Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code »

Commit f563926fed982f26b391ca42493f55f2447f1b0a

Authored by Bjørn Mork
Committed by Greg Kroah-Hartman
1 parent 52a6966c35
Exists in master and in 16 other branches dlt-processor-sdk-linux-03.00.00.04, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set 

Do not decrement resp_count if it's already 0.

We set resp_count to 0 when the device is closed.  The next open and
read will try to clear the WDM_READ flag if there was leftover data
in the read buffer. This fix is necessary to prevent resubmitting
the read URB in a tight loop because resp_count becomes negative.

The bug can easily be triggered from userspace by not reading all
data in the read buffer, and then closing and reopening the chardev.

Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads")
Cc: <stable@vger.kernel.org> # 3.13
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff

drivers/usb/class/cdc-wdm.c
Diff comments   View file @ f563926
... ... @@ -445,7 +445,7 @@
445 445 clear_bit(WDM_READ, &desc->flags);
446 446  
447 447 /* submit read urb only if the device is waiting for it */
448   - if (!--desc->resp_count)
  448 + if (!desc->resp_count || !--desc->resp_count)
449 449 goto out;
450 450  
451 451 set_bit(WDM_RESPONDING, &desc->flags);