Am Montag, 2. Juli 2012, 01:08:59 schrieb Bjørn Mork:
> The WDM_READ flag is normally cleared by wdm_int_callback
> before resubmitting the interrupt urb. But a crashing
> device may cause both a read error and cancelling all
> urbs. We must make sure that the flag is cleared by
> wdm_read in this case.
>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
> ---
> drivers/usb/class/cdc-wdm.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
> index 25e7d72..f77a631 100644
> --- a/drivers/usb/class/cdc-wdm.c
> +++ b/drivers/usb/class/cdc-wdm.c
> @@ -461,6 +461,8 @@ retry:
> spin_lock_irq(&desc->iuspin);
>
> if (desc->rerr) { /* read completed, error happened */
> + dev_dbg(&desc->intf->dev, "%s: error - clearing WDM_READ\n", __func__);
> + clear_bit(WDM_READ, &desc->flags);
> desc->rerr = 0;
> spin_unlock_irq(&desc->iuspin);
> rv = -EIO;
> @@ -475,6 +477,8 @@ retry:
> goto retry;
> }
> if (!desc->reslength) { /* zero length read */
> + dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
> + clear_bit(WDM_READ, &desc->flags);
> spin_unlock_irq(&desc->iuspin);
> goto retry;
> }
Are you sure that both patches are needed? After the first error is reported
we will return to user space and run into the reslength check at the next
call. If we cleared the flag unconditionally on reporting an error it seems
to me that we are introducing a data leak if a second read after the one
that produced the error has already completed.
Regards
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
