Message ID | 20230124091149.18647-1-quic_ugoswami@quicinc.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 921deb9da15851425ccbb6ee409dc2fd8fbdfe6b |
Series | usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait |
On Tue, Jan 24, 2023 at 02:41:49PM +0530, Udipto Goswami wrote: > __ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock > and unlocks it after the assignments to usb_request are done. > However in the code if the request is already NULL we bail out returning > -EINVAL but never unlocked the spinlock. > > Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning. > > Fixes: 6a19da111057("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") > Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com> Reviewed-by: John Keeping <john@metanate.com> > --- > drivers/usb/gadget/function/f_fs.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 523a961b910b..8ad354741380 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -279,8 +279,10 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) > struct usb_request *req = ffs->ep0req; > int ret; > > - if (!req) > + if (!req) { > + spin_unlock_irq(&ffs->ev.waitq.lock); > return -EINVAL; > + } > > req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); > > -- > 2.17.1 >
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 523a961b910b..8ad354741380 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -279,8 +279,10 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) struct usb_request *req = ffs->ep0req; int ret; - if (!req) + if (!req) { + spin_unlock_irq(&ffs->ev.waitq.lock); return -EINVAL; + } req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
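Review bot: The new `if (!req) { ... }` branch is now a second place in `__ffs_ep0_queue_wait` that drops `ffs->ev.waitq.lock`, and nothing at the branch says that the function is entered with that lock held and has to release it on every return path, error paths included. A one-line comment above the `spin_unlock_irq(&ffs->ev.waitq.lock);` call stating that contract would help keep a later early return from reintroducing the imbalance. Because the unlock is the `_irq` variant, the path this replaces returned `-EINVAL` with the lock still held and, assuming the caller took it with `spin_lock_irq`, with local interrupts still disabled; the commit message would be stronger if it named that consequence. Style: the `Fixes:` tag has no space between the hash and the opening parenthesis, where the usual form is `Fixes: 6a19da111057 ("...")`.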
__ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock
and unlocks it after the assignments to usb_request are done.
However in the code if the request is already NULL we bail out returning
-EINVAL but never unlocked the spinlock.

Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning.

Fixes: 6a19da111057("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
---
 drivers/usb/gadget/function/f_fs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)