Oliver Neukum <oliver@xxxxxxxxxx> writes:
> Please try this patch.
>
> Regards
> Oliver
>
> diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
> index c6f6560..0bb2b32 100644
> --- a/drivers/usb/class/cdc-wdm.c
> +++ b/drivers/usb/class/cdc-wdm.c
> @@ -157,8 +157,9 @@ static void wdm_out_callback(struct urb *urb)
> spin_lock(&desc->iuspin);
> desc->werr = urb->status;
> spin_unlock(&desc->iuspin);
> - clear_bit(WDM_IN_USE, &desc->flags);
> kfree(desc->outbuf);
> + desc->outbuf = NULL;
> + clear_bit(WDM_IN_USE, &desc->flags);
> wake_up(&desc->wait);
> }
>
> @@ -338,7 +339,7 @@ static ssize_t wdm_write
> if (we < 0)
> return -EIO;
>
> - desc->outbuf = buf = kmalloc(count, GFP_KERNEL);
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> rv = -ENOMEM;
> goto outnl;
> @@ -406,10 +407,12 @@ static ssize_t wdm_write
> req->wIndex = desc->inum;
> req->wLength = cpu_to_le16(count);
> set_bit(WDM_IN_USE, &desc->flags);
> + desc->outbuf = buf;
>
> rv = usb_submit_urb(desc->command, GFP_KERNEL);
> if (rv < 0) {
> kfree(buf);
> + desc->outbuf = NULL;
> clear_bit(WDM_IN_USE, &desc->flags);
> dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
> } else {
Looks good! Thanks a lot for figuring that out. I was staring myself
blind at this. Yes, it looks very obvious when you point it out like
that.
I had even noticed the unlocked desc->outbuf assignment, but in my
naĩvity I just tried to move the mutex_lock in front of it. Which of
course didn't help a bit as the buffer would be used in wdm_out_callback
I guess you'll wrap this up and submit instead of my helpless patch, so
that this can be fixed for 3.4?
Bjørn
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
