]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b92fd29)
usb: usbtmc: Fix erroneous get_stb ioctl error returns
authorDave Penkler <dpenkler@gmail.com>
Fri, 2 May 2025 07:09:39 +0000 (09:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Jun 2025 12:36:55 +0000 (14:36 +0200)
commit cac01bd178d6a2a23727f138d647ce1a0e8a73a1 upstream.

wait_event_interruptible_timeout returns a long
The return was being assigned to an int causing an integer overflow when
the remaining jiffies > INT_MAX resulting in random error returns.

Use a long return value and convert to int ioctl return only on error.

When the return value of wait_event_interruptible_timeout was <= INT_MAX
the number of remaining jiffies was returned which has no meaning for the
user. Return 0 on success.

Reported-by: Michael Katzmann <vk2bea@gmail.com>
Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250502070941.31819-2-dpenkler@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/class/usbtmc.c patch | blob | blame | history

diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 6e6d0f5a558d09fc8e0086e06e1a3598fc0ad6e8..f1944e063d97d3b32e0ec640381b00cfbf4afd67 100644 (file)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -485,6 +485,7 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
        u8 tag;
        __u8 stb;
        int rv;
+       long wait_rv;
 
        dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
                data->iin_ep_present);
@@ -527,16 +528,17 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
        }
 
        if (data->iin_ep_present) {
-               rv = wait_event_interruptible_timeout(
+               wait_rv = wait_event_interruptible_timeout(
                        data->waitq,
                        atomic_read(&data->iin_data_valid) != 0,
                        file_data->timeout);
-               if (rv < 0) {
-                       dev_dbg(dev, "wait interrupted %d\n", rv);
+               if (wait_rv < 0) {
+                       dev_dbg(dev, "wait interrupted %ld\n", wait_rv);
+                       rv = wait_rv;
                        goto exit;
                }
 
-               if (rv == 0) {
+               if (wait_rv == 0) {
                        dev_dbg(dev, "wait timed out\n");
                        rv = -ETIMEDOUT;
                        goto exit;
@@ -556,6 +558,8 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
        rv = put_user(stb, (__u8 __user *)arg);
        dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)stb, rv);
 
+       rv = 0;
+
  exit:
        /* bump interrupt bTag */
        data->iin_bTag += 1;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git