From 0c07aec31a98a63ee83f2bbad4a2fab0e0f58d33 Mon Sep 17 00:00:00 2001 From: Alexey Khoroshilov Date: Mon, 13 Feb 2012 11:01:32 -0300 Subject: [PATCH] [media] staging: go7007: fix mismatch in mutex lock-unlock in [read|write]_reg_fp If go7007_usb_vendor_request() fails in write_reg_fp() or in read_reg_fp(), the usb->i2c_lock mutex left locked. The patch moves mutex_unlock(&usb->i2c_lock) before check for go7007_usb_vendor_request() returned value. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Mauro Carvalho Chehab --- drivers/staging/media/go7007/s2250-board.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/staging/media/go7007/s2250-board.c b/drivers/staging/media/go7007/s2250-board.c index e7736a91553..014d38410c9 100644 --- a/drivers/staging/media/go7007/s2250-board.c +++ b/drivers/staging/media/go7007/s2250-board.c @@ -192,6 +192,7 @@ static int write_reg_fp(struct i2c_client *client, u16 addr, u16 val) { struct go7007 *go = i2c_get_adapdata(client->adapter); struct go7007_usb *usb; + int rc; u8 *buf; struct s2250 *dec = i2c_get_clientdata(client); @@ -216,12 +217,13 @@ static int write_reg_fp(struct i2c_client *client, u16 addr, u16 val) kfree(buf); return -EINTR; } - if (go7007_usb_vendor_request(go, 0x57, addr, val, buf, 16, 1) < 0) { + rc = go7007_usb_vendor_request(go, 0x57, addr, val, buf, 16, 1); + mutex_unlock(&usb->i2c_lock); + if (rc < 0) { kfree(buf); - return -EFAULT; + return rc; } - mutex_unlock(&usb->i2c_lock); if (buf[0] == 0) { unsigned int subaddr, val_read; @@ -254,6 +256,7 @@ static int read_reg_fp(struct i2c_client *client, u16 addr, u16 *val) { struct go7007 *go = i2c_get_adapdata(client->adapter); struct go7007_usb *usb; + int rc; u8 *buf; if (go == NULL) @@ -276,11 +279,12 @@ static int read_reg_fp(struct i2c_client *client, u16 addr, u16 *val) kfree(buf); return -EINTR; } - if (go7007_usb_vendor_request(go, 0x58, addr, 0, buf, 16, 1) < 0) { + rc = go7007_usb_vendor_request(go, 0x58, addr, 0, buf, 16, 1); + mutex_unlock(&usb->i2c_lock); + if (rc < 0) { kfree(buf); - return -EFAULT; + return rc; } - mutex_unlock(&usb->i2c_lock); *val = (buf[0] << 8) | buf[1]; kfree(buf); -- 2.20.1