usb: usbtmc: Fix erroneous wait_srq ioctl return

wait_event_interruptible_timeout returns a long
The return was being assigned to an int causing an integer overflow when
the remaining jiffies > INT_MAX resulting in random error returns.

Use a long return value,  converting to the int ioctl return only on
error.

Fixes: 739240a9f6ac ("usb: usbtmc: Add ioctl USBTMC488_IOCTL_WAIT_SRQ")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250502070941.31819-3-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index e91f11c1ab5fde837240068100b93db75697900c..4761a5ecadd6f38b8004810c4f886f9ce8b5a4c6 100644 (file)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -606,9 +606,9 @@ static int usbtmc488_ioctl_wait_srq(struct usbtmc_file_data *file_data,
 {
        struct usbtmc_device_data *data = file_data->data;
        struct device *dev = &data->intf->dev;
-       int rv;
        u32 timeout;
        unsigned long expire;
+       long wait_rv;
 
        if (!data->iin_ep_present) {
                dev_dbg(dev, "no interrupt endpoint present\n");
@@ -622,25 +622,24 @@ static int usbtmc488_ioctl_wait_srq(struct usbtmc_file_data *file_data,
 
        mutex_unlock(&data->io_mutex);
 
-       rv = wait_event_interruptible_timeout(
-                       data->waitq,
-                       atomic_read(&file_data->srq_asserted) != 0 ||
-                       atomic_read(&file_data->closing),
-                       expire);
+       wait_rv = wait_event_interruptible_timeout(
+               data->waitq,
+               atomic_read(&file_data->srq_asserted) != 0 ||
+               atomic_read(&file_data->closing),
+               expire);
 
        mutex_lock(&data->io_mutex);
 
        /* Note! disconnect or close could be called in the meantime */
        if (atomic_read(&file_data->closing) || data->zombie)
-               rv = -ENODEV;
+               return -ENODEV;
 
-       if (rv < 0) {
-               /* dev can be invalid now! */
-               pr_debug("%s - wait interrupted %d\n", __func__, rv);
-               return rv;
+       if (wait_rv < 0) {
+               dev_dbg(dev, "%s - wait interrupted %ld\n", __func__, wait_rv);
+               return wait_rv;
        }
 
-       if (rv == 0) {
+       if (wait_rv == 0) {
                dev_dbg(dev, "%s - wait timed out\n", __func__);
                return -ETIMEDOUT;
        }