Patch "usb: cdc-wdm: close race between read and workqueue" has been added to the 4.19-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 31 Mar 2024 13:03:48 +0200

This is a note to let you know that I've just added the patch titled

    usb: cdc-wdm: close race between read and workqueue

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-cdc-wdm-close-race-between-read-and-workqueue.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 339f83612f3a569b194680768b22bf113c26a29d Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@xxxxxxxx>
Date: Thu, 14 Mar 2024 12:50:48 +0100
Subject: usb: cdc-wdm: close race between read and workqueue

From: Oliver Neukum <oneukum@xxxxxxxx>

commit 339f83612f3a569b194680768b22bf113c26a29d upstream.

wdm_read() cannot race with itself. However, in
service_outstanding_interrupt() it can race with the
workqueue, which can be triggered by error handling.

Hence we need to make sure that the WDM_RESPONDING
flag is not just only set but tested.

Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@xxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/class/cdc-wdm.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -471,6 +471,7 @@ out_free_mem:
 static int service_outstanding_interrupt(struct wdm_device *desc)
 {
 	int rv = 0;
+	int used;
 
 	/* submit read urb only if the device is waiting for it */
 	if (!desc->resp_count || !--desc->resp_count)
@@ -485,7 +486,10 @@ static int service_outstanding_interrupt
 		goto out;
 	}
 
-	set_bit(WDM_RESPONDING, &desc->flags);
+	used = test_and_set_bit(WDM_RESPONDING, &desc->flags);
+	if (used)
+		goto out;
+
 	spin_unlock_irq(&desc->iuspin);
 	rv = usb_submit_urb(desc->response, GFP_KERNEL);
 	spin_lock_irq(&desc->iuspin);


Patches currently in stable-queue which might be from oneukum@xxxxxxxx are

queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch







