Am Freitag, den 18.10.2019, 07:53 -0700 schrieb syzbot: > Hello, > > syzbot found the following crash on: > > HEAD commit: 22be26f7 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5 > dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+9ca7a12fd736d93e0232@xxxxxxxxxxxxxxxxxxxxxxxxx #syz test: https://github.com/google/kasan.git 22be26f7 >From c322de1808b3f43b2248457281634c9d22500840 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@xxxxxxxx> Date: Mon, 18 Nov 2019 14:41:51 +0100 Subject: [PATCH] si470x: prevent resubmission Starting IO to a device is not necessarily a NOP in every error case. So we need to terminate all IO in every case of probe failure with absolute certainty. Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/media/radio/si470x/radio-si470x-usb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c index fedff68d8c49..07e9ddbb5937 100644 --- a/drivers/media/radio/si470x/radio-si470x-usb.c +++ b/drivers/media/radio/si470x/radio-si470x-usb.c @@ -734,7 +734,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf, /* start radio */ retval = si470x_start_usb(radio); if (retval < 0) - goto err_buf; + /* the urb may be running even after an error */ + goto err_all; /* set initial frequency */ si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */ @@ -749,7 +750,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf, return 0; err_all: - usb_kill_urb(radio->int_in_urb); + usb_poison_urb(radio->int_in_urb); err_buf: kfree(radio->buffer); err_ctrl: -- 2.16.4
