If sep_ioctl() is called from a process that does not own the
current transaction, it unlocks the unheld sep->ioctl_mutex and
returns -EACCES, leaving sep->sep_mutex acquired.
The patch fixes the mutex lock-unlock mismatch.
Found by the Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
(sep->pid_doing_transaction != 0)) {
dev_dbg(&sep->pdev->dev, "ioctl pid is not owner\n");
error = -EACCES;
- goto end_function;
}
-
mutex_unlock(&sep->sep_mutex);
+ if (error)
+ return error;
+
if (_IOC_TYPE(cmd) != SEP_IOC_MAGIC_NUMBER)
return -ENOTTY;
break;
}
-end_function:
mutex_unlock(&sep->ioctl_mutex);
return error;
}
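Review bot: the new early exit `if (error) return error;` after `mutex_unlock(&sep->sep_mutex);` only behaves correctly if `error` is initialised to 0 before the ownership check; that initialisation is outside the visible context, so please confirm it (otherwise a caller that does own the transaction would return an indeterminate value). Removing the `end_function:` label also requires that no other `goto end_function` remains in the function, or the build breaks; the switch `break;` now falls through to `mutex_unlock(&sep->ioctl_mutex); return error;`, which is the intended path. It would help to state in the commit message that sep_mutex is released on the -EACCES path while ioctl_mutex is not yet held at that point, so the pairing is clear to future readers.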