4.19-stable patches

added patches:
	usb-cdc-wdm-close-race-between-read-and-workqueue.patch

diff --git a/queue-4.19/series b/queue-4.19/series
index 34bc0a08c9f56348bc943534bc464b82993aca30..a38b8f8d40a178ec881f4ae18177a34d1ad13bdd 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -81,6 +81,7 @@ mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch
 mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch
 wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
 exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
+usb-cdc-wdm-close-race-between-read-and-workqueue.patch
 fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch
 printk-update-console_may_schedule-in-console_tryloc.patch
 btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch

diff --git a/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch b/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch
new file mode 100644 (file)
index 0000000..12337ef
--- /dev/null
+++ b/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch
@@ -0,0 +1,47 @@
+From 339f83612f3a569b194680768b22bf113c26a29d Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Mar 2024 12:50:48 +0100
+Subject: usb: cdc-wdm: close race between read and workqueue
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 339f83612f3a569b194680768b22bf113c26a29d upstream.
+
+wdm_read() cannot race with itself. However, in
+service_outstanding_interrupt() it can race with the
+workqueue, which can be triggered by error handling.
+
+Hence we need to make sure that the WDM_RESPONDING
+flag is not just only set but tested.
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -471,6 +471,7 @@ out_free_mem:
+ static int service_outstanding_interrupt(struct wdm_device *desc)
+ {
+       int rv = 0;
++      int used;
+ 
+       /* submit read urb only if the device is waiting for it */
+       if (!desc->resp_count || !--desc->resp_count)
+@@ -485,7 +486,10 @@ static int service_outstanding_interrupt
+               goto out;
+       }
+ 
+-      set_bit(WDM_RESPONDING, &desc->flags);
++      used = test_and_set_bit(WDM_RESPONDING, &desc->flags);
++      if (used)
++              goto out;
++
+       spin_unlock_irq(&desc->iuspin);
+       rv = usb_submit_urb(desc->response, GFP_KERNEL);
+       spin_lock_irq(&desc->iuspin);