Commit 59044112 authored Mar 14, 2024 by Oliver Neukum Committed by Greg Kroah-Hartman Apr 13, 2024

usb: cdc-wdm: close race between read and workqueue



commit 339f83612f3a569b194680768b22bf113c26a29d upstream.

wdm_read() cannot race with itself. However, in
service_outstanding_interrupt() it can race with the
workqueue, which can be triggered by error handling.

Hence we need to make sure that the WDM_RESPONDING
flag is not just only set but tested.

Fixes: afba937e ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 3a679f8a

drivers/usb/class/cdc-wdm.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -471,6 +471,7 @@ static ssize_t wdm_write
		static int service_outstanding_interrupt(struct wdm_device *desc)
		{
		int rv = 0;
		int used;

		/* submit read urb only if the device is waiting for it */
		if (!desc->resp_count \|\| !--desc->resp_count)
		@@ -485,7 +486,10 @@ static int service_outstanding_interrupt(struct wdm_device *desc)
		goto out;
		}

		set_bit(WDM_RESPONDING, &desc->flags);
		used = test_and_set_bit(WDM_RESPONDING, &desc->flags);
		if (used)
		goto out;

		spin_unlock_irq(&desc->iuspin);
		rv = usb_submit_urb(desc->response, GFP_KERNEL);
		spin_lock_irq(&desc->iuspin);