From: Alexey Khoroshilov Date: Tue, 23 Jul 2013 20:20:17 +0000 (+0400) Subject: usb: gadget: mv_u3d_core: fix violation of locking discipline in mv_u3d_ep_disable() X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=2389df458b9e8222ef54fbb6e7023ead84b87a5c;p=openwrt%2Fstaging%2Fblogic.git usb: gadget: mv_u3d_core: fix violation of locking discipline in mv_u3d_ep_disable() mv_u3d_nuke() expects to be calles with ep->u3d->lock held, because mv_u3d_done() does. But mv_u3d_ep_disable() calls it without lock that can lead to unpleasant consequences. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Felipe Balbi --- diff --git a/drivers/usb/gadget/mv_u3d_core.c b/drivers/usb/gadget/mv_u3d_core.c index bbb6e98c4384..561b30efb8ee 100644 --- a/drivers/usb/gadget/mv_u3d_core.c +++ b/drivers/usb/gadget/mv_u3d_core.c @@ -645,6 +645,7 @@ static int mv_u3d_ep_disable(struct usb_ep *_ep) struct mv_u3d_ep *ep; struct mv_u3d_ep_context *ep_context; u32 epxcr, direction; + unsigned long flags; if (!_ep) return -EINVAL; @@ -661,7 +662,9 @@ static int mv_u3d_ep_disable(struct usb_ep *_ep) direction = mv_u3d_ep_dir(ep); /* nuke all pending requests (does flush) */ + spin_lock_irqsave(&u3d->lock, flags); mv_u3d_nuke(ep, -ESHUTDOWN); + spin_unlock_irqrestore(&u3d->lock, flags); /* Disable the endpoint for Rx or Tx and reset the endpoint type */ if (direction == MV_U3D_EP_DIR_OUT) {