Commit 93a5bfbc, authored by Raveendran Somu, committed by Kalle Valo

brcmfmac: Fix driver crash on USB control transfer timeout

When the control transfer gets timed out, the error status
was returned without killing that urb, this leads to using
the same urb. This issue causes the kernel crash as the same
urb is submitted multiple times. The fix is to kill the
urb for timeout transfer before returning error

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1585124429-97371-2-git-send-email-chi-hsien.lin@cypress.com
Parent 0985d3a4
......@@ -328,11 +328,12 @@ static int brcmf_usb_tx_ctlpkt(struct device *dev, u8 *buf, u32 len)
return err;
}
timeout = brcmf_usb_ioctl_resp_wait(devinfo);
clear_bit(0, &devinfo->ctl_op);
if (!timeout) {
brcmf_err("Txctl wait timed out\n");
usb_kill_urb(devinfo->ctl_urb);
err = -EIO;
}
clear_bit(0, &devinfo->ctl_op);
return err;
}
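Review bot: the timeout branch in brcmf_usb_tx_ctlpkt() relies on usb_kill_urb(devinfo->ctl_urb) finishing before the clear_bit(0, &devinfo->ctl_op) that follows the if (!timeout) block, but no comment records that ordering. usb_kill_urb() blocks until the URB's completion handler has returned, so, assuming ctl_op is the busy flag taken at the top of the function (not visible in this hunk), keeping the bit set across the kill is what prevents a second control request from submitting the same ctl_urb. A one-line comment above the call would stop a later cleanup from moving clear_bit back ahead of the timeout check. usb_kill_urb() may sleep; that is acceptable here because the function has just waited in brcmf_usb_ioctl_resp_wait(), and the comment could say so.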
......@@ -358,11 +359,12 @@ static int brcmf_usb_rx_ctlpkt(struct device *dev, u8 *buf, u32 len)
}
timeout = brcmf_usb_ioctl_resp_wait(devinfo);
err = devinfo->ctl_urb_status;
clear_bit(0, &devinfo->ctl_op);
if (!timeout) {
brcmf_err("rxctl wait timed out\n");
usb_kill_urb(devinfo->ctl_urb);
err = -EIO;
}
clear_bit(0, &devinfo->ctl_op);
if (!err)
return devinfo->ctl_urb_actual_length;
else
......
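Review bot: the timeout sequence in brcmf_usb_rx_ctlpkt() (log, usb_kill_urb(devinfo->ctl_urb), err = -EIO, then clear_bit(0, &devinfo->ctl_op)) is a copy of the one in brcmf_usb_tx_ctlpkt(), differing only in the message text. Consider moving it into one small shared helper (for example a function named brcmf_usb_ctl_timeout(), a hypothetical name) so the kill-before-clear ordering is defined in a single place and the two paths cannot drift apart.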