Commit 8a768552 authored Mar 12, 2026 by Heitor Alves de Siqueira Committed by Greg Kroah-Hartman Mar 18, 2026

usb: usbtmc: Flush anchored URBs in usbtmc_release

When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.

Fixes: 4f3c8d6e ("usb: usbtmc: Support Read Status Byte with SRQ per file")
Reported-by: <syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f

Cc: stable <stable@kernel.org>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260312-usbtmc-flush-release-v1-1-5755e9f4336f@igalia.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent e1eabb07

drivers/usb/class/usbtmc.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -254,6 +254,9 @@ static int usbtmc_release(struct inode inode, struct file file)
		list_del(&file_data->file_elem);

		spin_unlock_irq(&file_data->data->dev_lock);

		/* flush anchored URBs */
		usbtmc_draw_down(file_data);
		mutex_unlock(&file_data->data->io_mutex);

		kref_put(&file_data->data->kref, usbtmc_delete);