Syzbot has been reporting a slab-out-of-bounds/bad user copy in ldusb for
some time now. This turned out to be due to a bug in the read()
implementation, which would have read() access the uninitialised ring
buffer and leak huge amounts of slab data on URB completion errors (e.g.
disconnect).

The first patch plugs the info leaks.

The second patch fixes a couple of issues in the custom ring-buffer
implementation, which before the first patch also could have led to info
leaks.

In an attempt to avoid copying the ring-buffer entry to a temporary buffer
while holding the spinlock, I added an smp_rmb() before copy_to_user()
which I think will suffice, but I'd appreciate if you could help me
verify that. Hence the RFC on that one.

The first commit could go to Linus meanwhile.

Johan

v2
 - fix buffer-entry length check in 1/2

Johan Hovold (2):
  USB: ldusb: fix read info leaks
  USB: ldusb: fix ring-buffer locking

 drivers/usb/misc/ldusb.c | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

-- 
2.23.0
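The bug class the cover letter describes, as an added user-space model that is not the ldusb driver's code and not part of the patch series: a completion handler fills slots of a never-zeroed ring buffer, and read() copies out as many bytes as the slot's stored length says. If an error completion (e.g. a disconnect) publishes a slot it never wrote, and read() does not bound the stored length, read() hands stale buffer contents to copy_to_user(). The slot layout, sizes, error codes and every function name here are assumptions chosen for illustration; the spinlock/smp_rmb() question raised above is not modelled.

```c
/* Added example (not the ldusb driver's code): a user-space model of a
 * completion-driven ring buffer and its read() path, showing how an
 * unvalidated entry length turns an error completion into an info leak.
 * Slot layout, sizes and names are assumptions for illustration only. */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define ENTRY_SIZE   8                /* payload bytes per slot (assumed) */
#define RING_ENTRIES 4
#define SLOT_SIZE    (2 + ENTRY_SIZE) /* 2-byte LE length + payload (assumed) */
#define ERR_EAGAIN   (-11)
#define ERR_EIO      (-5)

struct ring {
    unsigned char buf[RING_ENTRIES * SLOT_SIZE];
    unsigned int head;   /* next slot the completion handler fills */
    unsigned int tail;   /* next slot read() consumes */
};

static unsigned char *slot_ptr(struct ring *r, unsigned int idx)
{
    return r->buf + (idx % RING_ENTRIES) * SLOT_SIZE;
}

/* Stand-in for a non-zeroing kmalloc(): the buffer starts full of leftovers. */
static void ring_init(struct ring *r)
{
    memset(r->buf, 0xAA, sizeof(r->buf));
    r->head = r->tail = 0;
}

/* Completion handler. Unhardened: a failed or over-long transfer stores
 * nothing but still publishes the slot, so read() later consumes whatever
 * bytes were already there. Hardened: such completions publish nothing. */
static void complete(struct ring *r, const unsigned char *data, int len,
                     int status, bool hardened)
{
    unsigned char *slot = slot_ptr(r, r->head);
    bool ok = status == 0 && len >= 0 && len <= ENTRY_SIZE;

    if (ok) {
        slot[0] = (unsigned char)(len & 0xff);
        slot[1] = (unsigned char)(len >> 8);
        memcpy(slot + 2, data, (size_t)len);
    }
    if (ok || !hardened)
        r->head++;
}

/* read(). Unhardened: trusts the stored length; the copy is clamped to outlen
 * only to keep this model memory-safe, a driver would hand the whole length
 * to copy_to_user() and read far past the slot. Hardened: an entry whose
 * length exceeds the slot payload or the caller's buffer is dropped unread. */
static int ring_read(struct ring *r, unsigned char *out, size_t outlen,
                     bool hardened)
{
    unsigned char *slot;
    size_t len;

    if (r->tail == r->head)
        return ERR_EAGAIN;
    slot = slot_ptr(r, r->tail);
    len = (size_t)slot[0] | ((size_t)slot[1] << 8);
    r->tail++;
    if (hardened && (len > ENTRY_SIZE || len > outlen))
        return ERR_EIO;
    memcpy(out, slot + 2, len < outlen ? len : outlen);
    return (int)len;
}

struct demo { int ret; int first_byte; };

/* One disconnect-style error completion followed by a good 4-byte report,
 * then a single read(), run with the chosen completion and read() variants. */
static struct demo run_demo(bool hardened_complete, bool hardened_read)
{
    static const unsigned char report[4] = { 1, 2, 3, 4 }; /* constructed */
    struct ring r;
    unsigned char out[ENTRY_SIZE] = { 0 };
    struct demo d;

    ring_init(&r);
    complete(&r, NULL, 0, -1, hardened_complete);          /* error, no data */
    complete(&r, report, sizeof(report), 0, hardened_complete);
    d.ret = ring_read(&r, out, sizeof(out), hardened_read);
    d.first_byte = out[0];
    return d;
}

int main(void)
{
    struct demo leak = run_demo(false, false);
    struct demo checked = run_demo(false, true);
    struct demo safe = run_demo(true, true);

    printf("unhardened: read() would copy %d bytes, first byte 0x%02x\n",
           leak.ret, leak.first_byte);
    printf("length check only: read() returns %d\n", checked.ret);
    printf("hardened: read() returns %d, first byte 0x%02x\n",
           safe.ret, safe.first_byte);
    return 0;
}
```

The three runs in main() separate the two fixes: with neither, read() decodes the leftover 0xAAAA as a 43690-byte length and starts copying stale bytes; with only the read() length check, the stale entry is rejected with an error instead of being exposed; with both, the error completion never publishes a slot and the good report is read back intact.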