Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
usb: image: mdc800: kill download URB on timeout
mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb():
“URB submitted while active”
Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 (“USB: yurex: fix control-URB timeout handling”)
- commit b98d5000c505 (“media: rc: iguanair: handle timeouts”)
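The timeout path described above, as an added userspace model (not kernel code and not taken from the patch). `struct model_urb` and the `model_*` functions are hypothetical stand-ins for the URB, `usb_submit_urb()`, `wait_event_timeout()` and `usb_kill_urb()`; the `-EIO` return on a non-zero status is an assumption of the model.

```c
/* Userspace model of the URB lifecycle, not kernel code; all names are hypothetical. */
#include <errno.h>
#include <stdbool.h>

struct model_urb { bool active; int status; };

/* Like usb_submit_urb(): an URB that is still in flight is rejected. */
static int model_submit(struct model_urb *u)
{
    if (u->active)
        return -EBUSY;          /* kernel also WARNs "URB submitted while active" */
    u->active = true;
    u->status = -EINPROGRESS;
    return 0;
}

/* Like wait_event_timeout(): 0 means the timeout fired, >0 means completed. */
static long model_wait(struct model_urb *u, bool device_responds)
{
    if (!device_responds)
        return 0;
    u->active = false;
    u->status = 0;
    return 1;
}

/* Like usb_kill_urb(): on return the URB is no longer in flight. */
static void model_kill(struct model_urb *u)
{
    if (u->active) { u->active = false; u->status = -ENOENT; }
}

/* fixed=false: wait result ignored (pre-fix). fixed=true: kill on timeout. */
static int model_read(struct model_urb *u, bool device_responds, bool fixed)
{
    int ret = model_submit(u);
    if (ret)
        return ret;
    if (!model_wait(u, device_responds) && fixed)
        model_kill(u);
    return u->status ? -EIO : 0;
}

int main(void)
{
    struct model_urb u = {0};
    model_read(&u, false, false);               /* device silent: timeout */
    return model_read(&u, true, false) == -EBUSY ? 0 : 1;
}
```

In the model, the pre-fix path leaves the URB active after a timeout, so the next read fails at submission; with the kill on timeout, the next read submits cleanly.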
Details
- Affected product:
- AlmaLinux 9.2 ESU, CentOS 6 ELS, CentOS 7 ELS, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, CloudLinux 7 ELS, Oracle Linux 6 ELS, Oracle Linux 7 ELS, RHEL 7 ELS, TuxCare 9.6 ESU, Ubuntu 16.04 ELS, Ubuntu 18.04 ELS, Ubuntu 20.04 ELS
- Affected packages:
- linux @ 5.4.0 (+15 more)