[PATCH 10/13] fix race in skel_write

From: stefani
Date: Thu Jun 07 2012 - 04:31:48 EST


From: Stefani Seibold <stefani@xxxxxxxxxxx>

Access to members of dev->interface without holding the io_mutex lock
could result in a NULL pointer access, since disconnect will do this
as a marker for disconnect.

Signed-off-by: Stefani Seibold <stefani@xxxxxxxxxxx>
---
drivers/usb/usb-skeleton.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/usb-skeleton.c b/drivers/usb/usb-skeleton.c
index 6482acb..0a1ab0b 100644
--- a/drivers/usb/usb-skeleton.c
+++ b/drivers/usb/usb-skeleton.c
@@ -96,7 +96,7 @@ static int skel_open(struct inode *inode, struct file *file)
kref_get(&dev->kref);

/*
- * must be not locked since disconnect waits in usb_deregister_dev()
+ * must be not locked since a disconnect waits in usb_deregister_dev()
* due the already locked minor_rwsem in the usb_open() function
*/
retval = usb_autopm_get_interface(interface);
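Review bot: The reworded comment in skel_open() is still ungrammatical ("must be not locked", "due the already locked minor_rwsem") and does not say which lock must not be held. If the line is being touched anyway, fix it fully, for example "must not be locked since a disconnect waits in usb_deregister_dev() due to the already locked minor_rwsem in usb_open()", and name the lock. The wording change is also unrelated to the race described in the changelog, so it belongs in a separate cleanup patch or should at least be mentioned there.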
@@ -441,13 +441,14 @@ static ssize_t skel_write(struct file *file, const char *user_buffer,

/* send the data out the bulk port */
retval = usb_submit_urb(urb, GFP_KERNEL);
- mutex_unlock(&dev->io_mutex);
if (retval) {
dev_err(&dev->interface->dev,
"%s - failed submitting write urb, error %d\n",
__func__, retval);
+ mutex_unlock(&dev->io_mutex);
goto error_unanchor;
}
+ mutex_unlock(&dev->io_mutex);

/*
* release our reference to this urb, the USB core will eventually free
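Review bot: In the error branch of skel_write(), dev_err() dereferences dev->interface. Holding io_mutex across it only prevents the NULL access if dev->interface was checked for NULL earlier in the same lock hold. That check is not visible in this hunk, so please confirm it exists and that the mutex is not dropped between the check and usb_submit_urb(). Separately, mutex_unlock(&dev->io_mutex) now appears on both the failure and the success path. A single unlock site, such as an unlock label placed ahead of error_unanchor, would be harder to break in later edits.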
--
1.7.8.6
