usb: usbtmc: Flush anchored URBs in usbtmc_release

commit 8a768552f7a8276fb9e01d49773d2094ace7c8f1 upstream. When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed. Fixes: 4f3c8d6eddc2 ("usb: usbtmc: Support Read Status Byte with SRQ per file") Reported-by: syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f Cc: stable <stable@kernel.org> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Link: https://patch.msgid.link/20260312-usbtmc-flush-release-v1-1-5755e9f4336f@igalia.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Heitor Alves de Siqueira <halves@igalia.com> 2026-03-12 09:27:28 -0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-11 14:29:49 +0200
commit: d40198de50232e04c14c6e2092e896766c95ea48 (patch)
tree: 3711cd29eb38a6d784990ae6a96360d093be3def
parent: a6e5461f076c2ef63159f18e5cdbd30b50f0bc15 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 4cee3fa74e0d..2aa964dbb353 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -254,6 +254,9 @@ static int usbtmc_release(struct inode *inode, struct file *file)
 	list_del(&file_data->file_elem);
 
 	spin_unlock_irq(&file_data->data->dev_lock);
+
+	/* flush anchored URBs */
+	usbtmc_draw_down(file_data);
 	mutex_unlock(&file_data->data->io_mutex);
 
 	kref_put(&file_data->data->kref, usbtmc_delete);
author	Heitor Alves de Siqueira <halves@igalia.com>	2026-03-12 09:27:28 -0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-04-11 14:29:49 +0200
commit	d40198de50232e04c14c6e2092e896766c95ea48 (patch)
tree	3711cd29eb38a6d784990ae6a96360d093be3def
parent	a6e5461f076c2ef63159f18e5cdbd30b50f0bc15 (diff)