Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 86f8ef2c authored by Tilman Schmidt's avatar Tilman Schmidt Committed by David S. Miller
Browse files

isdn/gigaset: fix usb_gigaset write_cmd result race 



In usb_gigaset function gigaset_write_cmd(), the length field of
the command buffer structure could be cleared by the transmit
tasklet before it was used for the function's return value.
Fix by copying to a local variable before scheduling the tasklet.

Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 340184b3

drivers/isdn/gigaset/usb-gigaset.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -497,6 +497,7 @@ static int send_cb(struct cardstate *cs, struct cmdbuf_t *cb) 
static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb)

static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb)

{

{

	unsigned long flags;

	unsigned long flags;

	int len;





	gigaset_dbg_buffer(cs->mstate != MS_LOCKED ?

	gigaset_dbg_buffer(cs->mstate != MS_LOCKED ?

			   DEBUG_TRANSCMD : DEBUG_LOCKCMD,

			   DEBUG_TRANSCMD : DEBUG_LOCKCMD,
@@ -515,10 +516,11 @@ static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb) 
	spin_unlock_irqrestore(&cs->cmdlock, flags);

	spin_unlock_irqrestore(&cs->cmdlock, flags);





	spin_lock_irqsave(&cs->lock, flags);

	spin_lock_irqsave(&cs->lock, flags);

	len = cb->len;

	if (cs->connected)

	if (cs->connected)

		tasklet_schedule(&cs->write_tasklet);

		tasklet_schedule(&cs->write_tasklet);

	spin_unlock_irqrestore(&cs->lock, flags);

	spin_unlock_irqrestore(&cs->lock, flags);

	return cb->len;

	return len;

}

}





static int gigaset_write_room(struct cardstate *cs)

static int gigaset_write_room(struct cardstate *cs)