proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2025-12-06 05:40:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

usb: raw-gadget: fix raw_event_queue_fetch locking

Browse Source 
If queue->size check in raw_event_queue_fetch() fails (which normally
shouldn't happen, that check is a fail-safe), the function returns
without reenabling interrupts. This patch fixes that issue, along with
propagating the cause of failure to the function caller.

Fixes: f2c2e71764 ("usb: gadget: add raw-gadget interface"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
This commit is contained in:
Andrey Konovalov 2020-04-07 16:47:54 +02:00 committed by Felipe Balbi
parent 12b94da411
commit 0666aa539e
1 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
drivers/usb/gadget/legacy/raw_gadget.c
View File

@ -81,6 +81,7 @@ static int raw_event_queue_add(struct raw_event_queue *queue,
static struct usb_raw_event *raw_event_queue_fetch( static struct usb_raw_event *raw_event_queue_fetch(
struct raw_event_queue *queue) struct raw_event_queue *queue)
{ {
int ret;
unsigned long flags; unsigned long flags;
struct usb_raw_event *event; struct usb_raw_event *event;
@ -89,11 +90,18 @@ static struct usb_raw_event *raw_event_queue_fetch(
* there's at least one event queued by decrementing the semaphore, * there's at least one event queued by decrementing the semaphore,
* and then take the lock to protect queue struct fields. * and then take the lock to protect queue struct fields.
*/ */
if (down_interruptible(&queue->sema)) ret = down_interruptible(&queue->sema);
return NULL; if (ret)
return ERR_PTR(ret);
spin_lock_irqsave(&queue->lock, flags); spin_lock_irqsave(&queue->lock, flags);
if (WARN_ON(!queue->size)) /*
return NULL; * queue->size must have the same value as queue->sema counter (before
* the down_interruptible() call above), so this check is a fail-safe.
*/
if (WARN_ON(!queue->size)) {
spin_unlock_irqrestore(&queue->lock, flags);
return ERR_PTR(-ENODEV);
}
event = queue->events[0]; event = queue->events[0];
queue->size--; queue->size--;
memmove(&queue->events[0], &queue->events[1], memmove(&queue->events[0], &queue->events[1],
@ -525,10 +533,17 @@ static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
spin_unlock_irqrestore(&dev->lock, flags); spin_unlock_irqrestore(&dev->lock, flags);
event = raw_event_queue_fetch(&dev->queue); event = raw_event_queue_fetch(&dev->queue);
if (!event) { if (PTR_ERR(event) == -EINTR) {
dev_dbg(&dev->gadget->dev, "event fetching interrupted\n"); dev_dbg(&dev->gadget->dev, "event fetching interrupted\n");
return -EINTR; return -EINTR;
} }
if (IS_ERR(event)) {
dev_err(&dev->gadget->dev, "failed to fetch event\n");
spin_lock_irqsave(&dev->lock, flags);
dev->state = STATE_DEV_FAILED;
spin_unlock_irqrestore(&dev->lock, flags);
return -ENODEV;
}
length = min(arg.length, event->length); length = min(arg.length, event->length);
ret = copy_to_user((void __user *)value, event, ret = copy_to_user((void __user *)value, event,
sizeof(*event) + length); sizeof(*event) + length);