--- /dev/null
+From 3ee830f04845a39815ef67c3597260578fdc3ec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jan 2023 14:41:49 +0530
+Subject: usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit 921deb9da15851425ccbb6ee409dc2fd8fbdfe6b ]
+
+__ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock
+and unlocks it after the assignments to usb_request are done.
+However in the code if the request is already NULL we bail out returning
+-EINVAL but never unlocked the spinlock.
+
+Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning.
+
+Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait")
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 946cf039eddd..ba9af04ad37a 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -274,8 +274,10 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
+ struct usb_request *req = ffs->ep0req;
+ int ret;
+
+- if (!req)
++ if (!req) {
++ spin_unlock_irq(&ffs->ev.waitq.lock);
+ return -EINVAL;
++ }
+
+ req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
+
+--
+2.39.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
