This is a note to let you know that I've just added the patch titled
usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set
to the 3.13-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-cdc-wdm-resp_count-can-be-0-even-if-wdm_read-is-set.patch
and it can be found in the queue-3.13 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From f563926fed982f26b391ca42493f55f2447f1b0a Mon Sep 17 00:00:00 2001
From: Bjørn Mork <bjorn@xxxxxxx>
Date: Sun, 12 Jan 2014 21:48:53 +0100
Subject: usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Bjørn Mork <bjorn@xxxxxxx>
commit f563926fed982f26b391ca42493f55f2447f1b0a upstream.
Do not decrement resp_count if it's already 0.
We set resp_count to 0 when the device is closed. The next open and
read will try to clear the WDM_READ flag if there was leftover data
in the read buffer. This fix is necessary to prevent resubmitting
the read URB in a tight loop because resp_count becomes negative.
The bug can easily be triggered from userspace by not reading all
data in the read buffer, and then closing and reopening the chardev.
Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads")
Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/class/cdc-wdm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -445,7 +445,7 @@ static int clear_wdm_read_flag(struct wd
clear_bit(WDM_READ, &desc->flags);
/* submit read urb only if the device is waiting for it */
- if (!--desc->resp_count)
+ if (!desc->resp_count || !--desc->resp_count)
goto out;
set_bit(WDM_RESPONDING, &desc->flags);
Patches currently in stable-queue which might be from bjorn@xxxxxxx are
queue-3.13/usb-cdc-wdm-resp_count-can-be-0-even-if-wdm_read-is-set.patch
queue-3.13/usb-serial-add-support-for-iball-3.5g-connect-usb-modem.patch
queue-3.13/usb-cdc-wdm-avoid-hanging-on-zero-length-reads.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html