From: Greg Kroah-Hartman Date: Sun, 31 Mar 2024 11:03:48 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.7.12~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9686953709db60ab0acd0eb8b1c7524d711877b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: usb-cdc-wdm-close-race-between-read-and-workqueue.patch --- diff --git a/queue-4.19/series b/queue-4.19/series index 34bc0a08c9f..a38b8f8d40a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -81,6 +81,7 @@ mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch +usb-cdc-wdm-close-race-between-read-and-workqueue.patch fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch printk-update-console_may_schedule-in-console_tryloc.patch btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch diff --git a/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch b/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch new file mode 100644 index 00000000000..12337ef0619 --- /dev/null +++ b/queue-4.19/usb-cdc-wdm-close-race-between-read-and-workqueue.patch @@ -0,0 +1,47 @@ +From 339f83612f3a569b194680768b22bf113c26a29d Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 14 Mar 2024 12:50:48 +0100 +Subject: usb: cdc-wdm: close race between read and workqueue + +From: Oliver Neukum + +commit 339f83612f3a569b194680768b22bf113c26a29d upstream. + +wdm_read() cannot race with itself. However, in +service_outstanding_interrupt() it can race with the +workqueue, which can be triggered by error handling. + +Hence we need to make sure that the WDM_RESPONDING +flag is not just only set but tested. + +Fixes: afba937e540c9 ("USB: CDC WDM driver") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20240314115132.3907-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-wdm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -471,6 +471,7 @@ out_free_mem: + static int service_outstanding_interrupt(struct wdm_device *desc) + { + int rv = 0; ++ int used; + + /* submit read urb only if the device is waiting for it */ + if (!desc->resp_count || !--desc->resp_count) +@@ -485,7 +486,10 @@ static int service_outstanding_interrupt + goto out; + } + +- set_bit(WDM_RESPONDING, &desc->flags); ++ used = test_and_set_bit(WDM_RESPONDING, &desc->flags); ++ if (used) ++ goto out; ++ + spin_unlock_irq(&desc->iuspin); + rv = usb_submit_urb(desc->response, GFP_KERNEL); + spin_lock_irq(&desc->iuspin);