isdn/gigaset: fix usb_gigaset write_cmd result race

In usb_gigaset function gigaset_write_cmd(), the length field of the command buffer structure could be cleared by the transmit tasklet before it was used for the function's return value. Fix by copying to a local variable before scheduling the tasklet. Signed-off-by: N Tilman Schmidt <tilman@imap.cc> Signed-off-by: N David S. Miller <davem@davemloft.net>

isdn/gigaset: fix usb_gigaset write_cmd result race
In usb_gigaset function gigaset_write_cmd(), the length field of the command buffer structure could be cleared by the transmit tasklet before it was used for the function's return value. Fix by copying to a local variable before scheduling the tasklet. Signed-off-by: N Tilman Schmidt <tilman@imap.cc> Signed-off-by: N David S. Miller <davem@davemloft.net>
86f8ef2c · Tilman Schmidt · David S. Miller · 340184b3 · 86f8ef2c
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

drivers/isdn/gigaset/usb-gigaset.c drivers/isdn/gigaset/usb-gigaset.c +3 -1

未找到文件。
--- a/drivers/isdn/gigaset/usb-gigaset.c
+++ b/drivers/isdn/gigaset/usb-gigaset.c
@@ -497,6 +497,7 @@ static int send_cb(struct cardstate *cs, struct cmdbuf_t *cb)
 static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb)
 {
 	unsigned long flags;
+	int len;
 	gigaset_dbg_buffer(cs->mstate != MS_LOCKED ?
 			   DEBUG_TRANSCMD : DEBUG_LOCKCMD,
@@ -515,10 +516,11 @@ static int gigaset_write_cmd(struct cardstate *cs, struct cmdbuf_t *cb)
 	spin_unlock_irqrestore(&cs->cmdlock, flags);
 	spin_lock_irqsave(&cs->lock, flags);
+	len = cb->len;
 	if (cs->connected)
 		tasklet_schedule(&cs->write_tasklet);
 	spin_unlock_irqrestore(&cs->lock, flags);
-	return cb->len;
+	return len;
 }
 static int gigaset_write_room(struct cardstate *cs)