[PATCH] USB: usbfs: drop the device semaphore in proc_bulk and proc_control

usb_control_msg and usb_bulk_msg may sleep for a long time, so drop the per device semaphore before calling them. This fixes OSDL bug 3108. Dropping the semaphore is racy, but (1) the race is fairly harmless, (2) it can be occur elsewhere as an inevitable consequence of the current usbfs api, this just makes it fractionally more likely. Signed-off-by: Duncan Sands <baldrick@free.fr> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

[PATCH] USB: usbfs: drop the device semaphore in proc_bulk and proc_control
usb_control_msg and usb_bulk_msg may sleep for a long time, so drop the per device semaphore before calling them. This fixes OSDL bug 3108. Dropping the semaphore is racy, but (1) the race is fairly harmless, (2) it can be occur elsewhere as an inevitable consequence of the current usbfs api, this just makes it fractionally more likely. Signed-off-by: Duncan Sands <baldrick@free.fr> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
0760ab15 · Duncan Sands · Greg Kroah-Hartman · 1fa89efc · 0760ab15
Commit 0760ab15 authored Aug 05, 2004 by Duncan Sands Committed by Greg Kroah-Hartman Aug 05, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

drivers/usb/core/devio.c drivers/usb/core/devio.c +8 -0

No files found.
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -555,8 +555,10 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 		snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", 
 			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);

+		up(&dev->serialize);
 		i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
 				       ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo);
+		down(&dev->serialize);
 		if ((i > 0) && ctrl.wLength) {
 			if (usbfs_snoop) {
 				dev_info(&dev->dev, "control read: data ");
@@ -584,8 +586,10 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 				printk ("%02x ", (unsigned char)(tbuf)[j]);
 			printk("\n");
 		}
+		up(&dev->serialize);
 		i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
 				       ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo);
+		down(&dev->serialize);
 	}
 	free_page((unsigned long)tbuf);
 	if (i<0) {
@@ -627,7 +631,9 @@ static int proc_bulk(struct dev_state *ps, void __user *arg)
 			kfree(tbuf);
 			return -EINVAL;
 		}
+		up(&dev->serialize);
 		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
+		down(&dev->serialize);
 		if (!i && len2) {
 			if (copy_to_user(bulk.data, tbuf, len2)) {
 				kfree(tbuf);
@@ -641,7 +647,9 @@ static int proc_bulk(struct dev_state *ps, void __user *arg)
 				return -EFAULT;
 			}
 		}
+		up(&dev->serialize);
 		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
+		down(&dev->serialize);
 	}
 	kfree(tbuf);
 	if (i < 0) {