From: Christian Gromm Date: Fri, 19 Aug 2016 09:12:56 +0000 (+0200) Subject: staging: most: hdm-usb: synchronize release of struct buf_anchor X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b24c9fe9fcf9c7a04fa08e5c1da7d156011e6b63;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git staging: most: hdm-usb: synchronize release of struct buf_anchor In case a channel that is going to be destroyed has been tagged as not "healthy" by the function hdm_poison_channel() while the functions hdm_write_completion() or hdm_read_completion() are being executed, they race for destruction of buf_anchor. This patch fixes the problem. Signed-off-by: Andrey Shvetsov Signed-off-by: Christian Gromm Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/most/hdm-usb/hdm_usb.c b/drivers/staging/most/hdm-usb/hdm_usb.c index 4156a30d0f41..26b5c1bac3d2 100644 --- a/drivers/staging/most/hdm-usb/hdm_usb.c +++ b/drivers/staging/most/hdm-usb/hdm_usb.c @@ -285,6 +285,8 @@ static unsigned int get_stream_frame_size(struct most_channel_config *cfg) static int hdm_poison_channel(struct most_interface *iface, int channel) { struct most_dev *mdev; + unsigned long flags; + spinlock_t *lock; /* temp. lock */ mdev = to_mdev(iface); if (unlikely(!iface)) { @@ -296,7 +298,10 @@ static int hdm_poison_channel(struct most_interface *iface, int channel) return -ECHRNG; } + lock = mdev->anchor_list_lock + channel; + spin_lock_irqsave(lock, flags); mdev->is_channel_healthy[channel] = false; + spin_unlock_irqrestore(lock, flags); cancel_work_sync(&mdev->clear_work[channel].ws); @@ -407,8 +412,10 @@ static void hdm_write_completion(struct urb *urb) dev = &mdev->usb_device->dev; lock = mdev->anchor_list_lock + channel; + spin_lock_irqsave(lock, flags); if ((urb->status == -ENOENT) || (urb->status == -ECONNRESET) || (!mdev->is_channel_healthy[channel])) { + spin_unlock_irqrestore(lock, flags); complete(&anchor->urb_compl); return; } @@ -419,6 +426,7 @@ static void hdm_write_completion(struct urb *urb) case -EPIPE: dev_warn(dev, "Broken OUT pipe detected\n"); mdev->is_channel_healthy[channel] = false; + spin_unlock_irqrestore(lock, flags); mbo->status = MBO_E_INVAL; mdev->clear_work[channel].pipe = urb->pipe; schedule_work(&mdev->clear_work[channel].ws); @@ -436,7 +444,6 @@ static void hdm_write_completion(struct urb *urb) mbo->processed_length = urb->actual_length; } - spin_lock_irqsave(lock, flags); list_del(&anchor->list); spin_unlock_irqrestore(lock, flags); kfree(anchor); @@ -571,8 +578,10 @@ static void hdm_read_completion(struct urb *urb) dev = &mdev->usb_device->dev; lock = mdev->anchor_list_lock + channel; + spin_lock_irqsave(lock, flags); if ((urb->status == -ENOENT) || (urb->status == -ECONNRESET) || (!mdev->is_channel_healthy[channel])) { + spin_unlock_irqrestore(lock, flags); complete(&anchor->urb_compl); return; } @@ -583,6 +592,7 @@ static void hdm_read_completion(struct urb *urb) case -EPIPE: dev_warn(dev, "Broken IN pipe detected\n"); mdev->is_channel_healthy[channel] = false; + spin_unlock_irqrestore(lock, flags); mbo->status = MBO_E_INVAL; mdev->clear_work[channel].pipe = urb->pipe; schedule_work(&mdev->clear_work[channel].ws); @@ -606,7 +616,7 @@ static void hdm_read_completion(struct urb *urb) mbo->status = MBO_E_INVAL; } } - spin_lock_irqsave(lock, flags); + list_del(&anchor->list); spin_unlock_irqrestore(lock, flags); kfree(anchor);