5.10-stable patches

added patches:
	usb-cdc-wdm-close-race-between-read-and-workqueue.patch

diff --git a/queue-5.10/series b/queue-5.10/series
index 9cd03a0ca87f89b17a9f19600c1597df25c512f2..c00ab71ff95d4059074777d1aa48d95eb0e6f8bc 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -159,3 +159,4 @@ hexagon-vmlinux.lds.s-handle-attributes-section.patch
 mmc-core-initialize-mmc_blk_ioc_data.patch
 mmc-core-avoid-negative-index-with-array-access.patch
 net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
+usb-cdc-wdm-close-race-between-read-and-workqueue.patch

diff --git a/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch b/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch
new file mode 100644 (file)
index 0000000..12337ef
--- /dev/null
+++ b/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch
@@ -0,0 +1,47 @@
+From 339f83612f3a569b194680768b22bf113c26a29d Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Mar 2024 12:50:48 +0100
+Subject: usb: cdc-wdm: close race between read and workqueue
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 339f83612f3a569b194680768b22bf113c26a29d upstream.
+
+wdm_read() cannot race with itself. However, in
+service_outstanding_interrupt() it can race with the
+workqueue, which can be triggered by error handling.
+
+Hence we need to make sure that the WDM_RESPONDING
+flag is not just only set but tested.
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -471,6 +471,7 @@ out_free_mem:
+ static int service_outstanding_interrupt(struct wdm_device *desc)
+ {
+       int rv = 0;
++      int used;
+ 
+       /* submit read urb only if the device is waiting for it */
+       if (!desc->resp_count || !--desc->resp_count)
+@@ -485,7 +486,10 @@ static int service_outstanding_interrupt
+               goto out;
+       }
+ 
+-      set_bit(WDM_RESPONDING, &desc->flags);
++      used = test_and_set_bit(WDM_RESPONDING, &desc->flags);
++      if (used)
++              goto out;
++
+       spin_unlock_irq(&desc->iuspin);
+       rv = usb_submit_urb(desc->response, GFP_KERNEL);
+       spin_lock_irq(&desc->iuspin);