ep_write() acquires data->lock mutex in get_ready_ep() and releases it on
all paths except for one: when usb_endpoint_xfer_isoc() failed. The
patch adds mutex_unlock(&data->lock) at that path.
It is similar to commit 00cc7a5faf25b3ba5cf30fcffc62249bdd152006 for ep_read(),
it was not fixed at that time by accident.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/usb/gadget/inode.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index a01383f..a56876a 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -431,8 +431,10 @@ ep_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
/* halt any endpoint by doing a "wrong direction" i/o call */
if (!usb_endpoint_dir_in(&data->desc)) {
- if (usb_endpoint_xfer_isoc(&data->desc))
+ if (usb_endpoint_xfer_isoc(&data->desc)) {
+ mutex_unlock(&data->lock);
return -EINVAL;
+ }
DBG (data->dev, "%s halt\n", data->name);
spin_lock_irq (&data->dev->lock);
if (likely (data->ep != NULL))
--
1.7.4.1
Hello.
On 26-05-2011 10:32, Alexey Khoroshilov wrote:
> ep_write() acquires data->lock mutex in get_ready_ep() and releases it on
> all paths except for one: when usb_endpoint_xfer_isoc() failed. The
> patch adds mutex_unlock(&data->lock) at that path.
> It is similar to commit 00cc7a5faf25b3ba5cf30fcffc62249bdd152006 for ep_read(),
Please specify that commit's summary in parens.
> it was not fixed at that time by accident.
> Found by Linux Driver Verification project (linuxtesting.org).
> Signed-off-by: Alexey Khoroshilov<[email protected]>
WBR, Sergei
On 05/26/2011 01:59 PM, Sergei Shtylyov wrote:
>> It is similar to commit 00cc7a5faf25b3ba5cf30fcffc62249bdd152006 for
>> ep_read(),
>
> Please specify that commit's summary in parens.
Done. Thank you.
ep_write() acquires data->lock mutex in get_ready_ep() and releases it
on all paths except for one: when usb_endpoint_xfer_isoc() failed. The
patch adds mutex_unlock(&data->lock) at that path.
It is similar to commit 00cc7a5 ("usb-gadget: unlock data->lock mutex on error path in ep_read()"),
it was not fixed at that time by accident.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/usb/gadget/inode.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index a01383f..a56876a 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -431,8 +431,10 @@ ep_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
/* halt any endpoint by doing a "wrong direction" i/o call */
if (!usb_endpoint_dir_in(&data->desc)) {
- if (usb_endpoint_xfer_isoc(&data->desc))
+ if (usb_endpoint_xfer_isoc(&data->desc)) {
+ mutex_unlock(&data->lock);
return -EINVAL;
+ }
DBG (data->dev, "%s halt\n", data->name);
spin_lock_irq (&data->dev->lock);
if (likely (data->ep != NULL))
-- 1.7.4.1