In a multithreaded scenario an arbitrary number of threads can be in wdm_write() and in wdm_flush(). Hence whenever WDM_IN_USE is reset, all possible waiters need to be notified. This is true whether this is due to IO completing or to an error starting IO. Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/usb/class/cdc-wdm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index e3db6fbeadef..adb3fc307083 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -151,7 +151,7 @@ static void wdm_out_callback(struct urb *urb) kfree(desc->outbuf); desc->outbuf = NULL; clear_bit(WDM_IN_USE, &desc->flags); - wake_up(&desc->wait); + wake_up_all(&desc->wait); } static void wdm_in_callback(struct urb *urb) @@ -424,6 +424,7 @@ static ssize_t wdm_write if (rv < 0) { desc->outbuf = NULL; clear_bit(WDM_IN_USE, &desc->flags); + wake_up_all(&desc->wait); /* for flush() */ dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv); rv = usb_translate_errors(rv); goto out_free_mem_pm; @@ -586,6 +587,7 @@ static ssize_t wdm_read static int wdm_flush(struct file *file, fl_owner_t id) { struct wdm_device *desc = file->private_data; + int rv; wait_event(desc->wait, /* @@ -600,11 +602,12 @@ static int wdm_flush(struct file *file, fl_owner_t id) /* cannot dereference desc->intf if WDM_DISCONNECTING */ if (test_bit(WDM_DISCONNECTING, &desc->flags)) return -ENODEV; - if (desc->werr < 0) + rv = desc->werr; + if (rv < 0) dev_err(&desc->intf->dev, "Error in flush path: %d\n", - desc->werr); + rv); - return usb_translate_errors(desc->werr); + return usb_translate_errors(rv); } static __poll_t wdm_poll(struct file *file, struct poll_table_struct *wait) -- 2.16.4