2.54.0smsusb_onresponse() reinitializes the URB work item immediately before
scheduling it. If teardown races with a queued work item,
cancel_work_sync() can observe workqueue state with WORK_STRUCT_PWQ
still set and trip the workqueue warning reported by syzbot.
The teardown path also has related lifetime bugs. URB_FREE_BUFFER makes
USB core free a smscore-owned buffer, and a work item can submit an URB
after usb_kill_urb() has already returned. If that submission fails, the
worker keeps ownership of the smscore buffer and the streaming pipeline
loses an URB.
Initialize each work item before any error path can tear down the device,
remove URB_FREE_BUFFER, stop resubmission before killing URBs, and kill
URBs again after canceling work so any URB submitted by an already-running
worker is completed before buffers and the device are freed. Return the
smscore buffer if URB submission fails.
During teardown, wake workers blocked in smscore_getbuffer() by adding an
abortable buffer wait. Then cancel work before returning any URB-owned
buffer to avoid racing with workers that are still using surb->cb. Guard
the wakeup because early probe failure can call teardown before coredev is
registered.
Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Reported-by: syzbot+0d6ef2b7ceb6014d756c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0d6ef2b7ceb6014d756c
Signed-off-by: Rohith Matam <rohithmatham@gmail.com>
---
Changes in v6:
- Guard the buffer waitqueue wakeup for early probe failures before
coredev has been registered.
Changes in v5:
- Replace the v4 early-buffer-return ordering with an abortable smscore
buffer wait so workers can exit before teardown returns surb->cb.
Changes in v4:
- During teardown, kill all URBs and return held buffers before canceling
workers so smscore_getbuffer() waiters can wake and exit.
Changes in v3:
- Initialize work items before early probe error paths can call teardown.
- Return the smscore buffer when URB submission fails.
- Wake buffer waiters after returning the buffer, and use wake_up().
Changes in v2:
- Initialize all work items before allocating URBs.
- Remove URB_FREE_BUFFER from smscore-owned buffers.
- Stop resubmission before teardown and kill URBs again after canceling work.
drivers/media/common/siano/smscoreapi.c | 14 ++++++-
drivers/media/common/siano/smscoreapi.h | 2 +
drivers/media/usb/siano/smsusb.c | 56 +++++++++++++++++++------
3 files changed, 59 insertions(+), 13 deletions(-)
diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
index 017629e3c..23be7347d 100644
--- a/drivers/media/common/siano/smscoreapi.c
+++ b/drivers/media/common/siano/smscoreapi.c
@@ -1644,6 +1644,18 @@ struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev)
}
EXPORT_SYMBOL_GPL(smscore_getbuffer);
+struct smscore_buffer_t *
+smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort)
+{
+ struct smscore_buffer_t *cb = NULL;
+
+ wait_event(coredev->buffer_mng_waitq,
+ READ_ONCE(*abort) || (cb = get_entry(coredev)));
+
+ return cb;
+}
+EXPORT_SYMBOL_GPL(smscore_getbuffer_abortable);
+
/*
* return buffer descriptor to a pool
*
@@ -1654,8 +1666,8 @@ EXPORT_SYMBOL_GPL(smscore_getbuffer);
*/
void smscore_putbuffer(struct smscore_device_t *coredev,
struct smscore_buffer_t *cb) {
- wake_up_interruptible(&coredev->buffer_mng_waitq);
list_add_locked(&cb->entry, &coredev->buffers, &coredev->bufferslock);
+ wake_up(&coredev->buffer_mng_waitq);
}
EXPORT_SYMBOL_GPL(smscore_putbuffer);
diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h
index d945a2d6d..f8a9e6ef7 100644
--- a/drivers/media/common/siano/smscoreapi.h
+++ b/drivers/media/common/siano/smscoreapi.h
@@ -1117,6 +1117,8 @@ extern void smscore_onresponse(struct smscore_device_t *coredev,
extern
struct smscore_buffer_t *smscore_getbuffer(struct smscore_device_t *coredev);
+struct smscore_buffer_t *
+smscore_getbuffer_abortable(struct smscore_device_t *coredev, bool *abort);
extern void smscore_putbuffer(struct smscore_device_t *coredev,
struct smscore_buffer_t *cb);
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 0fdc2e095..98ae94e19 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -58,6 +58,8 @@ struct smsusb_device_t {
unsigned char in_ep;
unsigned char out_ep;
enum smsusb_state state;
+ bool streaming;
+ bool stopping;
};
static int smsusb_submit_urb(struct smsusb_device_t *dev,
@@ -71,8 +73,14 @@ static void do_submit_urb(struct work_struct *work)
{
struct smsusb_urb_t *surb = container_of(work, struct smsusb_urb_t, wq);
struct smsusb_device_t *dev = surb->dev;
+ int rc;
- smsusb_submit_urb(dev, surb);
+ if (!READ_ONCE(dev->streaming))
+ return;
+
+ rc = smsusb_submit_urb(dev, surb);
+ if (rc < 0 && READ_ONCE(dev->streaming))
+ pr_err("smsusb_submit_urb(...) failed\n");
}
/*
@@ -143,19 +151,22 @@ static void smsusb_onresponse(struct urb *urb)
exit_and_resubmit:
- INIT_WORK(&surb->wq, do_submit_urb);
- schedule_work(&surb->wq);
+ if (READ_ONCE(dev->streaming))
+ schedule_work(&surb->wq);
}
static int smsusb_submit_urb(struct smsusb_device_t *dev,
struct smsusb_urb_t *surb)
{
+ int rc;
+
if (!surb->cb) {
/* This function can sleep */
- surb->cb = smscore_getbuffer(dev->coredev);
+ surb->cb = smscore_getbuffer_abortable(dev->coredev,
+ &dev->stopping);
if (!surb->cb) {
- pr_err("smscore_getbuffer(...) returned NULL\n");
- return -ENOMEM;
+ pr_debug("device is stopping\n");
+ return -ESHUTDOWN;
}
}
@@ -168,20 +179,34 @@ static int smsusb_submit_urb(struct smsusb_device_t *dev,
smsusb_onresponse,
surb
);
- surb->urb->transfer_flags |= URB_FREE_BUFFER;
+ rc = usb_submit_urb(surb->urb, GFP_ATOMIC);
+ if (rc) {
+ smscore_putbuffer(dev->coredev, surb->cb);
+ surb->cb = NULL;
+ }
- return usb_submit_urb(surb->urb, GFP_ATOMIC);
+ return rc;
}
static void smsusb_stop_streaming(struct smsusb_device_t *dev)
{
int i;
- for (i = 0; i < MAX_URBS; i++) {
+ WRITE_ONCE(dev->streaming, false);
+ WRITE_ONCE(dev->stopping, true);
+ if (dev->coredev)
+ wake_up(&dev->coredev->buffer_mng_waitq);
+
+ for (i = 0; i < MAX_URBS; i++)
usb_kill_urb(dev->surbs[i].urb);
- if (dev->surbs[i].wq.func)
- cancel_work_sync(&dev->surbs[i].wq);
+ for (i = 0; i < MAX_URBS; i++)
+ cancel_work_sync(&dev->surbs[i].wq);
+
+ for (i = 0; i < MAX_URBS; i++)
+ usb_kill_urb(dev->surbs[i].urb);
+
+ for (i = 0; i < MAX_URBS; i++) {
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
dev->surbs[i].cb = NULL;
@@ -193,6 +218,9 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev)
{
int i, rc;
+ WRITE_ONCE(dev->stopping, false);
+ WRITE_ONCE(dev->streaming, true);
+
for (i = 0; i < MAX_URBS; i++) {
rc = smsusb_submit_urb(dev, &dev->surbs[i]);
if (rc < 0) {
@@ -401,6 +429,11 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
if (!dev)
return -ENOMEM;
+ for (i = 0; i < MAX_URBS; i++) {
+ dev->surbs[i].dev = dev;
+ INIT_WORK(&dev->surbs[i].wq, do_submit_urb);
+ }
+
memset(¶ms, 0, sizeof(params));
usb_set_intfdata(intf, dev);
dev->udev = interface_to_usbdev(intf);
@@ -467,7 +500,6 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
/* initialize urbs */
for (i = 0; i < MAX_URBS; i++) {
- dev->surbs[i].dev = dev;
dev->surbs[i].urb = usb_alloc_urb(0, GFP_KERNEL);
if (!dev->surbs[i].urb)
goto err_unregister_device;
--
2.54.0© 2016 - 2026 Red Hat, Inc.