On Tue, Jan 24, 2023 at 02:41:49PM +0530, Udipto Goswami wrote: > __ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock > and unlocks it after the assignments to usb_request are done. > However in the code if the request is already NULL we bail out returning > -EINVAL but never unlocked the spinlock. > > Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning. > > Fixes: 6a19da111057("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") > Signed-off-by: Udipto Goswami <quic_ugoswami@xxxxxxxxxxx> Reviewed-by: John Keeping <john@xxxxxxxxxxxx> > --- > drivers/usb/gadget/function/f_fs.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 523a961b910b..8ad354741380 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -279,8 +279,10 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) > struct usb_request *req = ffs->ep0req; > int ret; > > - if (!req) > + if (!req) { > + spin_unlock_irq(&ffs->ev.waitq.lock); > return -EINVAL; > + } > > req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); > > -- > 2.17.1 >
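Review bot: the spin_unlock_irq() added in the `if (!req)` branch is correct only because __ffs_ep0_queue_wait() is entered with ffs->ev.waitq.lock held and is expected to drop the lock itself before returning, and that contract is not stated anywhere in the hunk; please add a comment above the function (or at this early return), e.g. `/* Called with ffs->ev.waitq.lock held; drops it before returning. */`, so the next early-return path does not repeat the same leak, and consider whether the `ffs->ep0req` NULL check could instead live in the caller before the lock is taken, which would remove the need for the callee to unlock on the error path at all. Nit on the changelog: the Fixes: tag is missing the space between the hash and the quoted subject (`Fixes: 6a19da111057 ("usb: gadget: f_fs: ...")`).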