Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's PVRUSB2 media driver, specifically in the function 'pvr2_send_request_ex'. When this function successfully submits a write USB Request Block (URB) but fails to submit the corresponding read URB—such as when it returns an 'out of memory' error—it immediately exits without waiting for the write URB to finish. This behavior can lead to a URB leak, as the driver reuses the same URB structure. Consequently, a later call to 'pvr2_send_request_ex' may try to submit a write URB that is still active, causing a warning about a 'URB submitted while active' in 'usb_submit_urb'. The vulnerability arises because the driver does not properly manage the lifecycle of the URBs when an error occurs during the read URB submission.
The vulnerability can cause a URB leak, where USB request blocks are not properly completed before being reused, leading to potential instability or unexpected behavior in the driver.
To reproduce this vulnerability, call the 'pvr2_send_request_ex' function and ensure that it successfully submits a write URB but fails to submit the read URB, such as by causing the function to return an 'out of memory' error. The function will then return immediately without waiting for the write URB to complete, creating a situation where the same URB structure is reused without proper management, and the still-active write URB submission triggers a warning about URB management.
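The error path described above, as an added user-space model that is not the PVRUSB2 driver source or the upstream patch. All names are hypothetical, the read-submit failure is a constructed fault, and returning -EBUSY stands in for the 'URB submitted while active' refusal in 'usb_submit_urb'.

```c
/* User-space model of the URB lifecycle (added example, not kernel code).
 * All names are hypothetical; only the ordering of submit/complete is modelled. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_urb { bool active; };             /* stands in for struct urb */
struct model_dev {
    struct model_urb write_urb, read_urb;      /* reused by every request */
    bool fail_read_submit;                     /* constructed fault: -ENOMEM */
    int  active_resubmits;                     /* "submitted while active" events */
};

/* Models usb_submit_urb(): a URB still in flight is refused and counted. */
static int model_submit(struct model_dev *d, struct model_urb *u) {
    if (u->active) { d->active_resubmits++; return -EBUSY; }
    u->active = true;
    return 0;
}
/* Models cancelling or completing a URB so the structure is idle again. */
static void model_quiesce(struct model_urb *u) { u->active = false; }

/* quiesce_on_error == false reproduces the early return described above. */
int send_request(struct model_dev *d, bool quiesce_on_error) {
    int rc = model_submit(d, &d->write_urb);
    if (rc) return rc;
    rc = d->fail_read_submit ? -ENOMEM : model_submit(d, &d->read_urb);
    if (rc) {
        if (quiesce_on_error) model_quiesce(&d->write_urb);
        return rc;                             /* otherwise write URB stays active */
    }
    model_quiesce(&d->write_urb);              /* normal path: both URBs complete */
    model_quiesce(&d->read_urb);
    return 0;
}

/* One failed request followed by a normal one; returns active resubmits seen. */
int resubmits_after_failed_read(bool quiesce_on_error) {
    struct model_dev d = {0};
    d.fail_read_submit = true;
    send_request(&d, quiesce_on_error);        /* returns -ENOMEM */
    d.fail_read_submit = false;
    send_request(&d, quiesce_on_error);
    return d.active_resubmits;
}
int main(void) {
    printf("early return: %d, quiesce first: %d\n",
           resubmits_after_failed_read(false), resubmits_after_failed_read(true));
    return 0;
}
```

The count of active resubmits is the model's equivalent of the kernel warning: it is nonzero only when the error path returns while the write URB is still in flight.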
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.