Merge "usb: gadget: mbim: protect packets queue corruption"
diff --git a/drivers/usb/gadget/f_mbim.c b/drivers/usb/gadget/f_mbim.c
index 15f20ca..88a7bde 100644
--- a/drivers/usb/gadget/f_mbim.c
+++ b/drivers/usb/gadget/f_mbim.c
@@ -1710,8 +1710,10 @@
return -EIO;
}
+ spin_lock(&dev->lock);
while (list_empty(&dev->cpkt_req_q)) {
pr_debug("Requests list is empty. Wait.\n");
+ spin_unlock(&dev->lock);
ret = wait_event_interruptible(dev->read_wq,
!list_empty(&dev->cpkt_req_q));
if (ret < 0) {
@@ -1720,11 +1722,13 @@
return -ERESTARTSYS;
}
pr_debug("Received request packet\n");
+ spin_lock(&dev->lock);
}
cpkt = list_first_entry(&dev->cpkt_req_q, struct ctrl_pkt,
list);
if (cpkt->len > count) {
+ spin_unlock(&dev->lock);
mbim_unlock(&dev->read_excl);
pr_err("cpkt size too big:%d > buf size:%d\n",
cpkt->len, count);
@@ -1734,6 +1738,7 @@
pr_debug("cpkt size:%d\n", cpkt->len);
list_del(&cpkt->list);
+ spin_unlock(&dev->lock);
mbim_unlock(&dev->read_excl);
ret = copy_to_user(buf, cpkt->buf, cpkt->len);