From: Greg Kroah-Hartman Date: Sun, 31 Mar 2024 11:04:28 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.7.12~96 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=978ed369c65dd4fc7a690c2725c910eb75aff793;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: usb-cdc-wdm-close-race-between-read-and-workqueue.patch --- diff --git a/queue-5.10/series b/queue-5.10/series index 9cd03a0ca87..c00ab71ff95 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -159,3 +159,4 @@ hexagon-vmlinux.lds.s-handle-attributes-section.patch mmc-core-initialize-mmc_blk_ioc_data.patch mmc-core-avoid-negative-index-with-array-access.patch net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch +usb-cdc-wdm-close-race-between-read-and-workqueue.patch diff --git a/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch b/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch new file mode 100644 index 00000000000..12337ef0619 --- /dev/null +++ b/queue-5.10/usb-cdc-wdm-close-race-between-read-and-workqueue.patch @@ -0,0 +1,47 @@ +From 339f83612f3a569b194680768b22bf113c26a29d Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 14 Mar 2024 12:50:48 +0100 +Subject: usb: cdc-wdm: close race between read and workqueue + +From: Oliver Neukum + +commit 339f83612f3a569b194680768b22bf113c26a29d upstream. + +wdm_read() cannot race with itself. However, in +service_outstanding_interrupt() it can race with the +workqueue, which can be triggered by error handling. + +Hence we need to make sure that the WDM_RESPONDING +flag is not just only set but tested. + +Fixes: afba937e540c9 ("USB: CDC WDM driver") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -471,6 +471,7 @@ out_free_mem: + static int service_outstanding_interrupt(struct wdm_device *desc) + { + int rv = 0; ++ int used; + + /* submit read urb only if the device is waiting for it */ + if (!desc->resp_count || !--desc->resp_count) +@@ -485,7 +486,10 @@ static int service_outstanding_interrupt + goto out; + } + +- set_bit(WDM_RESPONDING, &desc->flags); ++ used = test_and_set_bit(WDM_RESPONDING, &desc->flags); ++ if (used) ++ goto out; ++ + spin_unlock_irq(&desc->iuspin); + rv = usb_submit_urb(desc->response, GFP_KERNEL); + spin_lock_irq(&desc->iuspin);