usb: class: cdc-wdm: fix reordering issue in read code path
authorOliver Neukum <oneukum@suse.com>
Wed, 4 Mar 2026 13:01:12 +0000 (14:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Mar 2026 15:18:31 +0000 (16:18 +0100)
Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.

Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/class/cdc-wdm.c

index f2d94cfc70af0c77de135135653d9f8a7c6c6d28..7556c0dac908a5c2e63eaaa03411579a660f242a 100644 (file)
@@ -225,7 +225,8 @@ static void wdm_in_callback(struct urb *urb)
                /* we may already be in overflow */
                if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
                        memmove(desc->ubuf + desc->length, desc->inbuf, length);
-                       desc->length += length;
+                       smp_wmb(); /* against wdm_read() */
+                       WRITE_ONCE(desc->length, desc->length + length);
                }
        }
 skip_error:
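Review bot: The two barrier comments, `/* against wdm_read() */` here and `/* against wdm_in_callback() */` in the wdm_read hunk, name the other function but not what is being ordered, so a later edit could move the memmove or the length load across them without anyone noticing. I would spell out the pairing, e.g. `/* publish ubuf contents before the new length; pairs with smp_rmb() in wdm_read() */` and `/* load length before reading ubuf; pairs with smp_wmb() in wdm_in_callback() */`. An alternative that ties the ordering to the access itself is `smp_store_release(&desc->length, desc->length + length);` paired with `cntr = smp_load_acquire(&desc->length);`. Both functions start and end outside their hunks, so whether desc->length is read anywhere else without the lock, and would need the same ordering before the copy to user space, cannot be checked from here.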
@@ -533,6 +534,7 @@ static ssize_t wdm_read
                return -ERESTARTSYS;
 
        cntr = READ_ONCE(desc->length);
+       smp_rmb(); /* against wdm_in_callback() */
        if (cntr == 0) {
                desc->read = 0;
 retry: