| Message ID | 20210804145801.2762-1-paskripkin@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | input: cm109: fix URB submitted while active | expand |
On 8/4/21 5:58 PM, Pavel Skripkin wrote: > Syzbot reported, that dev->urb_ctl was submitted while active. The > problem was in missing validation check. We should check, that dev->urb_ctl > is not pending before sumbitting it again. > > Fail log: > > URB 00000000cfeee59c submitted while active > WARNING: CPU: 1 PID: 8459 at drivers/usb/core/urb.c:378 usb_submit_urb+0x1271/0x1540 drivers/usb/core/urb.c:378 > ... > Call Trace: > <IRQ> > cm109_urb_irq_callback+0x44f/0xaa0 drivers/input/misc/cm109.c:422 > __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1656 > usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1726 > > Reported-and-tested-by: syzbot+2d6d691af5ab4b7e66df@syzkaller.appspotmail.com > Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109 chipset") > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> > --- Gentle ping :) With regards, Pavel Skripkin > drivers/input/misc/cm109.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/input/misc/cm109.c b/drivers/input/misc/cm109.c > index f515fae465c3..60bddadbbe3a 100644 > --- a/drivers/input/misc/cm109.c > +++ b/drivers/input/misc/cm109.c > @@ -406,7 +406,7 @@ static void cm109_urb_irq_callback(struct urb *urb) > > dev->irq_urb_pending = 0; > > - if (likely(!dev->shutdown)) { > + if (likely(!dev->shutdown) && likely(!dev->ctl_urb_pending)) { > > if (dev->buzzer_state) > dev->ctl_data->byte[HID_OR0] |= BUZZER_ON; >
On 8/18/21 14:07, Pavel Skripkin wrote: > On 8/4/21 5:58 PM, Pavel Skripkin wrote: >> Syzbot reported, that dev->urb_ctl was submitted while active. The >> problem was in missing validation check. We should check, that dev->urb_ctl >> is not pending before sumbitting it again. >> >> Fail log: >> >> URB 00000000cfeee59c submitted while active >> WARNING: CPU: 1 PID: 8459 at drivers/usb/core/urb.c:378 usb_submit_urb+0x1271/0x1540 drivers/usb/core/urb.c:378 >> ... >> Call Trace: >> <IRQ> >> cm109_urb_irq_callback+0x44f/0xaa0 drivers/input/misc/cm109.c:422 >> __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1656 >> usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1726 >> >> Reported-and-tested-by: syzbot+2d6d691af5ab4b7e66df@syzkaller.appspotmail.com >> Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109 chipset") >> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> >> --- > > > Gentle ping :) > > Hi, Dmitry, did you have a chance to review this one? Thanks :) With regards, Pavel Skripkin
diff --git a/drivers/input/misc/cm109.c b/drivers/input/misc/cm109.c index f515fae465c3..60bddadbbe3a 100644 --- a/drivers/input/misc/cm109.c +++ b/drivers/input/misc/cm109.c @@ -406,7 +406,7 @@ static void cm109_urb_irq_callback(struct urb *urb) dev->irq_urb_pending = 0; - if (likely(!dev->shutdown)) { + if (likely(!dev->shutdown) && likely(!dev->ctl_urb_pending)) { if (dev->buzzer_state) dev->ctl_data->byte[HID_OR0] |= BUZZER_ON;
Syzbot reported, that dev->urb_ctl was submitted while active. The problem was in missing validation check. We should check, that dev->urb_ctl is not pending before sumbitting it again. Fail log: URB 00000000cfeee59c submitted while active WARNING: CPU: 1 PID: 8459 at drivers/usb/core/urb.c:378 usb_submit_urb+0x1271/0x1540 drivers/usb/core/urb.c:378 ... Call Trace: <IRQ> cm109_urb_irq_callback+0x44f/0xaa0 drivers/input/misc/cm109.c:422 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1656 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1726 Reported-and-tested-by: syzbot+2d6d691af5ab4b7e66df@syzkaller.appspotmail.com Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109 chipset") Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- drivers/input/misc/cm109.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)