Commit cac01bd1 authored by Dave Penkler, committed by Greg Kroah-Hartman

usb: usbtmc: Fix erroneous get_stb ioctl error returns



wait_event_interruptible_timeout returns a long
The return was being assigned to an int causing an integer overflow when
the remaining jiffies > INT_MAX resulting in random error returns.

Use a long return value and convert to int ioctl return only on error.

When the return value of wait_event_interruptible_timeout was <= INT_MAX
the number of remaining jiffies was returned which has no meaning for the
user. Return 0 on success.

Reported-by: Michael Katzmann <vk2bea@gmail.com>
Fixes: dbf3e7f6 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Cc: stable@vger.kernel.org
Signed-off-by: Dave Penkler <dpenkler@gmail.com>
Link: https://lore.kernel.org/r/20250502070941.31819-2-dpenkler@gmail.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e918d395
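
The truncation the commit message describes, as an added user-space example that is not part of the commit or the kernel source. The names `klong`, `stb_rv_before` and `stb_rv_after` are hypothetical, the sample values are constructed, and the out-of-range conversion is assumed to wrap as it does with gcc and clang.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's long on a 64-bit build (assumption). */
typedef int64_t klong;

/* Pre-fix pattern: the wait result is stored straight into an int. */
static int stb_rv_before(klong wait_ret)
{
	int rv = (int)wait_ret;	/* keeps only the low 32 bits */

	if (rv < 0)
		return rv;	/* bogus error for a wait that succeeded */
	if (rv == 0)
		return -ETIMEDOUT;
	return rv;		/* remaining jiffies leak out as the result */
}

/* Post-fix pattern: keep the long, narrow only in the error branch. */
static int stb_rv_after(klong wait_ret)
{
	if (wait_ret < 0)
		return (int)wait_ret;	/* negative errno, fits in int */
	if (wait_ret == 0)
		return -ETIMEDOUT;
	return 0;			/* success */
}

int main(void)
{
	/* Constructed wait results: remaining jiffies, timeout, errno. */
	const klong samples[] = { 250, 0, -EINTR, 0x80000000LL, 0x1FFFFFFFFLL };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("wait=%lld before=%d after=%d\n",
		       (long long)samples[i],
		       stb_rv_before(samples[i]), stb_rv_after(samples[i]));
	return 0;
}
```

With the pre-fix pattern a successful wait that leaves 0x1FFFFFFFF jiffies comes back as -1, which user space reads as an errno.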
+8 −4
@@ -482,6 +482,7 @@ static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb)
	u8 *buffer;
	u8 tag;
	int rv;
	long wait_rv;

	dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n",
		data->iin_ep_present);
@@ -511,16 +512,17 @@ static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb)
	}

	if (data->iin_ep_present) {
		rv = wait_event_interruptible_timeout(
		wait_rv = wait_event_interruptible_timeout(
			data->waitq,
			atomic_read(&data->iin_data_valid) != 0,
			file_data->timeout);
		if (rv < 0) {
			dev_dbg(dev, "wait interrupted %d\n", rv);
		if (wait_rv < 0) {
			dev_dbg(dev, "wait interrupted %ld\n", wait_rv);
			rv = wait_rv;
			goto exit;
		}

		if (rv == 0) {
		if (wait_rv == 0) {
			dev_dbg(dev, "wait timed out\n");
			rv = -ETIMEDOUT;
			goto exit;
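Review bot: The assignment `rv = wait_rv;` inside the `if (wait_rv < 0)` branch narrows a long to int implicitly. It is safe at this spot because only the negative error value reaches it, but a short comment or an explicit `(int)` cast would make that intent visible and discourage anyone from later reusing the same assignment on the positive path, where the remaining jiffies can exceed INT_MAX.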
@@ -539,6 +541,8 @@ static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb)

	dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)*stb, rv);

	rv = 0;

 exit:
	/* bump interrupt bTag */
	data->iin_bTag += 1;
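Review bot: The unchanged `dev_dbg(dev, "stb:0x%02x received %d\n", ...)` directly above the new `rv = 0;` still prints rv, but after this change rv no longer carries the wait result in the iin_ep_present path, so the "received %d" figure is whatever rv held before the wait. Consider printing wait_rv there or dropping the second argument. The new `rv = 0;` also applies to every path that falls through to the `exit:` label, which matches "Return 0 on success" in the commit message but is worth confirming for callers of the path that does not use the interrupt endpoint.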