Commit a30551db authored by Anton Vorontsov's avatar Anton Vorontsov Committed by Greg Kroah-Hartman

USB: fsl_qe_udc: Fix recursive locking bug in ch9getstatus()

The call chain is this:

qe_udc_irq() <- grabs the udc->lock spinlock
rx_irq()
qe_ep0_rx()
ep0_setup_handle()
setup_received_handle()
ch9getstatus()
qe_ep_queue() <- tries to grab the udc->lock again

It seems unsafe to temporarily drop the lock in the ch9getstatus(),
so to fix that bug the lock-less __qe_ep_queue() function
implemented and used by the ch9getstatus().
Signed-off-by: default avatarAnton Vorontsov <avorontsov@ru.mvista.com>
Acked-by: default avatarDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 94f341db
...@@ -1681,14 +1681,11 @@ static void qe_free_request(struct usb_ep *_ep, struct usb_request *_req) ...@@ -1681,14 +1681,11 @@ static void qe_free_request(struct usb_ep *_ep, struct usb_request *_req)
kfree(req); kfree(req);
} }
/* queues (submits) an I/O request to an endpoint */ static int __qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req)
static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req,
gfp_t gfp_flags)
{ {
struct qe_ep *ep = container_of(_ep, struct qe_ep, ep); struct qe_ep *ep = container_of(_ep, struct qe_ep, ep);
struct qe_req *req = container_of(_req, struct qe_req, req); struct qe_req *req = container_of(_req, struct qe_req, req);
struct qe_udc *udc; struct qe_udc *udc;
unsigned long flags;
int reval; int reval;
udc = ep->udc; udc = ep->udc;
...@@ -1732,7 +1729,7 @@ static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req, ...@@ -1732,7 +1729,7 @@ static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req,
list_add_tail(&req->queue, &ep->queue); list_add_tail(&req->queue, &ep->queue);
dev_vdbg(udc->dev, "gadget have request in %s! %d\n", dev_vdbg(udc->dev, "gadget have request in %s! %d\n",
ep->name, req->req.length); ep->name, req->req.length);
spin_lock_irqsave(&udc->lock, flags);
/* push the request to device */ /* push the request to device */
if (ep_is_in(ep)) if (ep_is_in(ep))
reval = ep_req_send(ep, req); reval = ep_req_send(ep, req);
...@@ -1748,11 +1745,24 @@ static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req, ...@@ -1748,11 +1745,24 @@ static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req,
if (ep->dir == USB_DIR_OUT) if (ep->dir == USB_DIR_OUT)
reval = ep_req_receive(ep, req); reval = ep_req_receive(ep, req);
spin_unlock_irqrestore(&udc->lock, flags);
return 0; return 0;
} }
/* queues (submits) an I/O request to an endpoint */
static int qe_ep_queue(struct usb_ep *_ep, struct usb_request *_req,
gfp_t gfp_flags)
{
struct qe_ep *ep = container_of(_ep, struct qe_ep, ep);
struct qe_udc *udc = ep->udc;
unsigned long flags;
int ret;
spin_lock_irqsave(&udc->lock, flags);
ret = __qe_ep_queue(_ep, _req);
spin_unlock_irqrestore(&udc->lock, flags);
return ret;
}
/* dequeues (cancels, unlinks) an I/O request from an endpoint */ /* dequeues (cancels, unlinks) an I/O request from an endpoint */
static int qe_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req) static int qe_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
{ {
...@@ -2008,7 +2018,7 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value, ...@@ -2008,7 +2018,7 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
udc->ep0_dir = USB_DIR_IN; udc->ep0_dir = USB_DIR_IN;
/* data phase */ /* data phase */
status = qe_ep_queue(&ep->ep, &req->req, GFP_ATOMIC); status = __qe_ep_queue(&ep->ep, &req->req);
if (status == 0) if (status == 0)
return; return;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment