Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2389df45 authored by Alexey Khoroshilov's avatar Alexey Khoroshilov Committed by Felipe Balbi
Browse files

usb: gadget: mv_u3d_core: fix violation of locking discipline in mv_u3d_ep_disable() 



mv_u3d_nuke() expects to be calles with ep->u3d->lock held,
because mv_u3d_done() does. But mv_u3d_ep_disable() calls it
without lock that can lead to unpleasant consequences.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
parent 272b98c6

drivers/usb/gadget/mv_u3d_core.c

+3 −0
Original line number Diff line number Diff line
@@ -645,6 +645,7 @@ static int mv_u3d_ep_disable(struct usb_ep *_ep) 
	struct mv_u3d_ep *ep;

	struct mv_u3d_ep_context *ep_context;

	u32 epxcr, direction;

	unsigned long flags;



	if (!_ep)

		return -EINVAL;
@@ -661,7 +662,9 @@ static int mv_u3d_ep_disable(struct usb_ep *_ep) 
	direction = mv_u3d_ep_dir(ep);



	/* nuke all pending requests (does flush) */

	spin_lock_irqsave(&u3d->lock, flags);

	mv_u3d_nuke(ep, -ESHUTDOWN);

	spin_unlock_irqrestore(&u3d->lock, flags);



	/* Disable the endpoint for Rx or Tx and reset the endpoint type */

	if (direction == MV_U3D_EP_DIR_OUT) {