Skip to content

Commit fdd1049

Browse files
xairygregkh
xairy
authored and
gregkh
committed
usb: raw-gadget: fix raw_event_queue_fetch locking
If queue->size check in raw_event_queue_fetch() fails (which normally shouldn't happen, that check is a fail-safe), the function returns without reenabling interrupts. This patch fixes that issue, along with propagating the cause of failure to the function caller. Fixes: f2c2e71 ("usb: gadget: add raw-gadget interface") Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Andrey Konovalov <[email protected]> Link: https://lore.kernel.org/r/9f7ce7a1472cfb9447f6c5a494186fa1f2670f6f.1586270396.git.andreyknvl@google.com Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 068fbff commit fdd1049

File tree

1 file changed

+20
-5
lines changed

1 file changed

+20
-5
lines changed

drivers/usb/gadget/legacy/raw_gadget.c

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,7 @@ static int raw_event_queue_add(struct raw_event_queue *queue,
8181
static struct usb_raw_event *raw_event_queue_fetch(
8282
struct raw_event_queue *queue)
8383
{
84+
int ret;
8485
unsigned long flags;
8586
struct usb_raw_event *event;
8687

@@ -89,11 +90,18 @@ static struct usb_raw_event *raw_event_queue_fetch(
8990
* there's at least one event queued by decrementing the semaphore,
9091
* and then take the lock to protect queue struct fields.
9192
*/
92-
if (down_interruptible(&queue->sema))
93-
return NULL;
93+
ret = down_interruptible(&queue->sema);
94+
if (ret)
95+
return ERR_PTR(ret);
9496
spin_lock_irqsave(&queue->lock, flags);
95-
if (WARN_ON(!queue->size))
96-
return NULL;
97+
/*
98+
* queue->size must have the same value as queue->sema counter (before
99+
* the down_interruptible() call above), so this check is a fail-safe.
100+
*/
101+
if (WARN_ON(!queue->size)) {
102+
spin_unlock_irqrestore(&queue->lock, flags);
103+
return ERR_PTR(-ENODEV);
104+
}
97105
event = queue->events[0];
98106
queue->size--;
99107
memmove(&queue->events[0], &queue->events[1],
@@ -522,10 +530,17 @@ static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
522530
spin_unlock_irqrestore(&dev->lock, flags);
523531

524532
event = raw_event_queue_fetch(&dev->queue);
525-
if (!event) {
533+
if (PTR_ERR(event) == -EINTR) {
526534
dev_dbg(&dev->gadget->dev, "event fetching interrupted\n");
527535
return -EINTR;
528536
}
537+
if (IS_ERR(event)) {
538+
dev_err(&dev->gadget->dev, "failed to fetch event\n");
539+
spin_lock_irqsave(&dev->lock, flags);
540+
dev->state = STATE_DEV_FAILED;
541+
spin_unlock_irqrestore(&dev->lock, flags);
542+
return -ENODEV;
543+
}
529544
length = min(arg.length, event->length);
530545
if (copy_to_user((void __user *)value, event, sizeof(*event) + length))
531546
return -EFAULT;

0 commit comments

Comments
 (0)