r8a66597_irq() processes sudmac part (r8a66597_sudmac_irq()) before locking r8a66597->lock.
But transfer_complete(), that is called inside (r8a66597_sudmac_irq()->sudmac_finish()->transfer_complete()),
expects r8a66597->lock is locked. As a result unheld spinlock can be unlocked.

The patch just moves locking before calling r8a66597_sudmac_irq().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/usb/gadget/r8a66597-udc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/r8a66597-udc.c b/drivers/usb/gadget/r8a66597-udc.c
index 7ff7d9c..2dd213c 100644
--- a/drivers/usb/gadget/r8a66597-udc.c
+++ b/drivers/usb/gadget/r8a66597-udc.c
@@ -1469,11 +1469,11 @@ static irqreturn_t r8a66597_irq(int irq, void *_r8a66597)
u16 savepipe;
u16 mask0;
+ spin_lock(&r8a66597->lock);
+
if (r8a66597_is_sudmac(r8a66597))
r8a66597_sudmac_irq(r8a66597);
- spin_lock(&r8a66597->lock);
-
intsts0 = r8a66597_read(r8a66597, INTSTS0);
intenb0 = r8a66597_read(r8a66597, INTENB0);
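Review bot: with spin_lock() moved above the `if (r8a66597_is_sudmac(r8a66597))` check, r8a66597_sudmac_irq() now runs entirely under r8a66597->lock, and the changelog does not say whether anything else on that path takes the lock itself; a nested spin_lock() there would self-deadlock on SMP, so please confirm that in the commit message. It would also help to record the locking contract where it is relied on, for example a comment or lockdep_assert_held(&r8a66597->lock) at transfer_complete(), so this ordering is not reversed again later.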
--
1.7.9.5
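An added illustration (not code from the patch or the driver): a user-space C model of the lock ordering the commit message describes, run with the old and the new ordering. The `model_*` names, the tracked lock, and the assumption that the completion helper drops and retakes the lock are hypothetical stand-ins for the driver code.

```c
#include <stdio.h>

/* Constructed model: a lock that records misuse instead of spinning. */
struct model_lock { int held; int bad_unlocks; int bad_locks; };

static void model_acquire(struct model_lock *l)
{
    if (l->held)
        l->bad_locks++;     /* a real spinlock would spin on itself here */
    l->held = 1;
}

static void model_release(struct model_lock *l)
{
    if (!l->held)
        l->bad_unlocks++;   /* unlock of a lock nobody holds */
    l->held = 0;
}

/* Assumed helper shape: expects the caller's lock, drops it around the
 * completion callback and retakes it before returning. */
static void model_transfer_complete(struct model_lock *l)
{
    model_release(l);
    /* completion callback would run here, without the lock */
    model_acquire(l);
}

/* Models the irq handler; lock_first == 0 is the ordering before the patch. */
struct model_lock run_irq(int lock_first)
{
    struct model_lock l = {0, 0, 0};
    if (lock_first)
        model_acquire(&l);
    model_transfer_complete(&l);    /* stands in for the sudmac irq path */
    if (!lock_first)
        model_acquire(&l);
    model_release(&l);
    return l;
}

int main(void)
{
    struct model_lock before = run_irq(0), after = run_irq(1);
    printf("before: bad_unlocks=%d bad_locks=%d\n", before.bad_unlocks, before.bad_locks);
    printf("after:  bad_unlocks=%d bad_locks=%d\n", after.bad_unlocks, after.bad_locks);
    return 0;
}
```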
Hi,
On Thu, May 30, 2013 at 12:51:37AM +0400, Alexey Khoroshilov wrote:
> r8a66597_irq() processes sudmac part (r8a66597_sudmac_irq()) before locking r8a66597->lock.
> But transfer_complete(), that is called inside (r8a66597_sudmac_irq()->sudmac_finish()->transfer_complete()),
> expects r8a66597->lock is locked. As a result unheld spinlock can be unlocked.
>
> The patch just moves locking before calling r8a66597_sudmac_irq().
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
should this go to stable ? Looks like this bug has been there since
2.6.32.
--
balbi
Hi,
(2013/05/30 8:58), Felipe Balbi wrote:
> Hi,
>
> On Thu, May 30, 2013 at 12:51:37AM +0400, Alexey Khoroshilov wrote:
>> r8a66597_irq() processes sudmac part (r8a66597_sudmac_irq()) before locking r8a66597->lock.
>> But transfer_complete(), that is called inside (r8a66597_sudmac_irq()->sudmac_finish()->transfer_complete()),
>> expects r8a66597->lock is locked. As a result unheld spinlock can be unlocked.
>>
>> The patch just moves locking before calling r8a66597_sudmac_irq().
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <[email protected]>
>
> should this go to stable ? Looks like this bug has been there since
> 2.6.32.
>
Because non SMP CPUs have sudmac for now, this may not go to stable, I think.
Best regards,
Yoshihiro Shimoda