USB: wdm: close race between wdm_open and wdm_wwan_port_stop

Clearing WDM_WWAN_IN_USE must be the last action or
we can open a chardev whose URBs are still poisoned

Fixes: cac6fb015f71 ("usb: class: cdc-wdm: WWAN framework integration")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20250401084749.175246-3-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index eb86d1c9b4a44852df1ca991ddf6b0de48f0eec7..9c686751ddc10e90dfe761e7143b602d0563f606 100644 (file)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -726,7 +726,7 @@ static int wdm_open(struct inode *inode, struct file *file)
                rv = -EBUSY;
                goto out;
        }
-
+       smp_rmb(); /* ordered against wdm_wwan_port_stop() */
        rv = usb_autopm_get_interface(desc->intf);
        if (rv < 0) {
                dev_err(&desc->intf->dev, "Error autopm - %d\n", rv);
@@ -868,8 +868,10 @@ static void wdm_wwan_port_stop(struct wwan_port *port)
        poison_urbs(desc);
        desc->manage_power(desc->intf, 0);
        clear_bit(WDM_READ, &desc->flags);
-       clear_bit(WDM_WWAN_IN_USE, &desc->flags);
        unpoison_urbs(desc);
+       smp_wmb(); /* ordered against wdm_open() */
+       /* this must be last lest we open a poisoned device */
+       clear_bit(WDM_WWAN_IN_USE, &desc->flags);
 }
 
 static void wdm_wwan_port_tx_complete(struct urb *urb)