* usb/io_edgeport: Fix a possible sleep-in-atomic bug in edge_bulk_in_callback
@ 2017-12-13 12:34 Jia-Ju Bai
0 siblings, 0 replies; 2+ messages in thread
From: Jia-Ju Bai @ 2017-12-13 12:34 UTC (permalink / raw)
To: johan, gregkh, pberger, alborchers; +Cc: linux-usb, Jia-Ju Bai
According to drivers/usb/serial/io_edgeport.c, the driver may sleep
under a spinlock.
The function call path is:
edge_bulk_in_callback (acquire the spinlock)
process_rcvd_data
process_rcvd_status
change_port_settings
send_iosp_ext_cmd
write_cmd_usb
usb_kill_urb --> may sleep
To fix it, usb_kill_urb() is removed from the error path after usb_submit_urb() fails.
This possible bug is found by my static analysis tool (DSAC) and checked by my code review.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
drivers/usb/serial/io_edgeport.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 219265c..17283f4 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2282,7 +2282,6 @@ static int write_cmd_usb(struct edgeport_port *edge_port,
/* something went wrong */
dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n",
__func__, status);
- usb_kill_urb(urb);
usb_free_urb(urb);
atomic_dec(&CmdUrbs);
return status;
^ permalink raw reply related [flat|nested] 2+ messages in thread
* usb/io_edgeport: Fix a possible sleep-in-atomic bug in edge_bulk_in_callback
@ 2017-12-14 10:07 Johan Hovold
0 siblings, 0 replies; 2+ messages in thread
From: Johan Hovold @ 2017-12-14 10:07 UTC (permalink / raw)
To: Jia-Ju Bai; +Cc: johan, gregkh, pberger, alborchers, linux-usb
On Wed, Dec 13, 2017 at 08:34:36PM +0800, Jia-Ju Bai wrote:
> According to drivers/usb/serial/io_edgeport.c, the driver may sleep
> under a spinlock.
> The function call path is:
> edge_bulk_in_callback (acquire the spinlock)
> process_rcvd_data
> process_rcvd_status
> change_port_settings
> send_iosp_ext_cmd
> write_cmd_usb
> usb_kill_urb --> may sleep
>
> To fix it, usb_kill_urb() is removed from the error path after usb_submit_urb() fails.
I added a "the redundant" before "usb_kill_urb()" in the above sentence
to make it more clear why this was done.
> This possible bug is found by my static analysis tool (DSAC) and checked by my code review.
And line-wrapped you commit message (at about 72 columns).
I also used a common prefix and shortened the summary to:
USB: serial: io_edgeport: fix possible sleep-in-atomic
Just some minor nits, that you can keep in mind for your next patch
submission.
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Thanks for reporting and fixing this. Now applied for -next.
Johan
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-12-14 10:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-14 10:07 usb/io_edgeport: Fix a possible sleep-in-atomic bug in edge_bulk_in_callback Johan Hovold
-- strict thread matches above, loose matches on Subject: below --
2017-12-13 12:34 Jia-Ju Bai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).