From: Lu Baolu Date: Thu, 11 Aug 2016 02:39:03 +0000 (+0800) Subject: mfd: rtsx_usb: Avoid setting ucr->current_sg.status X-Git-Tag: v4.9-rc1~97^2~38 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=8dcc5ff8fcaf778bb57ab4448fedca9e381d088f;p=users%2Fhch%2Fmisc.git mfd: rtsx_usb: Avoid setting ucr->current_sg.status Member "status" of struct usb_sg_request is managed by usb core. A spin lock is used to serialize the change of it. The driver could check the value of req->status, but should avoid changing it without the hold of the spinlock. Otherwise, it could cause race or error in usb core. This patch could be backported to stable kernels with version later than v3.14. Cc: stable@vger.kernel.org # 3.14+ Cc: Alan Stern Cc: Roger Tseng Signed-off-by: Lu Baolu Signed-off-by: Lee Jones --- diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c index dbd907d7170e..691dab791f7a 100644 --- a/drivers/mfd/rtsx_usb.c +++ b/drivers/mfd/rtsx_usb.c @@ -46,9 +46,6 @@ static void rtsx_usb_sg_timed_out(unsigned long data) dev_dbg(&ucr->pusb_intf->dev, "%s: sg transfer timed out", __func__); usb_sg_cancel(&ucr->current_sg); - - /* we know the cancellation is caused by time-out */ - ucr->current_sg.status = -ETIMEDOUT; } static int rtsx_usb_bulk_transfer_sglist(struct rtsx_ucr *ucr, @@ -67,12 +64,15 @@ static int rtsx_usb_bulk_transfer_sglist(struct rtsx_ucr *ucr, ucr->sg_timer.expires = jiffies + msecs_to_jiffies(timeout); add_timer(&ucr->sg_timer); usb_sg_wait(&ucr->current_sg); - del_timer_sync(&ucr->sg_timer); + if (!del_timer_sync(&ucr->sg_timer)) + ret = -ETIMEDOUT; + else + ret = ucr->current_sg.status; if (act_len) *act_len = ucr->current_sg.bytes; - return ucr->current_sg.status; + return ret; } int rtsx_usb_transfer_data(struct rtsx_ucr *ucr, unsigned int pipe,