4.9-stable patches

added patches:
	usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch
	usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
	usbip-stub-dev-synchronize-sysfs-code-paths.patch
	usbip-synchronize-event-handler-with-sysfs-code-paths.patch
	usbip-vudc-synchronize-sysfs-code-paths.patch

diff --git a/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch b/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch
index 2ab0e0c0fdf981b66b199f50e197bb3bbee5e727..5c28d117ff3bf51dc7fc9049b6a3ac8340b7849c 100644 (file)
--- a/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch
+++ b/queue-4.9/pcnet32-use-pci_resource_len-to-validate-pci-resourc.patch
@@ -23,14 +23,12 @@ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- drivers/net/ethernet/amd/pcnet32.c | 5 +++--
+ drivers/net/ethernet/amd/pcnet32.c |    5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
 
-diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
-index c22bf52d3320..c3887ac3d04d 100644
 --- a/drivers/net/ethernet/amd/pcnet32.c
 +++ b/drivers/net/ethernet/amd/pcnet32.c
-@@ -1493,8 +1493,7 @@ pcnet32_probe_pci(struct pci_dev *pdev, const struct pci_device_id *ent)
+@@ -1493,8 +1493,7 @@ pcnet32_probe_pci(struct pci_dev *pdev,
        }
        pci_set_master(pdev);
  
@@ -40,7 +38,7 @@ index c22bf52d3320..c3887ac3d04d 100644
                if (pcnet32_debug & NETIF_MSG_PROBE)
                        pr_err("card has no PCI IO resources, aborting\n");
                return -ENODEV;
-@@ -1506,6 +1505,8 @@ pcnet32_probe_pci(struct pci_dev *pdev, const struct pci_device_id *ent)
+@@ -1506,6 +1505,8 @@ pcnet32_probe_pci(struct pci_dev *pdev,
                        pr_err("architecture does not support 32bit PCI busmaster DMA\n");
                return err;
        }
@@ -49,6 +47,3 @@ index c22bf52d3320..c3887ac3d04d 100644
        if (!request_region(ioaddr, PCNET32_TOTAL_SIZE, "pcnet32_probe_pci")) {
                if (pcnet32_debug & NETIF_MSG_PROBE)
                        pr_err("io address range already allocated\n");
--- 
-2.30.2
-

diff --git a/queue-4.9/series b/queue-4.9/series
index 7541d3a1b02f5a65a31c276c9c17c847852215d1..666e9fc827a8027dfcff62bf3ab401c33e32beb2 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -20,3 +20,8 @@ net-davicom-fix-regulator-not-turned-off-on-failed-probe.patch
 net-sit-unregister-catch-all-devices.patch
 i40e-fix-the-panic-when-running-bpf-in-xdpdrv-mode.patch
 arm-9071-1-uprobes-don-t-hook-on-thumb-instructions.patch
+usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
+usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch
+usbip-stub-dev-synchronize-sysfs-code-paths.patch
+usbip-vudc-synchronize-sysfs-code-paths.patch
+usbip-synchronize-event-handler-with-sysfs-code-paths.patch

diff --git a/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch
new file mode 100644 (file)
index 0000000..812fb11
--- /dev/null
+++ b/queue-4.9/usbip-add-sysfs_lock-to-synchronize-sysfs-code-paths.patch
@@ -0,0 +1,153 @@
+From foo@baz Tue Apr 20 01:51:40 PM CEST 2021
+From: Tom Seewald <tseewald@gmail.com>
+Date: Fri, 16 Apr 2021 15:53:16 -0500
+Subject: usbip: add sysfs_lock to synchronize sysfs code paths
+To: stable@vger.kernel.org
+Cc: Shuah Khan <skhan@linuxfoundation.org>, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Tom Seewald <tseewald@gmail.com>, Valentina Manea <valentina.manea.m@gmail.com>, Shuah Khan <shuah@kernel.org>
+Message-ID: <20210416205319.14075-1-tseewald@gmail.com>
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 4e9c93af7279b059faf5bb1897ee90512b258a12 upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+This problem is common to all drivers while it can be reproduced easily
+in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths.
+
+Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host
+and usip-vudc drivers and the event handler will have to use this lock to
+protect the paths. These changes will be done in subsequent patches.
+
+Cc: stable@vger.kernel.org # 4.9.x
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Tom Seewald <tseewald@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_common.h |    3 +++
+ drivers/usb/usbip/vhci_hcd.c     |    1 +
+ drivers/usb/usbip/vhci_sysfs.c   |   30 +++++++++++++++++++++++++-----
+ 3 files changed, 29 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/usbip/usbip_common.h
++++ b/drivers/usb/usbip/usbip_common.h
+@@ -278,6 +278,9 @@ struct usbip_device {
+       /* lock for status */
+       spinlock_t lock;
+ 
++      /* mutex for synchronizing sysfs store paths */
++      struct mutex sysfs_lock;
++
+       int sockfd;
+       struct socket *tcp_socket;
+ 
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -907,6 +907,7 @@ static void vhci_device_init(struct vhci
+       vdev->ud.side   = USBIP_VHCI;
+       vdev->ud.status = VDEV_ST_NULL;
+       spin_lock_init(&vdev->ud.lock);
++      mutex_init(&vdev->ud.sysfs_lock);
+ 
+       INIT_LIST_HEAD(&vdev->priv_rx);
+       INIT_LIST_HEAD(&vdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -161,6 +161,8 @@ static int vhci_port_disconnect(struct v
+ 
+       usbip_dbg_vhci_sysfs("enter\n");
+ 
++      mutex_lock(&vdev->ud.sysfs_lock);
++
+       /* lock */
+       spin_lock_irqsave(&vhci->lock, flags);
+       spin_lock(&vdev->ud.lock);
+@@ -171,6 +173,7 @@ static int vhci_port_disconnect(struct v
+               /* unlock */
+               spin_unlock(&vdev->ud.lock);
+               spin_unlock_irqrestore(&vhci->lock, flags);
++              mutex_unlock(&vdev->ud.sysfs_lock);
+ 
+               return -EINVAL;
+       }
+@@ -181,6 +184,8 @@ static int vhci_port_disconnect(struct v
+ 
+       usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
+ 
++      mutex_unlock(&vdev->ud.sysfs_lock);
++
+       return 0;
+ }
+ 
+@@ -309,30 +314,36 @@ static ssize_t store_attach(struct devic
+       vhci = hcd_to_vhci(hcd);
+       vdev = &vhci->vdev[rhport];
+ 
++      mutex_lock(&vdev->ud.sysfs_lock);
++
+       /* Extract socket from fd. */
+       socket = sockfd_lookup(sockfd, &err);
+       if (!socket) {
+               dev_err(dev, "failed to lookup sock");
+-              return -EINVAL;
++              err = -EINVAL;
++              goto unlock_mutex;
+       }
+       if (socket->type != SOCK_STREAM) {
+               dev_err(dev, "Expecting SOCK_STREAM - found %d",
+                       socket->type);
+               sockfd_put(socket);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto unlock_mutex;
+       }
+ 
+       /* create threads before locking */
+       tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
+       if (IS_ERR(tcp_rx)) {
+               sockfd_put(socket);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto unlock_mutex;
+       }
+       tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
+       if (IS_ERR(tcp_tx)) {
+               kthread_stop(tcp_rx);
+               sockfd_put(socket);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto unlock_mutex;
+       }
+ 
+       /* get task structs now */
+@@ -353,7 +364,8 @@ static ssize_t store_attach(struct devic
+               kthread_stop_put(tcp_tx);
+ 
+               dev_err(dev, "port %d already used\n", rhport);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto unlock_mutex;
+       }
+ 
+       dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
+@@ -378,7 +390,15 @@ static ssize_t store_attach(struct devic
+ 
+       rh_port_connect(vdev, speed);
+ 
++      dev_info(dev, "Device attached\n");
++
++      mutex_unlock(&vdev->ud.sysfs_lock);
++
+       return count;
++
++unlock_mutex:
++      mutex_unlock(&vdev->ud.sysfs_lock);
++      return err;
+ }
+ static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach);
+ 

diff --git a/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch b/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
new file mode 100644 (file)
index 0000000..32ee731
--- /dev/null
+++ b/queue-4.9/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
@@ -0,0 +1,35 @@
+From 9858af27e69247c5d04c3b093190a93ca365f33d Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 11 Mar 2021 10:44:45 +0000
+Subject: usbip: Fix incorrect double assignment to udc->ud.tcp_rx
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 9858af27e69247c5d04c3b093190a93ca365f33d upstream.
+
+Currently udc->ud.tcp_rx is being assigned twice, the second assignment
+is incorrect, it should be to udc->ud.tcp_tx instead of rx. Fix this.
+
+Fixes: 46613c9dfa96 ("usbip: fix vudc usbip_sockfd_store races leading to gpf")
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Addresses-Coverity: ("Unused value")
+Link: https://lore.kernel.org/r/20210311104445.7811-1-colin.king@canonical.com
+Signed-off-by: Tom Seewald <tseewald@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_sysfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -187,7 +187,7 @@ static ssize_t store_sockfd(struct devic
+ 
+               udc->ud.tcp_socket = socket;
+               udc->ud.tcp_rx = tcp_rx;
+-              udc->ud.tcp_rx = tcp_tx;
++              udc->ud.tcp_tx = tcp_tx;
+               udc->ud.status = SDEV_ST_USED;
+ 
+               spin_unlock_irq(&udc->ud.lock);

diff --git a/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch
new file mode 100644 (file)
index 0000000..feaf405
--- /dev/null
+++ b/queue-4.9/usbip-stub-dev-synchronize-sysfs-code-paths.patch
@@ -0,0 +1,89 @@
+From foo@baz Tue Apr 20 01:51:40 PM CEST 2021
+From: Tom Seewald <tseewald@gmail.com>
+Date: Fri, 16 Apr 2021 15:53:17 -0500
+Subject: usbip: stub-dev synchronize sysfs code paths
+To: stable@vger.kernel.org
+Cc: Shuah Khan <skhan@linuxfoundation.org>, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Tom Seewald <tseewald@gmail.com>, Valentina Manea <valentina.manea.m@gmail.com>, Shuah Khan <shuah@kernel.org>
+Message-ID: <20210416205319.14075-2-tseewald@gmail.com>
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 9dbf34a834563dada91366c2ac266f32ff34641a upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+Use sysfs_lock to protect sysfs paths in stub-dev.
+
+Cc: stable@vger.kernel.org # 4.9.x
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Tom Seewald <tseewald@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/stub_dev.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -77,6 +77,7 @@ static ssize_t store_sockfd(struct devic
+ 
+               dev_info(dev, "stub up\n");
+ 
++              mutex_lock(&sdev->ud.sysfs_lock);
+               spin_lock_irq(&sdev->ud.lock);
+ 
+               if (sdev->ud.status != SDEV_ST_AVAILABLE) {
+@@ -101,13 +102,13 @@ static ssize_t store_sockfd(struct devic
+               tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
+               if (IS_ERR(tcp_rx)) {
+                       sockfd_put(socket);
+-                      return -EINVAL;
++                      goto unlock_mutex;
+               }
+               tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
+               if (IS_ERR(tcp_tx)) {
+                       kthread_stop(tcp_rx);
+                       sockfd_put(socket);
+-                      return -EINVAL;
++                      goto unlock_mutex;
+               }
+ 
+               /* get task structs now */
+@@ -126,6 +127,8 @@ static ssize_t store_sockfd(struct devic
+               wake_up_process(sdev->ud.tcp_rx);
+               wake_up_process(sdev->ud.tcp_tx);
+ 
++              mutex_unlock(&sdev->ud.sysfs_lock);
++
+       } else {
+               dev_info(dev, "stub down\n");
+ 
+@@ -136,6 +139,7 @@ static ssize_t store_sockfd(struct devic
+               spin_unlock_irq(&sdev->ud.lock);
+ 
+               usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN);
++              mutex_unlock(&sdev->ud.sysfs_lock);
+       }
+ 
+       return count;
+@@ -144,6 +148,8 @@ sock_err:
+       sockfd_put(socket);
+ err:
+       spin_unlock_irq(&sdev->ud.lock);
++unlock_mutex:
++      mutex_unlock(&sdev->ud.sysfs_lock);
+       return -EINVAL;
+ }
+ static DEVICE_ATTR(usbip_sockfd, S_IWUSR, NULL, store_sockfd);
+@@ -309,6 +315,7 @@ static struct stub_device *stub_device_a
+       sdev->ud.side           = USBIP_STUB;
+       sdev->ud.status         = SDEV_ST_AVAILABLE;
+       spin_lock_init(&sdev->ud.lock);
++      mutex_init(&sdev->ud.sysfs_lock);
+       sdev->ud.tcp_socket     = NULL;
+       sdev->ud.sockfd         = -1;
+ 

diff --git a/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch b/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch
new file mode 100644 (file)
index 0000000..0548190
--- /dev/null
+++ b/queue-4.9/usbip-synchronize-event-handler-with-sysfs-code-paths.patch
@@ -0,0 +1,48 @@
+From foo@baz Tue Apr 20 01:51:40 PM CEST 2021
+From: Tom Seewald <tseewald@gmail.com>
+Date: Fri, 16 Apr 2021 15:53:19 -0500
+Subject: usbip: synchronize event handler with sysfs code paths
+To: stable@vger.kernel.org
+Cc: Shuah Khan <skhan@linuxfoundation.org>, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Tom Seewald <tseewald@gmail.com>, Valentina Manea <valentina.manea.m@gmail.com>, Shuah Khan <shuah@kernel.org>
+Message-ID: <20210416205319.14075-4-tseewald@gmail.com>
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+Use sysfs_lock to synchronize event handler with sysfs paths
+in usbip drivers.
+
+Cc: stable@vger.kernel.org # 4.9.x
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Tom Seewald <tseewald@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_event.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_event.c
++++ b/drivers/usb/usbip/usbip_event.c
+@@ -84,6 +84,7 @@ static void event_handler(struct work_st
+       while ((ud = get_event()) != NULL) {
+               usbip_dbg_eh("pending event %lx\n", ud->event);
+ 
++              mutex_lock(&ud->sysfs_lock);
+               /*
+                * NOTE: shutdown must come first.
+                * Shutdown the device.
+@@ -104,6 +105,7 @@ static void event_handler(struct work_st
+                       ud->eh_ops.unusable(ud);
+                       unset_event(ud, USBIP_EH_UNUSABLE);
+               }
++              mutex_unlock(&ud->sysfs_lock);
+ 
+               wake_up(&ud->eh_waitq);
+       }

diff --git a/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch b/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch
new file mode 100644 (file)
index 0000000..05ef11c
--- /dev/null
+++ b/queue-4.9/usbip-vudc-synchronize-sysfs-code-paths.patch
@@ -0,0 +1,75 @@
+From foo@baz Tue Apr 20 01:51:40 PM CEST 2021
+From: Tom Seewald <tseewald@gmail.com>
+Date: Fri, 16 Apr 2021 15:53:18 -0500
+Subject: usbip: vudc synchronize sysfs code paths
+To: stable@vger.kernel.org
+Cc: Shuah Khan <skhan@linuxfoundation.org>, syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Tom Seewald <tseewald@gmail.com>, Valentina Manea <valentina.manea.m@gmail.com>, Shuah Khan <shuah@kernel.org>
+Message-ID: <20210416205319.14075-3-tseewald@gmail.com>
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+commit bd8b82042269a95db48074b8bb400678dbac1815 upstream.
+
+Fuzzing uncovered race condition between sysfs code paths in usbip
+drivers. Device connect/disconnect code paths initiated through
+sysfs interface are prone to races if disconnect happens during
+connect and vice versa.
+
+Use sysfs_lock to protect sysfs paths in vudc.
+
+Cc: stable@vger.kernel.org # 4.9.x # 4.14.x
+Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org
+Signed-off-by: Tom Seewald <tseewald@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_dev.c   |    1 +
+ drivers/usb/usbip/vudc_sysfs.c |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/usb/usbip/vudc_dev.c
++++ b/drivers/usb/usbip/vudc_dev.c
+@@ -582,6 +582,7 @@ static int init_vudc_hw(struct vudc *udc
+       init_waitqueue_head(&udc->tx_waitq);
+ 
+       spin_lock_init(&ud->lock);
++      mutex_init(&ud->sysfs_lock);
+       ud->status = SDEV_ST_AVAILABLE;
+       ud->side = USBIP_VUDC;
+ 
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -125,6 +125,7 @@ static ssize_t store_sockfd(struct devic
+               dev_err(dev, "no device");
+               return -ENODEV;
+       }
++      mutex_lock(&udc->ud.sysfs_lock);
+       spin_lock_irqsave(&udc->lock, flags);
+       /* Don't export what we don't have */
+       if (!udc->driver || !udc->pullup) {
+@@ -200,6 +201,8 @@ static ssize_t store_sockfd(struct devic
+ 
+               wake_up_process(udc->ud.tcp_rx);
+               wake_up_process(udc->ud.tcp_tx);
++
++              mutex_unlock(&udc->ud.sysfs_lock);
+               return count;
+ 
+       } else {
+@@ -220,6 +223,7 @@ static ssize_t store_sockfd(struct devic
+       }
+ 
+       spin_unlock_irqrestore(&udc->lock, flags);
++      mutex_unlock(&udc->ud.sysfs_lock);
+ 
+       return count;
+ 
+@@ -229,6 +233,7 @@ unlock_ud:
+       spin_unlock_irq(&udc->ud.lock);
+ unlock:
+       spin_unlock_irqrestore(&udc->lock, flags);
++      mutex_unlock(&udc->ud.sysfs_lock);
+ 
+       return ret;
+ }