Message ID | Y+4ehE7/GgnRZuo0@kili (mailing list archive) |
---|---|
State | New, archived |
Series | usb: gadget: uvc: unlock on an error paths | expand |
Thanks Dan. This one was tackled by Yang already actually: https://lore.kernel.org/linux-usb/20230213070926.776447-1-yangyingliang@huawei.com/
On 16/02/2023 12:16, Dan Carpenter wrote:
> This code accidentally returns without dropping the "su_mutex" if
> kstrtou8() fails. It's probably better to just do the kstrtou8() before
> taking the lock.
>
> Fixes: b3c839bd8a07 ("usb: gadget: uvc: Make bSourceID read/write")
> Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> drivers/usb/gadget/function/uvc_configfs.c | 31 +++++++++++-----------
> 1 file changed, 16 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/uvc_configfs.c b/drivers/usb/gadget/function/uvc_configfs.c
> index 18c6a1461b7e..a59c1a95bfcd 100644
> --- a/drivers/usb/gadget/function/uvc_configfs.c
> +++ b/drivers/usb/gadget/function/uvc_configfs.c
> @@ -590,6 +590,10 @@ static ssize_t uvcg_default_output_b_source_id_store(struct config_item *item,
> int result;
> u8 num;
>
> + result = kstrtou8(page, 0, &num);
> + if (result)
> + return result;
> +
> mutex_lock(su_mutex); /* for navigating configfs hierarchy */
>
> opts_item = group->cg_item.ci_parent->ci_parent->
> @@ -597,10 +601,6 @@ static ssize_t uvcg_default_output_b_source_id_store(struct config_item *item,
> opts = to_f_uvc_opts(opts_item);
> cd = &opts->uvc_output_terminal;
>
> - result = kstrtou8(page, 0, &num);
> - if (result)
> - return result;
> -
> mutex_lock(&opts->lock);
> cd->bSourceID = num;
> mutex_unlock(&opts->lock);
> @@ -707,15 +707,15 @@ static ssize_t uvcg_extension_b_num_controls_store(struct config_item *item,
> int ret;
> u8 num;
>
> + ret = kstrtou8(page, 0, &num);
> + if (ret)
> + return ret;
> +
> mutex_lock(su_mutex);
>
> opts_item = item->ci_parent->ci_parent->ci_parent;
> opts = to_f_uvc_opts(opts_item);
>
> - ret = kstrtou8(page, 0, &num);
> - if (ret)
> - return ret;
> -
> mutex_lock(&opts->lock);
> xu->desc.bNumControls = num;
> mutex_unlock(&opts->lock);
> @@ -742,14 +742,15 @@ static ssize_t uvcg_extension_b_nr_in_pins_store(struct config_item *item,
> int ret;
> u8 num;
>
> + ret = kstrtou8(page, 0, &num);
> + if (ret)
> + return ret;
> +
> mutex_lock(su_mutex);
>
> opts_item = item->ci_parent->ci_parent->ci_parent;
> opts = to_f_uvc_opts(opts_item);
>
> - ret = kstrtou8(page, 0, &num);
> - if (ret)
> - return ret;
>
> mutex_lock(&opts->lock);
>
> @@ -795,15 +796,15 @@ static ssize_t uvcg_extension_b_control_size_store(struct config_item *item,
> int ret;
> u8 num;
>
> + ret = kstrtou8(page, 0, &num);
> + if (ret)
> + return ret;
> +
> mutex_lock(su_mutex);
>
> opts_item = item->ci_parent->ci_parent->ci_parent;
> opts = to_f_uvc_opts(opts_item);
>
> - ret = kstrtou8(page, 0, &num);
> - if (ret)
> - return ret;
> -
> mutex_lock(&opts->lock);
>
> if (num == xu->desc.bControlSize) {
diff --git a/drivers/usb/gadget/function/uvc_configfs.c b/drivers/usb/gadget/function/uvc_configfs.c
index 18c6a1461b7e..a59c1a95bfcd 100644
--- a/drivers/usb/gadget/function/uvc_configfs.c
+++ b/drivers/usb/gadget/function/uvc_configfs.c
@@ -590,6 +590,10 @@ static ssize_t uvcg_default_output_b_source_id_store(struct config_item *item,
 int result;
 u8 num;
 
+ result = kstrtou8(page, 0, &num);
+ if (result)
+ return result;
+
 mutex_lock(su_mutex); /* for navigating configfs hierarchy */
 
 opts_item = group->cg_item.ci_parent->ci_parent->
@@ -597,10 +601,6 @@ static ssize_t uvcg_default_output_b_source_id_store(struct config_item *item,
 opts = to_f_uvc_opts(opts_item);
 cd = &opts->uvc_output_terminal;
 
- result = kstrtou8(page, 0, &num);
- if (result)
- return result;
-
 mutex_lock(&opts->lock);
 cd->bSourceID = num;
 mutex_unlock(&opts->lock);
@@ -707,15 +707,15 @@ static ssize_t uvcg_extension_b_num_controls_store(struct config_item *item,
 int ret;
 u8 num;
 
+ ret = kstrtou8(page, 0, &num);
+ if (ret)
+ return ret;
+
 mutex_lock(su_mutex);
 
 opts_item = item->ci_parent->ci_parent->ci_parent;
 opts = to_f_uvc_opts(opts_item);
 
- ret = kstrtou8(page, 0, &num);
- if (ret)
- return ret;
-
 mutex_lock(&opts->lock);
 xu->desc.bNumControls = num;
 mutex_unlock(&opts->lock);
@@ -742,14 +742,15 @@ static ssize_t uvcg_extension_b_nr_in_pins_store(struct config_item *item,
 int ret;
 u8 num;
 
+ ret = kstrtou8(page, 0, &num);
+ if (ret)
+ return ret;
+
 mutex_lock(su_mutex);
 
 opts_item = item->ci_parent->ci_parent->ci_parent;
 opts = to_f_uvc_opts(opts_item);
 
- ret = kstrtou8(page, 0, &num);
- if (ret)
- return ret;
 
 mutex_lock(&opts->lock);
 
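Review bot: Nothing in the new code records why `kstrtou8()` now sits above `mutex_lock(su_mutex)` in uvcg_default_output_b_source_id_store, so a later edit could move a failing call back under the lock and reintroduce the leaked mutex on malformed configfs input. I would add a one-line comment above the parse, e.g. `/* Parse before taking su_mutex so the error return needs no unlock. */`. The same applies to the parse blocks added in the @@ -707, @@ -742 and @@ -795 hunks. All four function bodies continue outside their hunks, so any other early return between lock and unlock is not visible here and is worth checking.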
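Review bot: The @@ -742 hunk leaves two consecutive blank lines before `mutex_lock(&opts->lock);` in uvcg_extension_b_nr_in_pins_store. The blank line that followed the removed `return ret;` is kept as context here, which is why this hunk grows from 14 to 15 lines while the @@ -707 and @@ -795 hunks stay at 15. Removing that blank line too, as the other stores do, avoids the multiple-blank-lines complaint from `checkpatch --strict`. The function body continues past the end of the hunk.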
@@ -795,15 +796,15 @@ static ssize_t uvcg_extension_b_control_size_store(struct config_item *item,
 int ret;
 u8 num;
 
+ ret = kstrtou8(page, 0, &num);
+ if (ret)
+ return ret;
+
 mutex_lock(su_mutex);
 
 opts_item = item->ci_parent->ci_parent->ci_parent;
 opts = to_f_uvc_opts(opts_item);
 
- ret = kstrtou8(page, 0, &num);
- if (ret)
- return ret;
-
 mutex_lock(&opts->lock);
 
 if (num == xu->desc.bControlSize) {
This code accidentally returns without dropping the "su_mutex" if
kstrtou8() fails. It's probably better to just do the kstrtou8() before
taking the lock.

Fixes: b3c839bd8a07 ("usb: gadget: uvc: Make bSourceID read/write")
Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
 drivers/usb/gadget/function/uvc_configfs.c | 31 +++++++++++-----------
 1 file changed, 16 insertions(+), 15 deletions(-)