| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260105040710.1965-1-hdanton@sina.com>
Date: Mon, 5 Jan 2026 12:07:08 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+e69c25cf38a53d0cf64c@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [usb?] BUG: corrupted list in usb_hcd_link_urb_to_ep (5)
> Date: Sat, 03 Jan 2026 23:03:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: aacb0a6d604a Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16578f92580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
> dashboard link: https://syzkaller.appspot.com/bug?extid=e69c25cf38a53d0cf64c
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1627369a580000
#syz test
--- x/drivers/input/misc/cm109.c
+++ y/drivers/input/misc/cm109.c
@@ -562,15 +562,18 @@ static int cm109_input_open(struct input
dev->ctl_data->byte[HID_OR2] = dev->keybit;
dev->ctl_data->byte[HID_OR3] = 0x00;
+ spin_lock_irq(&dev->ctl_submit_lock);
dev->ctl_urb_pending = 1;
- error = usb_submit_urb(dev->urb_ctl, GFP_KERNEL);
+ error = usb_submit_urb(dev->urb_ctl, GFP_ATOMIC);
if (!error) {
dev->open = 1;
+ spin_unlock_irq(&dev->ctl_submit_lock);
return 0;
}
+ dev->ctl_urb_pending = 0;
+ spin_unlock_irq(&dev->ctl_submit_lock);
}
- dev->ctl_urb_pending = 0;
usb_autopm_put_interface(dev->intf);
dev_err(&dev->intf->dev, "%s: usb_submit_urb (urb_ctl) failed %d\n",
--
Powered by blists - more mailing lists