Message ID | 20191121103710.28204-1-oneukum@suse.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | nfc: port100: handle command failure cleanly |
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 21 Nov 2019 11:37:10 +0100

> If starting the transfer of a command succeeds but the transfer for the reply
> fails, it is not enough to initiate killing the transfer for the
> command may still be running. You need to wait for the killing to finish
> before you can reuse URB and buffer.
>
> Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

Applied.
diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c index 145ddf3f0a45..604dba4f18af 100644 --- a/drivers/nfc/port100.c +++ b/drivers/nfc/port100.c @@ -783,7 +783,7 @@ static int port100_send_frame_async(struct port100 *dev, struct sk_buff *out, rc = port100_submit_urb_for_ack(dev, GFP_KERNEL); if (rc) - usb_unlink_urb(dev->out_urb); + usb_kill_urb(dev->out_urb); exit: mutex_unlock(&dev->out_urb_lock);
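Review bot: In the `if (rc)` branch of port100_send_frame_async(), usb_kill_urb(dev->out_urb) now blocks until the URB's completion handler has returned, and it does so while dev->out_urb_lock is still held (the mutex_unlock() only comes at `exit:`). Please confirm that the completion handler for out_urb never takes out_urb_lock, since that would deadlock on this path. The sleep itself is consistent with the GFP_KERNEL submission just above, so the context is fine. A one-line comment at the call stating that the synchronous kill is required before the URB and its buffer can be reused would keep a later cleanup from switching it back to usb_unlink_urb().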
If starting the transfer of a command succeeds but the transfer for the reply fails, it is not enough to initiate killing the transfer for the command may still be running. You need to wait for the killing to finish before you can reuse URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/nfc/port100.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)