[PATCH 4.8 08/37] mfd: rtsx_usb: Avoid setting ucr->current_sg.status

From: Greg Kroah-Hartman
Date: Fri Oct 14 2016 - 08:30:31 EST

4.8-stable review patch. If anyone has any objections, please let me know.


From: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>

commit 8dcc5ff8fcaf778bb57ab4448fedca9e381d088f upstream.

Member "status" of struct usb_sg_request is managed by usb core. A
spin lock is used to serialize the change of it. The driver could
check the value of req->status, but should avoid changing it without
the hold of the spinlock. Otherwise, it could cause race or error
in usb core.

This patch could be backported to stable kernels with version later
than v3.14.

Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Cc: Roger Tseng <rogerable@xxxxxxxxxxx>
Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

drivers/mfd/rtsx_usb.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/mfd/rtsx_usb.c
+++ b/drivers/mfd/rtsx_usb.c
@@ -46,9 +46,6 @@ static void rtsx_usb_sg_timed_out(unsign

dev_dbg(&ucr->pusb_intf->dev, "%s: sg transfer timed out", __func__);
- /* we know the cancellation is caused by time-out */
- ucr->current_sg.status = -ETIMEDOUT;

static int rtsx_usb_bulk_transfer_sglist(struct rtsx_ucr *ucr,
@@ -67,12 +64,15 @@ static int rtsx_usb_bulk_transfer_sglist
ucr->sg_timer.expires = jiffies + msecs_to_jiffies(timeout);
- del_timer_sync(&ucr->sg_timer);
+ if (!del_timer_sync(&ucr->sg_timer))
+ ret = -ETIMEDOUT;
+ else
+ ret = ucr->current_sg.status;

if (act_len)
*act_len = ucr->current_sg.bytes;

- return ucr->current_sg.status;
+ return ret;

int rtsx_usb_transfer_data(struct rtsx_ucr *ucr, unsigned int pipe,